The big-box giant saw 110 million in-store customers compromised by a widespread point-of-sale (PoS) hack during the busy holiday shopping season, with credit card info and other personal details lifted by the BlackPOS malware that was somehow uploaded from a central server. Target last week confirmed that the server itself was compromised by a third party using stolen credentials. Now, sources have said that those credentials were likely taken from Fazio Mechanical Services, a provider of refrigeration and HVAC systems for retailers and other businesses.
People familiar with the investigation told security researcher Brian Krebs, who continues to find Deep Throat-worthy sources to spill details on the breach, that the US Secret Service paid Fazio a visit and that the investigation overall is “very active.” The perpetrators of the breach are suspected to be of eastern European and Russian origin, and they were able to upload the malware (after a limited trial run) to “a majority” of Target’s PoS devices, going on to collect information on about 40 million debit and credit card accounts between Nov. 27 and Dec. 15, 2013.
The information was then sent to several drop servers for housing and processing, including locations inside the US (Miami specifically), Brazil and other places.
“Investigators say the United States is currently requesting mutual legal assistance from Brazilian authorities to gain access to the Target data on the server there,” Krebs reported.
But what of the HVAC company? Apparently, it is not uncommon for large retail operations to have an environmental team on contract. These companies are outsiders that essentially look for operational efficiencies, monitoring energy consumption and in-store temperatures to save on costs and bolster shopper satisfaction.
“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source told Krebs.
If Fazio turns out to be the weak link, however, the question is why Target would give the vendor's employees unfettered access to its central servers, access that was not cordoned off from Target's payment system.
“Target chose to allow a third-party access to its network, but failed to properly secure that access," said Jody Brazil, CTO and founder at FireMon, in a note to Infosecurity. "Even if Target had a valid reason for giving the third party access, the retailer should have segmented its network to ensure that they had no access to its payment systems."
Several mature processes and practices currently exist for securing third-party access to enterprise networks. Even the Payment Card Industry Data Security Standard (PCI DSS), which companies like Target are required to follow, specifies network segmentation as a way to protect sensitive cardholder data.
"It was Target’s responsibility to ensure that those practices were followed, but the fact that attackers were apparently able to leverage third-party access to reach Target’s payment systems suggests those practices were improperly implemented," Brazil said. "The only really sophisticated component of the attack appears to have been the malware used to intercept and steal payment card data from Target’s PoS systems. But the attackers would have been unable to install the malware if Target had employed proper network segmentation practices in the first place.”
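The segmentation argument above can be made concrete as a reachability check over zone-to-zone firewall rules: if a vendor remote-access zone can reach the cardholder data environment through any chain of allowed hops, the vendor has not been cordoned off. This is an added example, not code from the article or from FireMon; the zone names and both rule sets are constructed for illustration.

```python
"""Check whether a vendor remote-access zone can reach the cardholder data
environment (CDE), directly or via intermediate zones.  All zone names and
rules below are constructed examples, not any real retailer's policy."""
from collections import deque

# Constructed "allow" rules: (source zone, destination zone, service).
# Flat design: the vendor lands on central servers that also manage the PoS estate.
FLAT_NETWORK = [
    ("vendor_remote", "corp_servers", "vpn"),          # HVAC vendor maintenance access
    ("corp_servers", "hvac_controllers", "https"),     # legitimate vendor job
    ("corp_servers", "pos_cde", "smb"),                # same servers push to PoS devices
]
# Segmented design: the vendor reaches only its own equipment; PoS management is
# done from a dedicated in-scope zone the vendor cannot enter.
SEGMENTED_NETWORK = [
    ("vendor_remote", "hvac_controllers", "https"),
    ("pos_mgmt", "pos_cde", "smb"),
]

def reachable_paths(rules, src, dst):
    """Return every loop-free zone path from src to dst permitted by rules (BFS)."""
    paths, queue = [], deque([[src]])
    while queue:
        path = queue.popleft()
        for s, d, _service in rules:
            if s != path[-1] or d in path:
                continue
            if d == dst:
                paths.append(path + [d])
            else:
                queue.append(path + [d])
    return paths

def third_party_isolated(rules, vendor_zone="vendor_remote", cde_zone="pos_cde"):
    """True when no rule chain lets the vendor zone reach the CDE."""
    return not reachable_paths(rules, vendor_zone, cde_zone)

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        paths = reachable_paths(rules, "vendor_remote", "pos_cde")
        verdict = "isolated" if not paths else "EXPOSED via " + " -> ".join(paths[0])
        print(f"{name:10s} {verdict}")
```

The flat rule set reports the vendor_remote -> corp_servers -> pos_cde chain, which is the transitive exposure a rule-by-rule review of single hops tends to miss.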