Target Breach Carried Out with Stolen Credentials

Photo credit: Ken Wolter/

Spokeswoman Molly Snyder confirmed the detail (and little else) to Reuters. She said the attack method was discovered as part of an ongoing forensic investigation into the data breach, which occurred between Nov. 27 and Dec. 15.

Though the detailed investigation into the attack is still ongoing, this latest revelation demonstrates the significant risk posed by unsecured, unmonitored third-party access credentials and the importance of securing “privileged user” accounts, according to Paul Ayers, vice president of EMEA at enterprise data security firm Vormetric.

“This seems to be a clear example of how compromised ID credentials can be used by hackers to cause widespread chaos,” Ayers said in an email to Infosecurity. “The user credentials hijacked by the hacker(s) created a covert entry point from which they were able to abuse the access privileges it afforded them in the first instance and then move laterally, undetected across the company network, siphoning data as they went, for a considerable period of time.”

As systems have become more closely interconnected, with increasing amounts of private and confidential data shared between these networks, insiders who have default administrative rights are weak links in the armor. Privileged accounts with insufficient security are a prime vector for targeted cyber-attacks, leading to theft, misuse and exploitation, and their compromise is becoming a key tactic for criminals.

“As this story tells us, attackers are going after the weaker spots on the network to get a foot in the door, so to speak,” Ayers said. “Indeed, low-level employees or temporary outside contractors are often low hanging fruit for cyber-criminals.”

The best solution is to limit access so that users who need to handle data can't actually read or edit the information within data files, but can still move the files around as their job requires. Organizations working with partners need to demand of those partners that data remains secure throughout their infrastructure as a minimum bar for engaging in business.

“This recent announcement from Target confirms that the biggest breaches are due to insider threats, especially with privileged users and administrative access,” said Eric Chiu, president and co-founder of HyTrust, in an email. “The bad guys are now using advanced threats to steal credentials and pose as employees, and once on the network, they look the same as good guys. Access controls, role-based monitoring and data security are critical to securing against these new insider threats, especially in cloud environments that concentrate systems and data.”
