Target attackers misused network credentials of HVAC company

Sources close to the Target breach investigation have named the third-party vendor whose network credentials the attackers used to gain access to Target’s systems.

The company in question is Fazio Mechanical Services, a refrigeration and HVAC (heating, ventilation, and air conditioning) systems provider based in Sharpsburg, Pennsylvania.

“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store,” reports Brian Krebs.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source explained.

The CEO of the company in question has not commented on the matter, except to say that the company has been visited by the US Secret Service in connection with the investigation.

Other details revealed about the breach are that the attackers started uploading the PoS malware on November 15, and that by the end of that month the majority of Target’s PoS devices were compromised.

The data slurping began on November 27 and lasted until December 15, and the stolen information was exfiltrated via FTP to a number of servers located in Russia, the US, Brazil, and other countries.

In light of these new revelations, the question is now what fines Target will have to pay because it failed to implement protection rules mandated by the current Payment Card Industry Data Security Standard.
