Target Breach Involved Two-Stage Cyber-Attack: Security Researchers
Security firms have posted details of the malware used in the Target breach and how the attackers communicated the data outside the company.New details have emerged in the massive compromise of retail giant Target's systems that resulted in the leak of tens of millions of credit- and debit-card accounts. When Target acknowledged a breach of its systems on Dec. 19, the company released few details of the malware and tactics used in the attack. Over the last week, however, security researchers have discovered the likely malware used by attackers as well as the method by which the data thieves retrieved the stolen information from Target's network. On Jan. 16, security firm Seculert revealed that it had found an Internet server that the attacker had used as a communications hub to retrieve information from a drop site within Target's own network. The attackers apparently collected the stolen data on the compromised Target server and then used a compromised Web site to grab the data starting Dec. 2, Seculert stated in the analysis. "They were able to infiltrate (Target's) network and then setup several machines as part of the data exfiltration," Avi Raff, chief technology officer for Seculert, told eWEEK in an email interview. "As this is a two stage attack—steal PoS data from a machine not connected to the Internet, then move it to another machine which can send the data to an FTP (server)—it does seem to be sophisticated."
Starting on Dec. 2, the malware began transmitting the cache of stolen data outside the network to the collection server. Using a virtual private server in Russia, the attackers then downloaded the information. The stolen data totaled 11GBs, according to Seculert.