The 11 Steps of the Target Attack

Source: Internet
Author: User
Tags: upload, php


Recently Aorato, a specialist in Active Directory monitoring and protection, published a step-by-step report on the Target data breach, describing how the attackers used the retailer's air-conditioning supplier as their way in and stole the data of 70 million customers and 40 million credit and debit cards.

According to the new study by security company Aorato, the company's new PCI compliance plan, adopted after the leak of personally identifiable information (PII) and credit and debit card data at the beginning of this year, has dramatically reduced the scope of the damage.

Using all available public reports, Aorato's chief researcher Tal Be'ery and his team catalogued every tool the attackers used against Target and built a step-by-step account of how the attackers penetrated the retailer, spread through its network and finally captured credit card data from the point-of-sale (PoS) systems.

The details of the incident are still vague, but Be'ery believes it is necessary to understand the entire attack process, because the attackers are still out there.

Tracking attacks is like cyber paleontology.

Be'ery acknowledges that Aorato may have some of the details wrong, but he is confident that his reconstruction of the attack on Target's network is correct.

"I like to call it cyber paleontology," Be'ery said. "Many reports state that a number of attack tools turned up in this incident, but they do not explain how the attackers actually used those tools. It is like having a dinosaur's bones without knowing what the dinosaur looked like. Fortunately, we know what other dinosaurs look like, and with that knowledge we can reconstruct a model of this one."

In December 2013, in the middle of the busiest shopping season of the year, news of the Target data breach started as a trickle. Soon the trickle turned into a flood. It became increasingly clear that the attackers had obtained the personal information of 70 million consumers and data on 40 million credit and debit cards. Target's CIO and its chairman, president and CEO have resigned. Analysts said the estimated economic losses could reach $1 billion.

Most people who followed these events know that it began with the theft of a Target supplier's credentials. But how did the attackers move from the edge of Target's network into its core business systems? Be'ery believes the attackers worked through eleven carefully considered steps.

Step 1: Install malware that steals credentials

The attackers first stole the credentials of Target's air-conditioning supplier, Fazio Mechanical Services. According to Krebs on Security, which first broke the breach story, the attackers ran a phishing campaign that infected the supplier through email-borne malware.

Step 2: Use the stolen credentials to connect

The attackers used the stolen credentials to access Target's vendor-facing web portal. In a public statement after the breach, Ross Fazio, chairman and owner of Fazio Mechanical Services, said the company did not remotely monitor Target's heating, cooling and refrigeration systems; its data connection to the Target network was used for electronic billing, contract submission and project management.

This web application was very limited. Although the attackers could now reach a web application hosted inside Target, the application itself could not execute arbitrary commands, which the attackers would urgently need later in the attack.

Step 3: Exploit a web application vulnerability

The attackers needed to find a usable vulnerability. Be'ery points to an attack tool named "xmlrpc.php" listed in the public reports. According to the Aorato report, while all the other known attack tool files are Windows executables, this one is a PHP file, which runs as a script inside a web application.

"This file indicates that the attackers used a vulnerability in the web application to upload PHP files." The Aorato report suggests the web application probably had a legitimate file-upload function, for example for invoices. However, as so often happens in web applications, there was no proper security check to ensure that executable files could not be uploaded.

The malicious script was probably a "web shell", a web-based backdoor that lets an attacker upload files and execute arbitrary operating system commands. "The attackers knew that ultimately they would steal credit cards and use the cards to obtain funds," he explained. They sold the card numbers on the black market, and soon Target was notified of the data breach.
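The upload weakness described above is easy to reproduce in a few lines. The following is an added example, not code from the Aorato report or from Target's vendor portal: it models a hypothetical invoice-upload endpoint that should accept only PDF files, showing the kind of substring check that lets a script through next to a hardened validator. All file names and file bodies in it are constructed.

```python
"""Invoice-upload validation: the weak check beside a hardened one.

Added example, not code from the Aorato report or from Target's vendor portal.
It models a hypothetical invoice-upload endpoint that should accept only PDF
files; the file names and bodies used below are constructed.
"""
import os
import secrets
from typing import Tuple

ALLOWED_EXTENSIONS = {"pdf"}
MAGIC_BYTES = {"pdf": b"%PDF-"}       # a genuine PDF starts with this header
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def weak_is_allowed(filename: str) -> bool:
    """The kind of check that lets a web shell through.

    It only looks for the permitted extension somewhere in the name, so
    'invoice.pdf.php' passes and a PHP-enabled server would execute it.
    """
    return ".pdf" in filename.lower()


def hardened_validate(filename: str, body: bytes) -> Tuple[bool, str]:
    """Return (True, stored_name) on success or (False, reason) on failure.

    Checks: no NUL bytes or path components in the name, a size limit,
    exactly one extension from an allow-list, and file content that matches
    the claimed type. The stored name is chosen by the server, never by the
    client, and the file should be written outside the web root.
    """
    if "\x00" in filename:
        return False, "rejected: NUL byte in file name"
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base != filename:
        return False, "rejected: path components in file name"
    if len(body) > MAX_UPLOAD_BYTES:
        return False, "rejected: file too large"
    stem, sep, ext = base.rpartition(".")
    if not sep or not stem:
        return False, "rejected: missing name or extension"
    if "." in stem:
        # 'shell.php.pdf' style names: some servers pick a handler from any
        # extension in the name, so refuse double extensions outright
        return False, "rejected: multiple extensions"
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"rejected: extension .{ext} not allowed"
    if not body.startswith(MAGIC_BYTES[ext]):
        return False, "rejected: content does not match extension"
    # random server-side name: nothing the client controls reaches the disk
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, stored


if __name__ == "__main__":
    # constructed inputs: a real invoice and a script wearing a PDF extension
    for name, body in [("invoice.pdf", b"%PDF-1.4 constructed body"),
                       ("invoice.pdf.php", b"<?php /* constructed */ ?>")]:
        print(name, "weak:", weak_is_allowed(name),
              "hardened:", hardened_validate(name, body))
```

The weak check accepts both names; the hardened one accepts only the first, and even then stores it under a name the uploader never sees. Content sniffing matters as much as the extension check: a file named invoice.pdf whose bytes are PHP source is rejected too.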

Step 4: Careful reconnaissance

At this point the attackers had to slow down and perform some reconnaissance. They could run arbitrary operating system commands, but going further required intelligence about Target's internal network, so they needed to find the servers that stored customer information and credit card data.

The target was Target's Active Directory, which holds every member of the domain: users, computers and services. It can be queried with built-in Windows tools over the LDAP protocol. Aorato believes the attackers simply retrieved all services whose name contains the string "MSSQLSvc" and then inferred each server's purpose from its name. This is probably also the process the attackers used later to find the PoS-related machines.

Having obtained the target names, Aorato believes the attackers then queried the DNS server to obtain the corresponding IP addresses.
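The directory sweep in step 4 leaves a trace that a defender can look for: a single client asking the domain root, with subtree scope, for every service principal name of a given kind. The script below is an added example, not part of the Aorato report; the log format it parses (timestamp, client, search base, scope, filter) is a constructed, simplified one, and the sample lines are constructed as well.

```python
"""Spot directory-wide SPN sweeps in LDAP query logs.

Added example, not part of the Aorato report. The log format below is a
constructed, simplified one (timestamp, client, search base, scope, filter);
map the field names onto whatever your directory actually logs.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# constructed sample: one workstation enumerating every SQL Server SPN in the
# domain, plus ordinary traffic that should not be flagged
SAMPLE_LOG = """\
2013-11-15T03:12:07Z client=10.20.30.41 base=DC=corp,DC=example scope=subtree filter=(servicePrincipalName=MSSQLSvc*)
2013-11-15T03:12:09Z client=10.20.30.41 base=DC=corp,DC=example scope=subtree filter=(dNSHostName=sql01.corp.example)
2013-11-15T03:15:44Z client=10.0.0.5 base=DC=corp,DC=example scope=subtree filter=(servicePrincipalName=MSSQLSvc*)
2013-11-15T03:16:02Z client=10.20.30.77 base=OU=Finance,DC=corp,DC=example scope=onelevel filter=(servicePrincipalName=MSSQLSvc*)
2013-11-15T03:17:30Z client=10.20.30.78 base=DC=corp,DC=example scope=subtree filter=(servicePrincipalName=MSSQLSvc/sql01.corp.example:1433)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) base=(?P<base>\S+) "
    r"scope=(?P<scope>\S+) filter=(?P<filter>.+)$"
)
# an SPN filter with a wildcard asks for every service of a kind, not one host
SPN_WILDCARD_RE = re.compile(r"\(servicePrincipalName=[^)]*\*[^)]*\)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into its fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_spn_sweep(entry: Dict[str, str]) -> bool:
    """A sweep is a wildcard SPN search, subtree scope, rooted at the domain."""
    return (
        entry["scope"].lower() == "subtree"
        and entry["base"].upper().startswith("DC=")
        and SPN_WILDCARD_RE.search(entry["filter"]) is not None
    )


def find_spn_sweeps(log_text: str, known_admin_hosts: set) -> Dict[str, List[str]]:
    """Map each non-allow-listed client to the sweep filters it issued."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["client"] in known_admin_hosts:
            continue
        if is_spn_sweep(entry):
            hits[entry["client"]].append(entry["filter"])
    return dict(hits)


if __name__ == "__main__":
    # 10.0.0.5 stands in for a management host that legitimately inventories SPNs
    for client, filters in find_spn_sweeps(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(f"ALERT {client}: {len(filters)} SPN sweep(s): {filters}")
```

Only the workstation at 10.20.30.41 is reported: the exact-match lookup of one SPN, the search limited to a single OU, and the sweep from the allow-listed management host are all left alone. On a Windows domain controller the nearest native source for these fields is the Directory Service log's expensive/inefficient LDAP search event (Event ID 1644, enabled through the "15 Field Engineering" diagnostic setting), which records client, filter and scope much as the constructed format does.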