The massive breach of Target retail stores was achieved using login credentials stolen from a third-party air conditioning contractor, according to a report.
More than 110 million customer payment cards and personal records were stolen from US Target stores as early as November last year in a sophisticated raid targeting point of sale systems.
Hackers deployed what is thought to be the BlackPOS RAM-scraping malware between November 15 and 28 to capture payment card details from point-of-sale memory while the data was still unencrypted.
To gain entry into the Target network, the hackers used login credentials stolen from Fazio Mechanical Services, which had installed heating, ventilation and air conditioning (HVAC) systems in Target stores and other retailers, according to KrebsOnSecurity.
Hackers uploaded their malware in a live test in which customer payment details were scraped and shipped to servers in the US and Brazil.
Those same servers were reportedly used as drops for the 70 million credit and debit cards stolen from Target. US law enforcement were attempting to gain access to the servers in Brazil.
Contractors were often given remote access to retail corporate networks in order to monitor energy usage, store temperature and networking issues, KrebsOnSecurity reported.
Breaches involving compromised third-party organisations are common, since partners and contractors are often easier to hack than a well-resourced target organisation. Such organisations may also grant third parties excessive access rights in an environment with reduced security controls and monitoring.
That may go some way towards explaining why Target executives admitted they were unaware of the breach and that their systems failed to detect the intrusion.
Melbourne-based IPSEC director of operations Ben Robson said organisations need to increase scrutiny of third parties with access to corporate networks.
"In this case they needed proper logging, audit trail and packet capture," Robson said.
"Organisations need to ... let contractors know in no uncertain terms that they are monitoring them."
Tools such as intrusion prevention systems can help flag suspicious third-party behaviour for further forensic analysis. Packet captures and logs should be exported to a server that third parties cannot access.
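As an added illustration of the kind of monitoring Robson describes (this is not code from the article or from IPSEC), the following Python script checks constructed remote-access log lines against a hypothetical per-vendor access scope and flags any connection a third-party account makes outside the network segment it is entitled to reach. The log format, the account names and the address ranges are assumptions made for the example.

```python
import ipaddress
import re

# Constructed remote-access log lines (not from the article): a vendor account
# that should only reach the building-management segment also touches POS hosts.
SAMPLE_LOG = """\
2013-11-15T02:14:07Z user=hvac-vendor src=203.0.113.10 dst=10.20.5.12 proto=tcp dport=443 action=allow
2013-11-15T02:15:21Z user=hvac-vendor src=203.0.113.10 dst=10.20.5.13 proto=tcp dport=443 action=allow
2013-11-15T02:40:55Z user=hvac-vendor src=203.0.113.10 dst=10.50.1.7 proto=tcp dport=445 action=allow
2013-11-15T02:41:02Z user=hvac-vendor src=203.0.113.10 dst=10.50.1.9 proto=tcp dport=445 action=allow
2013-11-15T09:03:44Z user=jsmith src=10.1.2.3 dst=10.50.1.7 proto=tcp dport=445 action=allow
"""

# Hypothetical per-vendor scope: the internal networks each third-party account
# is entitled to reach. Anything else is out of scope and worth a closer look.
VENDOR_SCOPE = {
    "hvac-vendor": [ipaddress.ip_network("10.20.5.0/24")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

def parse_log(text):
    """Parse the constructed key=value access-log lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def out_of_scope_access(events, scope):
    """Return (ts, user, dst, dport) for vendor connections outside the vendor's allowed networks."""
    findings = []
    for e in events:
        nets = scope.get(e["user"])
        if nets is None:
            continue  # not a third-party account; covered by other controls
        dst = ipaddress.ip_address(e["dst"])
        if not any(dst in n for n in nets):
            findings.append((e["ts"], e["user"], e["dst"], int(e["dport"])))
    return findings

if __name__ == "__main__":
    for hit in out_of_scope_access(parse_log(SAMPLE_LOG), VENDOR_SCOPE):
        print("OUT OF SCOPE:", hit)
```

Running the script on the sample data reports the two connections from the vendor account into the 10.50.1.0/24 hosts, which is exactly the kind of event the exported logs should let a retailer notice rather than the contractor.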
Robson advised that physical oversight should be maintained where possible, because contractors could easily and innocently set up unauthorised devices to access a corporate network, and such devices could serve as a backdoor for attackers.
In May last year, blueprints for the new headquarters of the Australian Security and Intelligence Organisation (ASIO) were stolen by alleged Chinese hackers who raided a contractor working on the site.
Target said this week it would accelerate plans for a $100 million upgrade to deploy chip-and-pin enabled payment cards and readers which were set for mandatory use in Australia this year.