Target Breach: HVAC Contractor Systems Investigated

Published: 22/11/2024   Category: security




Hackers may have used access credentials stolen from refrigeration and HVAC system contractor Fazio Mechanical Services to gain remote access to Target's network.



Did the attackers behind the Target breach hack their way in using access credentials stolen from the retailer's environmental systems contractor?

Investigators from the Secret Service, which is leading the government's investigation into the Target breach, recently visited the offices of Fazio Mechanical Services, a refrigeration and HVAC (heating, ventilation, and air conditioning) systems provider based in Sharpsburg, Penn., security journalist Brian Krebs first reported Wednesday. Officials at Fazio reportedly confirmed -- but otherwise declined to comment on -- the Secret Service visit.
According to unnamed sources cited by Krebs, investigators now believe that Target's attackers first accessed the retailer's network on November 15, 2013, using access credentials that they'd stolen from Fazio Mechanical Services. Theoretically, those access credentials allowed attackers to gain a beachhead inside Target's network, and from there access and infect other Target systems, such as payment processing and point-of-sale (POS) checkout systems.
As of Thursday, Fazio's website was temporarily inaccessible, "due to the site owner reaching his/her bandwidth limit," an error message read. But according to a cached version of the website, the firm serves as a refrigeration and HVAC contractor, and was also responsible for renovation and new refrigeration systems at Target stores in Hilliard, Ohio, and Columbia, Md., and for similar projects at a variety of other facilities, including various Shop 'n Save, Trader Joe's, and Whole Foods stores.
Why might Fazio Mechanical Services have had access to Target's network? The answer is that Target -- like any other organization that manages a relatively modern store, factory, or office building -- likely relies on refrigeration and HVAC systems that can be remotely managed by a third party. These contractors monitor and adjust environmental controls. In supermarkets, they also keep a close watch on refrigeration systems.
[Data breaches are taking place in just about every industry. Read Texas Hospital Discloses Huge Breach.]
"HVACs are IP-addressable appliances now, which means they have network access and logins," Dwayne Melancon, CTO of Tripwire, said in an emailed statement. "Accordingly, it wouldn't be unusual for contractors to have an HVAC login, to be able to remotely manage settings, or troubleshoot related device or network problems."
Questions relating to the Target hack will no doubt now center on the security processes in place at Fazio, as well as the controls in place at Target, which -- per Payment Card Industry Data Security Standards (PCI-DSS) regulations -- is liable for any of its third-party contractors' security shortcomings. Notably, PCI requires that merchants incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
One challenge when granting remote access to a third party, however, is that multiple employees may have access to those login credentials. "Technology vendors aren't your typical remote users," said Jeff Swearingen, CEO of SecureLink, which sells remote-access security software, in an emailed statement. "One vendor may have thousands of technicians that require access on a revolving basis. Login credentials issued to Todd on Tuesday may be used by Wendy on Wednesday, and so on."

Which raises questions: Did Target secure Fazio's access to its network using two-factor authentication? What level of network access did Target grant to Fazio, and was Target actively monitoring that access? Finally, were Target's HVAC appliances located on an isolated network segment that should have prevented attackers from accessing other network-connected systems? Asked those questions via email Thursday, Target spokesperson Molly Snyder responded: "Because this is a very active and ongoing investigation, I don't have any additional details at this time."
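Two of the questions above -- whether a shared vendor credential is being used by several people at once, and whether a vendor account is staying inside the network segment it was granted -- can be checked from remote-access logs. The script below is an added example and is not code from the article, from Target, or from any vendor named in it; the log format, account name, IP addresses, subnets and policy are all constructed for illustration. It flags a vendor account that logs in from more than one source address within a short window (the "Todd on Tuesday, Wendy on Wednesday" problem) and any session from a vendor account to a host outside its allowed segment.

```python
"""Detection over constructed remote-access log lines (added example, not from the article).

Flags two patterns the article raises as open questions:
  1. one vendor account used from several source IPs within a short window
     (shared credentials passed between technicians)
  2. a vendor account reaching hosts outside the segment it is allowed to manage
     (a segmentation control that should have stopped lateral movement)
The log format, account names, addresses and subnets are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines: timestamp, account, source IP, destination IP, action
SAMPLE_LOG = """\
2013-11-15T08:02:11Z user=vendor-hvac src=203.0.113.10 dst=10.20.5.14 action=login_ok
2013-11-15T08:05:40Z user=vendor-hvac src=203.0.113.10 dst=10.20.5.14 action=session
2013-11-15T08:07:03Z user=vendor-hvac src=198.51.100.77 dst=10.20.5.14 action=login_ok
2013-11-15T08:09:55Z user=vendor-hvac src=198.51.100.77 dst=10.30.1.9 action=session
2013-11-15T09:15:00Z user=jdoe src=10.10.0.5 dst=10.30.1.9 action=session
"""

# Constructed policy: the internal subnet(s) each vendor account may reach.
# Accounts not listed here are internal users and are not checked for segment violations.
ALLOWED_SEGMENTS = {
    "vendor-hvac": [ip_network("10.20.5.0/24")],  # HVAC/refrigeration controllers only
}


def parse_line(line):
    """Turn one 'ts key=value ...' log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_shared_credential_use(records, window_minutes=30):
    """Return {user: sorted source IPs} for accounts that logged in from more than one
    source address within `window_minutes` of each other."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for r in records:
        if r["action"] == "login_ok":
            by_user[r["user"]].append((r["ts"], r["src"]))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts, src) in enumerate(logins):
            # later logins inside the window that came from a different address
            others = {s for t, s in logins[i + 1:] if t - ts <= window and s != src}
            if others:
                findings.setdefault(user, set()).update(others | {src})
    return {u: sorted(v) for u, v in findings.items()}


def find_segment_violations(records, policy=ALLOWED_SEGMENTS):
    """Return [(user, dst)] for every record where a policy-listed vendor account
    touched a destination outside its allowed segment(s)."""
    out = []
    for r in records:
        nets = policy.get(r["user"])
        if nets is None:
            continue
        dst = ip_address(r["dst"])
        if not any(dst in n for n in nets):
            out.append((r["user"], r["dst"]))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("shared-credential use:", find_shared_credential_use(recs))
    print("segment violations:", find_segment_violations(recs))
```

On the constructed sample the first check reports the vendor account as used from two addresses five minutes apart, and the second reports the one session that left the HVAC subnet for a host in 10.30.1.0/24. In practice the window and the per-account subnet policy would come from the remote-access platform's own records; the point is that both questions can be answered by routine log review rather than only after an incident.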
While the exact details of the attack have yet to be disclosed, the results are well known: Hackers stole 40 million credit and debit cards, as well as personal information on 70 million Target customers.
Target initially said that attackers stole that data between November 27 and December 15, when the discount retailer discovered the malware infection. But this week, Target chief financial officer John Mulligan said in a Senate Judiciary Committee hearing that the malware persisted undetected on 25 more checkout systems until December 18, resulting in the compromise of less than 150 more credit card numbers.
The news that Fazio Mechanical Services is now being eyed by investigators comes after Target disclosed last week that its breach involved stolen third-party vendor credentials. At the time, some reports focused on BMC Software as being the unnamed third party in question.
But BMC Software, which sells BladeLogic and other types of software, has vigorously denied that charge. In a statement issued last week, BMC noted that two supposed clues from the Target breach seen by security researchers -- a file named bladelogic.exe that tied to the POS malware used, as well as attackers' use of a password supposedly mentioned in official BMC documentation -- had nothing to do with BMC.
"BMC has confirmed that the password mentioned in the press is not a BMC-generated password," BMC Software said in a statement. In addition, it also cited a McAfee study, which reported that the POS malware's reference to bladelogic was only a method of obfuscation. In other words, the developers behind the malware appear to have disguised their attack code and related processes with names which, upon casual inspection, would look innocuous.

"At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack," said BMC.