In light of the recently reported cyber attack against JPMorgan Chase and other financial institutions, it might be useful to look back at last year’s attack against Target that exposed millions of credit card credentials. A new report released today by Aorato, a cyber security startup, details the path that the Target hackers took step-by-step from the initial breach through the extraction of millions of records from Target’s systems.
[For More on the JPMorgan Chase attack: Russian Hack Attack on Banks: Is This the Big One?]
Although other reports have detailed how hackers initially gained entry to Target’s network (through a malware attack against one of Target’s vendors), this new report offers new insight on how the hackers managed to gain entry to Target’s point-of-sale systems from that initial breach.
“Two important questions still hadn’t been answered [about the attack],” Tal Be’ery, Aorato’s VP of research, says. “How were they able to propagate into the heart of the network, and how did they steal 70 million customers’ Personally Identifiable Information [PII] but only 40 million credit card credentials?”
After stealing the vendor’s credentials and gaining access to Target’s web app for vendors, the attackers exploited an app vulnerability that eventually allowed them to query the Active Directory in Target’s network to identify targets in the network to infiltrate. They then used a pass-the-hash attack to gain domain admin credentials to the network’s Active Directory and create a new admin account for themselves. They bypassed network security measures like firewalls through a network tunnel, and propagated to a computer that allowed them to infiltrate a database containing sensitive customer data.
However, presumably to the dismay of the hackers, the database they infiltrated was PCI compliant, and did not contain any credit card credentials. This database is where the 70 million customers’ PII came from, according to the report. Finding no credit card information in the database, the hackers then switched their approach, and installed malware on thousands of Target's point-of-sale terminals that collected the 40 million stolen credit card credentials.
Throughout the attack, the hackers hid their activity by disguising themselves as legitimate users of the network. For instance, when they created their own domain admin account in the Active Directory, they chose the user name of a known component of the network. Despite this disguising of their activities, behavioral analysis and new user monitoring could have exposed those activities, Aorato’s Be’ery says. However, many companies don’t keep data on who has access to what computer in their network.
“Organizations need that data and they need the analytics to tell what is normal behavior. An attacker with a single account – you’d be able to spot that right away,” he says.
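The kind of "new user monitoring" Be’ery describes, applied to the step where the attackers created their own domain admin account under a name borrowed from a known network component, can be illustrated with a small detection script. The following is an added example and is not code from the Aorato report or from the article; the Windows Security event IDs it uses (4720 account created, 4728 member added to a security-enabled global group, 4624 successful logon) are real, but the event records, account names, hosts and the `KNOWN_COMPONENTS` inventory are constructed for this example, and the flat dictionary layout is a simplification of real event data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (simplified fields). Event IDs 4720
# (user account created), 4728 (member added to a security-enabled global group)
# and 4624 (successful logon) are real Windows Security log IDs; the account and
# host names are made up for this example.
EVENTS = [
    {"ts": "2013-11-15T03:00:00", "id": 4720, "subject": "it_admin", "target": "svc_monitor2", "host": "DC01"},
    {"ts": "2013-11-15T03:05:00", "id": 4728, "subject": "it_admin", "target": "svc_monitor2", "group": "Domain Admins", "host": "DC01"},
    {"ts": "2013-11-15T03:10:00", "id": 4624, "subject": "svc_monitor2", "host": "FILESRV01"},
    {"ts": "2013-11-15T03:20:00", "id": 4624, "subject": "svc_monitor2", "host": "DBSRV02"},
    {"ts": "2013-11-15T03:40:00", "id": 4624, "subject": "svc_monitor2", "host": "DBSRV03"},
    {"ts": "2013-11-15T04:00:00", "id": 4624, "subject": "svc_monitor", "host": "MON01"},
    {"ts": "2013-11-15T09:00:00", "id": 4720, "subject": "hr_provision", "target": "jsmith", "host": "DC01"},
    {"ts": "2013-11-15T09:30:00", "id": 4624, "subject": "jsmith", "host": "WS-0421"},
    {"ts": "2013-11-20T10:00:00", "id": 4728, "subject": "it_admin", "target": "jsmith", "group": "Domain Admins", "host": "DC01"},
]

# Hypothetical inventory of service/component account names the organisation knows about.
KNOWN_COMPONENTS = {"svc_monitor", "backup_agent"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def created_accounts(events):
    """Map each newly created account (event 4720) to its creation time."""
    return {e["target"]: _ts(e) for e in events if e["id"] == 4720}


def fast_privilege(events, group="Domain Admins", window=timedelta(hours=24)):
    """Accounts added to `group` within `window` of being created.
    A legitimate new account rarely becomes a domain admin minutes after creation."""
    created = created_accounts(events)
    hits = set()
    for e in events:
        if e["id"] == 4728 and e.get("group") == group and e["target"] in created:
            if timedelta(0) <= _ts(e) - created[e["target"]] <= window:
                hits.add(e["target"])
    return sorted(hits)


def lookalike_names(events, known=KNOWN_COMPONENTS):
    """New accounts whose name imitates a known component name without matching it
    exactly (one name is a prefix of the other, compared case-insensitively)."""
    hits = set()
    for name in created_accounts(events):
        n = name.lower()
        for k in known:
            kl = k.lower()
            if n != kl and (n.startswith(kl) or kl.startswith(n)):
                hits.add(name)
    return sorted(hits)


def new_account_fan_out(events, min_hosts=3, window=timedelta(hours=24)):
    """New accounts that log on to at least `min_hosts` distinct hosts within
    `window` of creation: one fresh account touching many machines is the
    'attacker with a single account' pattern that should stand out right away."""
    created = created_accounts(events)
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["subject"] in created:
            if timedelta(0) <= _ts(e) - created[e["subject"]] <= window:
                hosts[e["subject"]].add(e["host"])
    return {acct: len(h) for acct, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print("created then promoted quickly:", fast_privilege(EVENTS))
    print("look-alike account names:", lookalike_names(EVENTS))
    print("new accounts spanning many hosts:", new_account_fan_out(EVENTS))
```

In the constructed sample, `svc_monitor2` trips all three checks (promoted to Domain Admins five minutes after creation, a name that shadows the known `svc_monitor` account, and logons to three servers within the first hour), while the ordinary new-hire account `jsmith` trips none, because its group change comes days later and it only ever touches one workstation. The checks are only as good as the data behind them, which is Be’ery’s point: without an inventory of known accounts and a record of which accounts touch which computers, there is nothing to compare a new account against.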
Network segmentation is also key to limiting access to the most sensitive parts of a network, such as Target’s point-of-sale terminals, according to Be’ery. “You have to accept that at some point you will be infected by malware… You have to try and limit the consequences to a couple of infected computers and keep it confined by segregating networks with very sensitive information from other networks connected to the internet.”
These same protection measures likely could help JPMorgan and other banks that were hit by the attack announced yesterday, Be’ery believes. Early reports indicate that the hack against JPMorgan was initiated through the infection of an employee’s computer that was attached to the bank’s VPN.
“There seems to be the same elements on the attacker side as with the Target case – penetration through an internet-facing system (the VPN) and moving further into the bank’s inner systems… Therefore the same measures (behavioral analytics, new user monitoring, network segmentation, etc.) are relevant in thwarting such attacks.”