New Clues in the Target Breach

[InfoSec News <alerts () infosecnews org>]

http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/

By Brian Krebs
krebsonsecurity.com
Jan 29, 2014

An examination of the malware used in the Target breach suggests that the 
attackers may have had help from a poorly secured feature built into a 
widely-used IT management software product that was running on the 
retailer’s internal network.

As I noted in Jan. 15′s story – A First Look at the Target Intrusion, 
Malware – the attackers were able to infect Target’s point-of-sale 
registers with a malware strain that stole credit and debit card data. The 
intruders also set up a control server within Target’s internal network 
that served as a central repository for data hoovered up from all of the 
infected registers.

That analysis looked at a malware component used in Target breach that was 
uploaded to Symantec’s ThreatExpert scanning service on Dec. 18 but which 
was later deleted (a local PDF copy of it is here). The ThreatExpert 
writeup suggests that the malware was responsible for moving stolen data 
from the compromised cash registers to that shared central repository, 
which had the internal address of 10.116.240.31. The “ttcopscli3acs” bit 
is the Windows domain name used on Target’s network. The user account 
“Best1_user” and password “BackupU$r” were used to log in to the shared 
drive (indicated by the “S:” under the “Resource Type” heading in the 
image above.

That “Best1_user” account name seems an odd one for the attackers to have 
picked at random, but there is a better explanation: That username is the 
same one that gets installed with an IT management software suite called 
Performance Assurance for Microsoft Servers. This product, according to 
its maker — Houston, Texas base BMC Software — includes 
administrator-level user account called “Best1_user.”

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/