This week, I'm diving into the 2013 hack of Target, in which the data of over 40 million customers, including payment card details, was stolen. Find out how it moved around with me this week while I explain What the Shell happened.
Follow me on twitter and Instagram @shell_pod , email me at shellpod@protonmail.com , and check out the new site at https://whattheshellpod.com
It's the holidays. For you, it might be time to put up some decorations, make plans with family, or just enjoy some time to yourself. For most, it's also a time for gifts. Do you have a favorite store you like to get gifts at? Well, what if you found out that store lost some of your data? How would you react? What if that data was your credit card information and your personal information? And what if you were just one of 40 million customers it happened to? How would you react?
My name is John Kordis, and this week I'm inviting you to join me back in 2013, when one of the biggest retail giants suffered a breach of security so massive it would set new standards across the industry. An attack that highlighted how some of the biggest threats can come from some surprising places. This week, we're going to Target.
Intro
There's this thought I've been having since last week's episode. I keep coming back to T4NK and something he said.
"I'm not gonna start with you, I'm going to start with the people around you"
It's been bouncing around in my head because that kind of mentality is something we've talked about quite a bit. There's a similar methodology in hacking. Just as T4NK might be able to get more information about you from those around you than from you yourself, a hacker might not necessarily get the best picture of their target by going straight at the source.
There are tangential points of entry into our networks, into our lives, into our systems, all along the chain of attack, that might reach right back to you. Or in this case, Target.
Let's start with this. I'm going to put you in the position of the attacker this episode.
So you look at Target and see that it's probably too big to start with directly. After all, a top retailer is going to have some pretty decent security, and frankly quite a lot of potential avenues in the form of people. So how do you even go about starting this, especially if you don't want to tip them off that you're snooping around?
Maybe you start one degree out from the target, so let's ask who interacts with Target. Well, you've got the customers, and frankly that's not going to get you inside the network. But you've also got the suppliers and the vendors, all the places Target needs to talk to and interact with to do business. So we're going to go back to our roots. Let's just google "Target Vendors" and see what we can find.
We're in luck, because not only is there information to be gathered from this, there's a whole site dedicated to it. At the time, Target had an openly accessible site called the "Target Supplier Portal". That site was a place for vendors to find information on how they could start or continue the process of working with Target. Just from navigating around it you could find a myriad of information on what vendors Target was using. Digging a bit deeper into the site, you'd also find an easily accessible section titled "Target Facilities Management". On that page you could see how to submit work orders. Not much in the way of value there. You might be able to disrupt service if you submitted enough of them, but that's not what you're after at all. Is it?
Then you notice it: a "Supplier Downloads" page. And on that page is a list of more companies that Target interacted with, this time largely HVAC and refrigeration companies.
A little more recon and you're downloading a couple of the listed Excel files, packing up all your new intelligence and heading off for the time being.
Now those Excel files, let's take a look at them. You're a hacker in this case, so you might look at these files and see them as just sheets of HVAC and vendor data. But you know there's more than what's on the surface.
See, every file carries these tags you might have heard of, called metadata. Metadata is to files what genetic markers are to people. It contains details about the makeup of the file that can give you more clues into the bigger picture of where it came from: who created it, what software produced it, when it was last edited or printed. And there are tools out there that will pretty easily extract all of this for you to examine. It's why a lot of sites like Instagram and Facebook scrub that data now. For a long time, one piece of metadata included in your uploads was the geo-tag: the location where the picture was taken. And it led to a lot of problems.
So from a file you found called "FM_HVAC_OCT_2011", according to Brian Krebs, you might have been able to see that the file was worked on by a user named "Yadetta Daleso" and had recently been printed to a server in the Target domain. So now you have some visibility into how they name their systems, and into what some close stops on the network might be. But just because you know it's there doesn't mean it's reachable yet.
Let's take a look at that data we acquired again. At this point we know a bunch of vendors and facilities contractors. We've taken our open source intelligence pretty far, so why not try to break something? It was at this point, sometime in 2013 and at least two months before the data breach began, that a phishing campaign was launched.
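To make the metadata point concrete, here is an added example (my own code for this write-up, not anything from the original reporting or from the people involved). Office files are zip packages, and the author, last editor, last-printed time and producing application sit in plain XML under docProps/, while the printer a sheet was last printed on lives as a Windows DEVMODE blob under xl/printerSettings/. The script builds a throwaway workbook with invented names (jdoe, Jane Doe, PRINTSRV01.example.corp) so it runs offline, then pulls the same fields an attacker would read off a downloaded vendor spreadsheet, including the internal hostname leaked by a UNC printer path. The printer blob is a simplified stand-in that reproduces only the device-name field of a real DEVMODE structure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the docProps parts of a .xlsx/.docx package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# --- constructed sample workbook; every name and host below is invented ---
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
<cp:lastPrinted>2011-10-03T14:22:00Z</cp:lastPrinted>
<dcterms:modified>2011-10-04T09:10:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ep']}">
<Application>Microsoft Excel</Application>
<Company>Example Facilities Corp</Company>
</Properties>"""

# Excel stores a Windows DEVMODE blob per sheet in xl/printerSettings/*.bin; its first
# field is a fixed-width UTF-16 device name. This stand-in reproduces only that field.
PRINTER_NAME = "\\\\PRINTSRV01.example.corp\\HP4250"  # invented UNC printer path
PRINTER_BIN = PRINTER_NAME.encode("utf-16-le").ljust(64, b"\x00") + b"\x00" * 24


def build_sample_xlsx() -> bytes:
    """Assemble a minimal zip with the parts a metadata extractor cares about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("xl/printerSettings/printerSettings1.bin", PRINTER_BIN)
    return buf.getvalue()


def utf16_strings(blob: bytes, min_len: int = 6) -> list:
    """Printable UTF-16LE runs inside a binary part (what `strings -el` would show)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


def extract_metadata(package: bytes) -> dict:
    """Pull author, edit/print history, producing software and printer paths from an OOXML file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, xpath in (("creator", "dc:creator"),
                               ("last_modified_by", "cp:lastModifiedBy"),
                               ("last_printed", "cp:lastPrinted"),
                               ("modified", "dcterms:modified")):
                el = root.find(xpath, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for key, xpath in (("application", "ep:Application"), ("company", "ep:Company")):
                el = root.find(xpath, NS)
                if el is not None and el.text:
                    found[key] = el.text.strip()
        printers = []
        for name in sorted(names):
            if name.startswith("xl/printerSettings/") and name.endswith(".bin"):
                printers.extend(utf16_strings(z.read(name)))
        if printers:
            found["printers"] = printers
    return found


def unc_hosts(meta: dict) -> list:
    """Internal hostnames leaked through UNC-style (\\\\server\\share) printer paths."""
    hosts = set()
    for path in meta.get("printers", []):
        if path.startswith("\\\\"):
            hosts.add(path[2:].split("\\", 1)[0].lower())
    return sorted(hosts)


if __name__ == "__main__":
    meta = extract_metadata(build_sample_xlsx())
    for key, value in meta.items():
        print(f"{key:>17}: {value}")
    print("internal hosts:", unc_hosts(meta))
```

Point the script at a real downloaded .xlsx by replacing `build_sample_xlsx()` with the file's bytes. The defensive takeaway is the mirror image: strip docProps and printer settings from anything published on a public-facing portal, because a print server's FQDN tells an outsider both your naming convention and your internal domain.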
When we talked about phishing campaigns last, I mentioned something pretty important: attackers often don't care if you don't respond, as long as someone does. 20,000 emails could be sent, and if I can get even one person to fall for it, that's all I need.
While we don't know how many people fell for this campaign that was launched against Target's vendors, what we do know is that the attacker made their way into a company called Fazio Mechanical.
Fazio isn't massive, but it's no small business either. They did work with Target in five states, with their business located in Pennsylvania. What did they do? Well, specifically here they built and maintained the refrigeration units used in Target's grocery sections.
So you sent these phishing campaigns with one goal: I want a user to open a file, and I'll end up installing a specific piece of malware. This malware was called Citadel. Citadel was specially crafted, though, built on the framework of an already existing piece of malware called Zeus, which was used more for banking attacks.
It would use various techniques to hide itself in your Windows installation and watch, always looking. But what was it looking for? Passwords, mainly. The malware would look for passwords that were typed or stored in any kind of password manager, then send them all to one central collection point it had been set up to report to.
And if you wait long enough, that credential base is going to build up. Once they exfiltrated it, an attacker might find the credentials used for that Target Supplier Portal we talked about earlier.
And this is where we start to venture more into conjecture. Investigators and researchers are mostly certain that this was the entry vector, but there have been differing opinions on how the attackers moved around from here. One thing Target did, though, might give us a clearer picture.
Target hired Verizon. And you might be thinking to yourself, why would they hire Verizon? Well, one of their more niche offerings is a suite of security services, and they're actually rather decent.
So Target Corp hired Verizon to assess their networks for weaknesses. This would accomplish a few things: it might give some insight into how the attackers could have moved, and it would potentially open up visibility into places that hadn't been checked for compromise.
Here are some of the bigger takeaways from that assessment:
- Verizon believes that Fazio had access to a VPN connection they used to remote into Target's network in order to complete whatever tasks could be done off site.
- Verizon found "no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers."
- If that doesn't make sense to you, don't worry. What it means is that there should have been a system in place where systems only talk to the places they actually need to communicate with. I keep trying to find myself a quirky comparison to make here but it all pales in comparison to the real thing, so here it is. Verizon compromised a cash register from somewhere you would least expect. Think about all the possible computers in a Target store and take a guess. If you guessed "deli meat scale" you're right… but please get help. WHY would these ever need to talk to each other?
So do you see yet how A+B=C? The fact that all systems in a store could communicate with each other, and the fact that Fazio had remote access to equipment, meant that, transitively, Fazio had access to all the systems in the store, even if they didn't realize it. And using that flaw in the network setup, the attackers put malware on registers in nearly 1,800 stores.
Past that, Verizon and Target's information security specialists were able to exploit weak password enforcement, default passwords, and severely out-of-date systems to move laterally wherever they needed to. Even going so far as to get administrator access without any problems.
By coming in hard through the gate with the vendor's access to mainline systems, they were able to place their malware wherever they wanted, sit, and wait for the information to come to them.
The malware they placed at Target wasn't Citadel, though. It was called BlackPOS, and it wasn't just used at Target; in the year that followed it was also used to hit P.F. Chang's and Home Depot.
The malware disguised itself on registers as a Windows service that would start automatically each time the system booted. Then it did two things: it looked for a communication path back to a drop computer, and it looked for the process that handled card data so it could scrape the track data out of that process's memory in the brief window where it sits unencrypted after a swipe.
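The "A+B=C" reasoning is exactly what an attack-path model does, so here is an added example of my own (not from the Verizon report, and the zone names are invented rather than Target's real topology). A network policy is modelled as a set of permitted flows between zones; the flat policy lets every zone talk to every other, which is the condition the audit quote describes, and the segmented policy allows only the flows each zone needs. A breadth-first search then answers the question the podcast asks: from a vendor's remote foothold, or from a compromised deli scale, can packets reach the registers at all?

```python
from collections import deque

# Store/enterprise zones for the example (invented names, not Target's real topology)
ZONES = ("vendor_remote", "vendor_portal", "facilities_mgmt", "store_devices",
         "pos_registers", "pos_servers", "corp_admin")

# A policy is the set of permitted flows: (source zone, destination zone, service).
# Flat network, as the audit described it: anything may talk to anything.
FLAT_POLICY = frozenset((src, dst, "any") for src in ZONES for dst in ZONES if src != dst)

# Segmented alternative: each zone gets only the flows its job requires.
SEGMENTED_POLICY = frozenset({
    ("vendor_remote", "vendor_portal", "tcp/443"),     # vendor billing / work orders
    ("store_devices", "facilities_mgmt", "tcp/443"),   # HVAC units, scales, etc. report in
    ("pos_registers", "pos_servers", "tcp/443"),       # registers talk only to the POS back end
    ("corp_admin", "pos_servers", "tcp/3389"),         # admins manage the POS back end
})


def reachable_zones(policy, start):
    """Every zone a foothold in `start` can send traffic to, directly or transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _service in policy:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def attack_path(policy, start, goal):
    """Shortest chain of permitted flows from start to goal as (src, service, dst) hops,
    or None when the policy gives the attacker no route at all."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            hops = []
            while prev[cur] is not None:
                src, service = prev[cur]
                hops.append((src, service, cur))
                cur = src
            return hops[::-1]
        for src, dst, service in sorted(policy):
            if src == cur and dst not in prev:
                prev[dst] = (cur, service)
                queue.append(dst)
    return None


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for foothold in ("vendor_remote", "store_devices"):
            print(f"[{label}] {foothold} -> pos_registers:",
                  attack_path(policy, foothold, "pos_registers"))
```

On the flat policy both footholds reach the registers in a single hop; on the segmented one neither has any route, and the vendor can see nothing but the portal it actually needs. Feeding a real firewall or VPC rule set into the same search is a cheap way to find the "deli scale to cash register" paths before a pentester does.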
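What a RAM scraper hunts for is the fixed magstripe track format, and the same patterns are what a responder searches a suspect register's memory dump or a recovered exfil file for. Here is an added example of that detection side, my own code rather than anything from BlackPOS or from the investigation: it scans a byte buffer for Track 1 and Track 2 records, drops matches that fail the Luhn check digit, and reports masked PANs so the findings can be triaged without re-exposing card numbers. The memory buffer is constructed for the example and uses only the public 4111… and 5555… test card numbers plus a deliberate decoy.

```python
import re

# Magstripe layouts: Track 1 = %B<PAN>^<NAME>^<YYMM><service code>...?   Track 2 = ;<PAN>=<YYMM>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})\d*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters most 'looks like a card number' noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so analysts can triage without handling full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer (process memory dump, exfil file, pcap payload) for track data."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": f"20{m.group(2).decode()}-{m.group(3).decode()}"})
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "name": m.group(2).decode(),
                         "expiry": f"20{m.group(3).decode()}-{m.group(4).decode()}"})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed stand-in for a POS process memory dump. PANs are the public test numbers
# 4111111111111111 and 5555555555554444; the third record fails Luhn and is a decoy.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"OpenPort=COM3\x00"
    + b";4111111111111111=25121011000012345678?\x00"
    + b"\x90\x90\x00\x00"
    + b"%B5555555555554444^DOE/JOHN^26121011234567890?\x00"
    + b";1234567890123456=2512101?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run it over `open("register.dmp", "rb").read()` to check a real dump. Any hit on a register is a finding on its own: a correctly built POS process should not be holding clear track data long enough for a scanner to see it, which is the whole point of point-to-point encryption at the reader.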
So what was lost at this point? Personal data, and a lot of it. Imagine having eyes on every transaction for just one register. Now imagine that on a vastly larger scale, every day between November 27th and December 15th, 2013.
What they made out with? About 40 million debit and credit card numbers, including the CVV, expiration date, and name of the account holder.
Once the data had accumulated, it was offloaded to what were essentially drop spots: computers across the US and other countries that weren't where the attacker actually was, but that they could access to retrieve their loot without being caught. These were legitimate businesses that had also been hacked and were serving as data mules for the hackers here.
After that it was just a matter of time before the cards were sold on the dark market online. Within a few weeks, millions of cards were being sold on a number of dark web sites, one in particular of note called Rescator[dot]la. It's run by someone with the alias of, you guessed it, Rescator. And this guy ran at least four other sites geared toward selling card data.
One truly bizarre fact that came out of this is that there were banks, such as a small New England bank, which opted to try and buy their own card data back to get it out of the wild. Of the 20 cards it bought back, only one was invalid, and all had been recently used at Target stores between the impacted dates. From there the bank could monitor for fraud and cancel cards where it needed to. Some had already had quite a bit of damage done, including being used to buy cryptocurrency.
So who owned it all? Who was Rescator? A young 17-year-old Ukrainian by the name of Andrey Hodirevski.
There wasn't evidence that necessarily pinned the hack itself on him, but there was enough to charge him with selling the data. Brian Krebs, who interviewed him, suggested that Rescator may or may not have been involved in the hack itself, but he must know who was.
And unfortunately, that's pretty much it. The people who have been charged were largely tangential to whoever actually launched the attack. We have Andrey, who profited off the breach by selling card information, and in 2018 a Latvian man by the name of Ruslan Bondars was sentenced to 14 years in prison. Ruslan, who is currently around 40 years old, didn't have a direct hand in the attack, but he did help enable it. He ran a popular tool in the malware development underground called Scan4You.
Scan4You was basically the exact opposite of an antivirus program. It let hackers scan their malware and reported which antivirus engines detected it, so they could go back and tweak it until popular scanning tools wouldn't find it right away. It was found that Scan4You had been used by whoever hacked Target. That meant that Bondars and his partner Jurijs Martisevs were held at least partially accountable for these actions.
I think it's a safe bet to assume that the hacker came from that part of the world, given the ties binding them to the area, but it's interesting here that in lieu of the actual hacker, law enforcement went after what was effectively their supply chain. Maybe even cutting off their ability to work effectively for a little bit.
At the end of the day though, I keep coming back to one question. We know who was involved, but who's at fault here?
Every piece of this puzzle adds up to a picture of lackadaisical security practices. Let's retrace our way in.
If we go back to Fazio, we can find that while they had some anti-virus scanning capability, it was not properly configured. A typical anti-virus scanner runs automatically, for example, but Fazio was using theirs on an on-demand basis. That meant that someone needed to manually run a scan for it to happen. In my experience and personal opinion, it would be nearly impossible to have consistent 100% coverage in this kind of environment. Imagine, at a company, needing to manually trigger something on each device, meaning you would need to know all the devices out there, including any new ones. Or that you would have to find the ones that might not be online and get them online for a scan. It's quite a changing landscape and hard to keep track of sometimes. Some of the researchers involved in investigating had the opinion that if automatic scanning had been enabled, the initial attackers wouldn't have been able to keep persistent access to the network and might not have been able to move to Target. And it's a fair point in my opinion.
But the other place that might shoulder some of the blame is Target itself. Throughout the Verizon security audit, it was found that Target had continually allowed subpar security practices. They didn't segment their networks at all, as we discussed. But they also had a very minimal password policy. When looking at the list of the most-used passwords discovered, a couple of things should jump out. The top words that passwords were derived from, starting with the most prevalent: Target, stores, train, target with an @ symbol for the a, and summer.
For anyone who isn't familiar, there are certain guiding principles for password policy in companies. You don't allow your company name, you don't allow a year, you don't allow a month or season, and you rule out anything local like sports team names or cities. All of that can be fed into password cracking tools to brute force an account using simple variations. I'm sure whoever used the @ symbol thought they were being clever, but that substitution is built into wordlist-generating tools, which create variations of each word where letters are swapped for numbers or symbols. So while it might fool a human guesser, it's no match for the machine.
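Those guiding principles are easy to enforce at password-set time if you undo the same substitutions the crackers apply. The following is an added example written for this episode, not a policy from Target or the audit: it expands every plausible reading of a password (t@rget to target, sto$res to stores, and so on), then rejects anything containing the organisation's words, a month, a season or a year, or that is simply too short. The organisation word list is illustrative and based on the top stems quoted above; a real deployment would load the company's own names, sites and local teams.

```python
import itertools
import re

# Illustrative organisation deny list, taken from the top password stems quoted above.
# A real policy loads the org's other names, site names, local teams and products too.
ORG_WORDS = ("target", "stores", "train")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MIN_LENGTH = 12

# Characters people use as stand-ins for letters, and the letters they mimic.
LEET = {"@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
        "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}


def _readings(ch: str) -> tuple:
    """Letters a character may stand for once a substitution is undone. Leet characters
    read as each letter they mimic or as nothing (so 'sto$res' -> 'stores'); any other
    digit or symbol is simply dropped."""
    if ch.isalpha():
        return (ch.lower(),)
    if ch in LEET:
        return tuple(LEET[ch]) + ("",)
    return ("",)


def normalize(password: str, max_combos: int = 4096) -> set:
    """All plausible dictionary-word readings of a password, i.e. the reverse of what a
    wordlist mangler generates."""
    readings = [_readings(c) for c in password]
    combos = 1
    for r in readings:
        combos *= len(r)
    if combos > max_combos:  # pathological input: keep the two most useful readings only
        substituted = "".join(r[0] for r in readings)
        stripped = "".join(c.lower() for c in password if c.isalpha())
        return {substituted, stripped}
    return {"".join(p) for p in itertools.product(*readings)}


def check_password(password: str, org_words=ORG_WORDS) -> list:
    """Return the policy violations for a candidate password (empty list means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if re.search(r"(?:19|20)\d\d", password):
        problems.append("contains a year")
    forms = normalize(password)
    for word in org_words:
        if any(word in f for f in forms):
            problems.append(f"contains organisation word '{word}'")
    letters = "".join(c.lower() for c in password if c.isalpha())
    # full month names anywhere; three-letter abbreviations only when they are all the letters ("Jan3009#")
    if any(m in f for m in MONTHS for f in forms) or any(letters == m[:3] for m in MONTHS):
        problems.append("contains a month")
    if any(s in f for s in SEASONS for f in forms):
        problems.append("contains a season")
    return problems


if __name__ == "__main__":
    for pw in ("T@rget2013!", "sto$res1", "Jan3009#", "summer#1",
               "correct-horse-battery-staple-42"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

The substitution table is deliberately the same one the mangling rules in cracking tools use, which is the whole argument: if the attacker's tooling can generate it, the policy has to be able to see through it. Pair this with a check against a breached-password list and a length floor instead of complexity rules.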
Why is that important? Well, it means the attackers probably didn't have to do much to get admin access if they really wanted it.
On top of that, they found that many machines in critical infrastructure were severely behind on patching. This lag in applying security patches meant that in addition to all the guessing going on, there was a plethora of already known vulnerabilities anyone could use to move around the network. And Verizon, with help from the Target Red Team, was able to exploit several of these during the audit, going from the initial point of entry up to the highest level of permissions available.
So while Target was definitely a victim here, it's hard not to be upset, because they clearly were not doing their due diligence. That's partially why legal action followed. The settlement with the attorneys general of 47 states and the District of Columbia came to just 18.5 million dollars, which is crazy to me when you consider over 40 million compromised cards: that's less than a dollar per card. All in all it cost Target a lot more, though, with people estimating up to a billion dollars in costs including investigations, process updates, new hires, and changing their security posture from the ground up.
Personally, I don't think there's one fault here that could have caused this. It seems like this was going to be the outcome no matter what, there just might have been different paths to get there. No one is 100% blame free, but that's typically how it goes with these things. It's a bit of a grey area, but it's been one that's been fun to navigate and show you all.
And that's it. I'm John Kordis, and thanks for listening to me explain What the Shell happened at Target. Before I go, this week I have something special for you. If listening on your phone isn't the optimal place, or you want more content, you can check out my new website, WhatTheShellPod.com. There you'll find links to all of our episodes, playable in browser. You'll also find links to our various social pages, including our Discord channel, where you can come and discuss episodes with me and others in the community.
If that's not your cup of tea, you can always follow me on twitter or instagram @shell_pod. I'll actually be posting a diagram of what this attack might have looked like from one of the reports I found there so go take a look. Thank you for tuning in for another episode, I'll see you in two weeks with the last episode of 2021.