List: isn
Subject: [ISN] New Clues in the Target Breach
From: InfoSec News <alerts () infosecnews ! org>
Date: 2014-01-30 9:17:14
Message-ID: alpine.DEB.2.02.1401300917000.11524 () infosecnews ! org
http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
By Brian Krebs
krebsonsecurity.com
Jan 29, 2014
An examination of the malware used in the Target breach suggests that the
attackers may have had help from a poorly secured feature built into a
widely-used IT management software product that was running on the
retailer's internal network.
As I noted in Jan. 15's story – A First Look at the Target Intrusion,
Malware – the attackers were able to infect Target's point-of-sale
registers with a malware strain that stole credit and debit card data. The
intruders also set up a control server within Target's internal network
that served as a central repository for data hoovered up from all of the
infected registers.
That analysis looked at a malware component used in the Target breach that
was uploaded to Symantec's ThreatExpert scanning service on Dec. 18 but
which was later deleted (a local PDF copy of it is here). The ThreatExpert
writeup suggests that the malware was responsible for moving stolen data
from the compromised cash registers to that shared central repository,
which had the internal address of 10.116.240.31. The "ttcopscli3acs" bit
is the Windows domain name used on Target's network. The user account
"Best1_user" and password "BackupU$r" were used to log in to the shared
drive (indicated by the "S:" under the "Resource Type" heading in the
image above).
That "Best1_user" account name seems an odd one for the attackers to have
picked at random, but there is a better explanation: That username is the
same one that gets installed with an IT management software suite called
Performance Assurance for Microsoft Servers. This product, according to
its maker — Houston, Texas-based BMC Software — includes an
administrator-level user account called "Best1_user."
[...]
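The pattern the excerpt describes, one domain account (the vendor-installed "Best1_user") authenticating over SMB from many point-of-sale registers to a single internal share host, is something a defender can look for in logon telemetry. The script below is an added example written for this list post; it is not code from Krebs's article, from BMC, or from Target. It runs over a constructed, simplified log (only the share-host address 10.116.240.31, the domain name and the account name come from the article; every other IP, the second account, the timestamps, the line format and the thresholds are assumptions) and flags any account that makes network logons to one target from many distinct sources inside a short window.

```python
"""Detect one account fanning in to a single host from many sources.

Added example, not from the original article. The log format below is a
constructed simplification of Windows network-logon records:
  <ISO timestamp> <DOMAIN\\account> <logon type> <source IP> <target host>
Logon type 3 is a Windows network logon, the kind that mapping an SMB share
(for example "net use S: \\\\host\\share /user:...") produces on the target.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Only 10.116.240.31, the domain "ttcopscli3acs"
# and the account "Best1_user" are taken from the article; the register
# addresses, the "jsmith" account and all timestamps are invented.
SAMPLE_LOG = """\
2013-12-02T01:12:04 ttcopscli3acs\\Best1_user 3 10.116.12.21 10.116.240.31
2013-12-02T01:12:09 ttcopscli3acs\\Best1_user 3 10.116.12.22 10.116.240.31
2013-12-02T01:12:15 ttcopscli3acs\\Best1_user 3 10.116.12.23 10.116.240.31
2013-12-02T01:12:20 ttcopscli3acs\\Best1_user 3 10.116.13.40 10.116.240.31
2013-12-02T01:12:31 ttcopscli3acs\\Best1_user 3 10.116.13.41 10.116.240.31
2013-12-02T01:12:47 ttcopscli3acs\\Best1_user 3 10.116.14.9 10.116.240.31
2013-12-02T01:13:30 ttcopscli3acs\\jsmith 3 10.116.50.7 10.116.240.31
2013-12-02T01:13:55 ttcopscli3acs\\jsmith 3 10.116.50.7 10.116.240.31
2013-12-02T02:00:00 ttcopscli3acs\\Best1_user 2 10.116.240.31 10.116.240.31
"""


def parse_log(text):
    """Yield one event dict per well-formed line; skip blank/malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, logon_type, src, dst = parts
        yield {
            "time": datetime.fromisoformat(ts),
            "account": account,
            "logon_type": logon_type,
            "src": src,
            "dst": dst,
        }


def flag_fan_in(events, min_sources=5, window_minutes=10):
    """Return findings for (account, target) pairs where the account made
    network logons (type 3) to that target from at least `min_sources`
    distinct source IPs within any `window_minutes` span.

    The thresholds are assumptions; tune them to the environment. A normal
    user logs on from one or two machines, so a single account appearing
    from dozens of registers in minutes is the staging pattern of interest.
    """
    by_pair = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != "3":
            continue  # interactive/service logons are not share mappings
        by_pair[(ev["account"], ev["dst"])].append(ev)

    findings = []
    for (account, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        best = None  # widest set of sources seen in any single window
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits window_minutes.
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() \
                    > window_minutes * 60:
                start += 1
            window = evs[start:end + 1]
            sources = {e["src"] for e in window}
            if len(sources) >= min_sources and \
                    (best is None or len(sources) > len(best[0])):
                best = (sources, window[0]["time"], window[-1]["time"])
        if best is not None:
            findings.append({
                "account": account,
                "target": dst,
                "sources": sorted(best[0]),
                "first": best[1],
                "last": best[2],
            })
    return findings


if __name__ == "__main__":
    for f in flag_fan_in(parse_log(SAMPLE_LOG)):
        print(f"{f['account']} -> {f['target']}: {len(f['sources'])} sources "
              f"between {f['first']} and {f['last']}")
        for src in f["sources"]:
            print("   ", src)
```

In a real Windows estate the same five fields can be pulled from Security event 4624 on the share host (TargetUserName, LogonType, IpAddress) or from 5140 share-access events; the script deliberately keeps the input format trivial so the grouping and windowing logic is the only thing being demonstrated. On the constructed sample it reports Best1_user reaching 10.116.240.31 from six registers in under a minute and stays silent on jsmith, who maps the share from one workstation.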
--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/