As data dumps of cards stolen in the Target breach continue to be sold on underground cybercrime forums, and the stolen information is being used to perform unauthorised payments, US Attorney General Eric Holder has stated the Department of Justice is “committed to working to find not only the perpetrators of these sorts of data breaches – but also any individuals and groups who exploit that data via credit card fraud.”
The investigation of the Target breach is still ongoing, and the company has understandably been tight-lipped about the details of the attack, but it has shared that the attackers were able to get into its systems by using credentials stolen from a vendor.
Naturally, Target hasn’t named the vendor in question, and it hasn’t said which portal the credentials were for, but it’s probably not a coincidence that Target restricted access to its suppliers’ database (Info Retriever) and its human resources website (eHR) last week.
In the meantime, Brian Krebs has been doing some sleuthing and piecing together clues. He believes the attackers probably discovered that Target used a particular piece of software that shipped with an administrator-level user account whose default password was known to them, and that they misused this account to set up a control server inside Target’s internal network, so that the stolen card data could be collected in one place before being exfiltrated.
He reports that Dell SecureWorks’ Counter Threat Unit has also discovered that one component of the malware installed itself as a service called “BladeLogic.” The name was obviously chosen to mimic that of automation software made by BMC, the same company that sells the IT management software suite mentioned in the paragraph above.
While BMC has declined to say whether Target uses its software, a trusted source confirmed to Krebs that many US retailers do.