At this point, Be'ery says, the attackers had to slow down and do some reconnaissance. They had the capability to run arbitrary OS commands, but proceeding further would require intelligence on the layout of Target's internal network — they needed to find the servers that held customer information and (they hoped) credit card data.
The vector was Target's Active Directory, which contains the data on all members of the Domain: users, computers and services. They were able to query Active Directory with internal Windows tools using the standard LDAP protocol. Aorato believes the attackers simply retrieved all services that contained the string "MSSQLSvc" and then inferred the purpose of each service by looking at the name of the server (e.g., MSSQLSvc/billingServer). This is likely also the process the attackers would later use to find PoS-related machines, according to Aorato.
With the names of their targets, Aorato says the attackers then obtained their IP addresses by querying the DNS server.
Step 5: Steal Access Token from Domain Admins
By this point, Be'ery says the attackers had identified their targets, but they needed access privileges to affect them — preferably Domain Admin privileges.
Based on information given to journalist Brian Krebs by a former member of Target's security team, as well as recommendations made by Visa in its report on the breach, Aorato believes the attackers used a well-known attack technique called "Pass-the-Hash" to gain access to an NT hash token that would allow them to impersonate the Active Directory administrator — at least until the actual administrator changed his or her password.
As further evidence of the use of this technique, Aorato points to the use of tools, including penetration test tools, whose purpose is to list logon sessions and NTLM credentials from memory, extract domain accounts' NT/LM hashes and history, and dump password hashes from memory.
Step 6: Create a New Domain Admin Account Using the Stolen Token
The previous step would have allowed the attackers to masquerade as a Domain Admin, but would have become invalid if the victim changed their password, or when trying to access some services (like Remote Desktop) which require the explicit use of a password. The next step, then, was to create a new Domain Admin account.
The attackers were able to use their stolen privileges to create a new account and add it to the Domain Admins group, giving the account the privileges the attackers required while also giving the attackers control of the password.
This, Be'ery says, is another example of the attackers hiding in plain sight. The new username was "best1_user," the same username used by BMC's Bladelogic Server Automation product.
"This is a highly abnormal pattern," Be'ery says, noting that the simple step of monitoring the users list and flagging new additions for sensitive accounts like administrator accounts could go a long way toward stopping attackers in their tracks. "You have to monitor access patterns."
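As an added illustration of the monitoring Be'ery recommends (example code written for this page, not from Aorato or the article), the following flags every addition to a sensitive group in a simplified Windows Security log export and notes when the added account was itself created shortly before, the "create, then elevate" sequence of Step 6. Event IDs 4720 and 4728 are the standard Windows ones; the log records, domain and account names are constructed.

```python
from datetime import datetime, timedelta

# Groups whose membership changes should always be reviewed.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample of a simplified Security log export. Real exports carry far
# more fields; only the ones this check needs are kept here.
#   4720 = a user account was created
#   4728 = a member was added to a security-enabled global group
SAMPLE_EVENTS = [
    {"time": "2024-01-15T02:10:00", "id": 4720, "subject": "CORP\\svc_deploy", "target": "CORP\\best1_user"},
    {"time": "2024-01-15T02:11:30", "id": 4728, "subject": "CORP\\svc_deploy", "target": "CORP\\best1_user", "group": "Domain Admins"},
    {"time": "2024-01-15T09:00:00", "id": 4720, "subject": "CORP\\hr_admin", "target": "CORP\\jdoe"},
    {"time": "2024-01-15T09:30:00", "id": 4728, "subject": "CORP\\hr_admin", "target": "CORP\\jdoe", "group": "Sales"},
    {"time": "2024-01-16T10:00:00", "id": 4728, "subject": "CORP\\it_admin", "target": "CORP\\msmith", "group": "Domain Admins"},
]


def find_privileged_additions(events, window=timedelta(hours=24)):
    """Return one alert per addition to a sensitive group.

    Each alert records who made the change and whether the added account was
    created within `window` before the addition; a brand-new account landing
    straight in Domain Admins is the pattern the article calls highly abnormal.
    """
    created = {}  # account -> creation time, from 4720 events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = t
        elif ev["id"] == 4728 and ev.get("group") in SENSITIVE_GROUPS:
            c = created.get(ev["target"])
            newly_created = c is not None and t - c <= window
            alerts.append({
                "time": ev["time"],
                "target": ev["target"],
                "group": ev["group"],
                "by": ev["subject"],
                "newly_created": newly_created,
                "severity": "high" if newly_created else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in find_privileged_additions(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['by']} added {a['target']} to {a['group']}"
              f"{' (account created <24h earlier)' if a['newly_created'] else ''}")
```

On the constructed sample this raises a high-severity alert for best1_user and a medium one for msmith, while the Sales group change is ignored; in practice the same logic would run over events forwarded from every domain controller.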