Target: A Warning To System Administrators
The biggest security story of 2014 to date has been the massive Target data breach. Over several weeks in late 2013 (including Black Friday), the network of the retailer was breached by attackers and malware was planted onto their point-of-sale (POS) machines and used to steal the credit card information of approximately 40 million shoppers. In addition, the personal information (such as names, addresses, and phone numbers) of another 70 million customers was also taken. We noted in our 2014 predictions that we believed that there would be one major data breach per month.
There is no denying the scale and severity of this breach. While much ink – online and offline – has been focused on matters like who the author of the malware was, in the longer view what’s important to note is that there were many ways this attack might have been prevented – or security steps that could have been taken to thwart this kind of attack.
For example, POS systems represent a near-ideal situation for whitelisting and/or locked down systems: there is no compelling need to run general-purpose applications on a POS system. A locked down system would have made it more difficult to run malware on the POS devices.
Alternately, it is highly unlikely that such a large-scale attack was carried out with malware installed onto POS systems on an individual basis. It’s almost certain that some form of remote management software was used to install the malware onto the POS systems. This isn’t the first time that systems used to automatically install software onto systems has been compromised; last year the auto-update system of several applications in South Korea was used to plant malware onto affected systems.
The movement of such significant amounts of data across networks should also have been detectable as well. Network defense solutions would have been able to detect the internal network traffic used by this attack, or the data exfiltration traffic, or both.
The broad outlines of this attack are known, but specifics – such as what exact security procedures were in place and how/if they were evaded – are not yet public. However, businesses that handle critical data can take this incident and use it to determine if they, too, are at risk from similarly well-executed attacks. Companies in such a situation should double-check that all possible security procedures and products are in use and set up correctly, as well as for trained IT personnel to handle incidents as they happen.
One thing that is clear is that for high-value targets, simple endpoint security is no longer sufficient. As we mentioned earlier, protections based on detecting network and system behavior (such as Deep Discovery and Deep Security) would have been very useful in dealing with these kinds of threats. Enterprises that do not have these solutions in place should consider implementing them in order to be able to guard against similar attacks; there is a good chance that other companies in similar situations will now have to deal with copycat attacks.
We detect the malware that we believe was used in this attack as TSPY_POCARDL.AB and TSPY_POCARDL.U; if any related threats are found we will release further protection as necessary. Frequently asked questions about this incident are answered in the Simply Security blog.