How Not To Secure Your Company (Target Data Breach)

Kevin Fang
4 Sept 2023, 09:55

Summary

TLDR: In 2013, a phishing email delivered the Citadel Trojan to Fazio Mechanical, an HVAC contractor that held a contract with Target. Using that foothold, the hackers got into Target's network, escalated privileges until they could reach the point-of-sale systems, and stole 40 million credit card numbers and 70 million customer records. The breach exposed poor network segmentation and security practices and caused Target significant financial and reputational damage.

Takeaways

  • 🏢 Fazio Mechanical, an HVAC company specializing in commercial refrigeration, had a contract with Target that gave it access to several of Target's web applications for business purposes.
  • 🔗 The initial breach began with a phishing email that tricked a Fazio employee into downloading and running a PDF attachment, which released the Citadel Trojan into the company's system.
  • 🤖 Citadel is a sophisticated spyware system designed to steal credentials through various methods, including keylogging, screenshotting, and man-in-the-browser attacks.
  • 🛡️ Fazio's security measures were inadequate, relying on a free version of Malwarebytes that lacked real-time monitoring, allowing the hackers to remain undetected.
  • 💻 The hackers leveraged an exploit in one of Target's web applications to gain remote code execution, which then allowed them to install a backdoor and gain direct server access.
  • 🕵️‍♂️ The attackers infiltrated Target's network, escalating privileges to gain access to highly permissive users, such as the Domain Administrator.
  • 🔄 Weak or default passwords, unpatched systems, and missing network segmentation made it easier for the hackers to move laterally within Target's network.
  • 💳 The ultimate goal of the hackers was to access the point of sale (POS) systems to steal credit card information, which they achieved using the BlackPOS malware.
  • 💾 BlackPOS is a RAM scraping tool that can be purchased on cyber crime forums, designed to steal credit card data from infected POS systems.
  • 🔒 The stolen data was encrypted and obfuscated within a DLL file, then exfiltrated through a compromised server to a Russian FTP server.
  • 🚨 Target's FireEye security monitoring detected the exfiltration malware multiple times, but the alerts were dismissed as false positives, allowing the breach to continue.
  • 📉 The breach had a significant financial impact on Target, with a 46% drop in net profit in Q4 and a loss of customer trust.
  • 🛡️ In response to the breach, Target invested heavily in security, including additional personnel and the establishment of a cyber fusion center to better respond to threats.
  • 📈 Modern POS systems now favor EMV cards, which are more secure against such attacks due to their unique transaction codes, making card scanning attacks less common.
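The segmentation and exfiltration lessons in the takeaways above can be stated as concrete checks. The following Python script is an added example, not code from the video or from this page: it parses constructed flow records in a made-up key=value format, uses assumed zone prefixes (10.10/16 for vendor-facing web apps, 10.20/16 for internal servers, 10.30/16 for POS terminals) and an assumed allow-list of permitted cross-zone flows, and flags two conditions: traffic between zones that the segmentation policy does not permit, and FTP sessions from any internal zone to an address outside RFC1918 space, which is the shape of the exfiltration described above.

```python
"""Flag two network conditions the Target breach hinged on: traffic that
crosses segments the policy does not allow, and outbound FTP from internal
hosts to the public internet. Added example; addressing, allow-list and log
format are constructed for illustration, not Target's."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (assumption for this example).
ZONES = {
    "vendor_portal": ipaddress.ip_network("10.10.0.0/16"),  # vendor-facing web apps
    "corp": ipaddress.ip_network("10.20.0.0/16"),           # internal servers, admin hosts
    "pos": ipaddress.ip_network("10.30.0.0/16"),            # point-of-sale terminals
}
# RFC1918 space; any destination outside it is treated as the public internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Segmentation policy (assumption): the only cross-zone flows that are permitted.
ALLOWED_FLOWS = {("corp", "pos"), ("corp", "vendor_portal")}
FTP_PORTS = {20, 21}


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    dport: int


def zone_of(ip):
    """Return the zone name containing ip, or None if it is not in a known zone."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_external(ip):
    """True if ip lies outside the organisation's RFC1918 space."""
    return not any(ip in net for net in PRIVATE)


def parse_flow(line):
    """Parse one constructed flow record: '<timestamp> src=.. dst=.. dport=.. proto=..'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields.get("proto", "tcp").lower(),
    }


def check_flows(lines):
    """Return a Finding for every record that violates one of the two rules."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        # Rule 1 (segmentation): a flow between two different known zones must be on the allow-list.
        if src_zone and dst_zone and src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED_FLOWS:
            findings.append(Finding("cross_segment", str(f["src"]), str(f["dst"]), f["dport"]))
        # Rule 2 (exfiltration): no internal zone should open an FTP session to the internet.
        if src_zone and is_external(f["dst"]) and f["proto"] == "tcp" and f["dport"] in FTP_PORTS:
            findings.append(Finding("outbound_ftp", str(f["src"]), str(f["dst"]), f["dport"]))
    return findings


# Constructed sample records (not real Target logs).
SAMPLE_FLOWS = [
    "2013-11-30T02:14:01Z src=10.20.5.8 dst=10.30.1.15 dport=443 proto=tcp",    # corp -> POS: allowed
    "2013-11-30T02:14:07Z src=10.10.4.7 dst=10.30.1.15 dport=445 proto=tcp",    # vendor portal host -> POS: not allowed
    "2013-11-30T02:15:30Z src=10.20.9.3 dst=203.0.113.10 dport=21 proto=tcp",   # internal server -> external FTP
    "2013-11-30T02:16:02Z src=10.20.5.8 dst=198.51.100.5 dport=443 proto=tcp",  # ordinary HTTPS egress: no finding
    "2013-11-30T02:16:40Z src=10.10.4.7 dst=10.20.9.3 dport=22 proto=tcp",      # vendor portal host -> corp SSH: not allowed
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(f"{finding.rule:14} {finding.src} -> {finding.dst}:{finding.dport}")
```

Running the block reports three findings for the sample records: the two vendor-portal hosts reaching into zones they have no business in, and the internal server opening an FTP session to the outside. In a real deployment the allow-list would be derived from the firewall policy and the records from a flow collector, but the point stands: both of the conditions that let the breach run its course are cheap to express as rules, and an alert that matches one of them deserves triage rather than a false-positive label.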

Q & A

  • What type of company is Fazio Mechanical and what was their contract with Target for?

    - Fazio Mechanical is an HVAC company specializing in commercial refrigeration. Its contract with Target gave it access to several Target web applications for electronic billing, contract submission, and project management.

  • How did the hackers initially gain access to Fazio Mechanical's systems?

    - Through a phishing email that led a Fazio employee to download and run a PDF attachment carrying the Citadel Trojan, a general-purpose spyware system.

  • What are some of the methods Citadel uses to steal credentials?

    - Keylogging, screenshotting, video capture of websites of interest, and man-in-the-browser attacks.

  • How did the hackers bypass Fazio's security measures?

    - Fazio relied on the free version of Malwarebytes, which lacks the real-time monitoring that could have detected the intrusion, so the infection went unnoticed.

  • What was the vulnerability in one of Target's websites that allowed the hackers to execute remote code?

    - An exploit on one of Target's websites that allowed some level of remote code execution, one of the most devastating classes of security vulnerability.

  • How did the hackers escalate their privileges within Target's network?

    - By exploiting weak or default administrator passwords, missing critical security patches, and known exploits in applications that could be used to dump credentials.

  • What was the role of BlackPOS in the Target data breach?

    - BlackPOS was malware designed to steal credit card information from Windows-based point-of-sale machines. It performed RAM scraping attacks to extract card data from the memory of the infected point-of-sale devices.

  • How did the hackers transfer the stolen credit card data out of Target's network?

    - They encrypted the stolen card data and saved it inside a DLL file for obfuscation. A separate data exfiltration malware installed on a compromised server within Target's network then transferred the data to a Russian FTP server.

  • What was the impact of the data breach on Target's finances and reputation?

    - Net profit dropped 46% in Q4, customer trust was lost, and the CEO resigned.

  • What security measures did Target implement after the breach to improve their network security?

    - Target invested hundreds of millions into additional security personnel and built a cyber fusion center to better respond to daily threats. It also commissioned another pentest and improved its network segmentation and security protocols.

  • What is the current status of the hackers involved in the Target data breach?

    - The main hackers behind the Target data breach have not been caught. Some developers and distributors of the Citadel malware, however, have been arrested and sentenced over the years.


Related tags
Cyber Attack, Target Breach, HVAC Company, Phishing Scam, Citadel Trojan, Credential Theft, Remote Code, SQL Injection, BlackPOS Malware, Data Exfiltration, Security Flaws, Network Segmentation, Zero Trust, EMV Adoption, Cybersecurity, Hacking Tactics, Point of Sale, Data Security, Malware Detection, Class Action Suit