Step 2: Connect Using Stolen Credentials
Be'ery says the attackers used the stolen credentials to gain access to Target-hosted web services dedicated to vendors. In a public statement issued after the breach, Fazio Mechanical Services President and Owner Ross Fazio said the company "does not perform remote monitoring or control of heating, cooling or refrigeration systems for Target. Our data connection with Target was exclusively for electronic billing, contract submission and project management."
This web application was very limited, Be'ery says. While the attackers now had access to a Target internal web application hosted on Target's internal network, the application did not allow for arbitrary command execution, which would be necessary to compromise the machine.
Step 3: Exploit a Web Application Vulnerability
The attackers needed to find a vulnerability they could exploit. Be'ery points to one of the attack tools named in public reports, a file called "xmlrpc.php." According to Aorato's report, while all the other known attack tool files are Windows executables, this one was a PHP file, PHP being a language used to run scripts within web applications.
"This file suggests that the attackers were able to upload a PHP file by leveraging a vulnerability within the web application," the Aorato report concludes. "The reason is that it is likely the web application has an upload functionality meant to upload legitimate documents (say, invoices). But as often happens in web applications, no security checks were performed in order to ensure that executable files are not uploaded."
The malicious script was probably a "web shell," a web-based backdoor that allowed the attackers to upload files and execute arbitrary operating system commands.
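As an added illustration of the upload check the Aorato report says was missing, here is an example handler written for this article, not code from Aorato, Target or the vendor portal; the document allow-list, the file signatures and the function names validate_upload and storage_name are assumptions. It accepts only the document types a billing portal would expect, verifies the content matches the claimed type, and refuses anything carrying server-side script markers:

```python
import os
import re
import secrets

# Document types a vendor billing portal would expect, with the magic bytes
# each one must start with (constructed allow-list for this example).
ALLOWED = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",
    "xml": b"<?xml",
    "csv": None,  # plain text, no fixed signature
}
# Markers of PHP code; a "document" must never contain them anywhere.
SCRIPT_MARKERS = (b"<?php", b"<?=")


def validate_upload(original_name: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Ignore the client's Content-Type header
    entirely; only the bytes and the extension are trusted, and both are checked."""
    base = os.path.basename(original_name.replace("\\", "/"))
    if "\x00" in base:
        return False, "null byte in filename"
    parts = base.lower().split(".")
    # Exactly one extension: blocks invoice.pdf.php and similar double extensions.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "filename must be <name>.<ext> with a single extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not on allow-list"
    magic = ALLOWED[ext]
    if magic is not None and not content.startswith(magic):
        return False, f"content does not match a .{ext} file"
    # Heuristic content scan: a PHP shell appended to a real-looking
    # document (a polyglot) still carries these markers.
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        return False, "server-side script markers in content"
    return True, "ok"


def storage_name(original_name: str) -> str:
    """Store under a random name that keeps only the validated extension, so the
    uploader controls neither the name nor a lookalike such as xmlrpc.php. The
    directory itself should sit outside the web root with script execution disabled."""
    ext = original_name.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```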
Be'ery notes that the attackers likely called the file "xmlrpc.php" to make it look like a popular PHP component — in other words the attackers disguised the malicious component as a legitimate one to hide it in plain sight. This "hiding in plain sight" tactic is a hallmark of these particular attackers, Be'ery says, noting that it was repeated multiple times throughout the attack.
"They know they're going to get noticed in the end because they're stealing credit cards, and the way to monetize credit cards is to use them," he explains. "As we saw, they sold the credit card numbers on the black market and pretty soon afterward Target was notified of the breach by the credit card companies. The attackers knew that this campaign would be short-lived, a one-off. They weren't going to invest in infrastructure and becoming invisible because in a few days this campaign would be gone. It was enough for them to hide in plain sight."
Step 4: Search Relevant Targets for Propagation