Target Data Breach

Overview

In 2013, during the peak holiday shopping season, Target, one of the largest retail chains in the United States, fell victim to a massive cyber attack. Hackers gained unauthorized access to Target's internal systems, compromising detailed information for approximately 40 million credit and debit card accounts and personal data for about 70 million customers. Despite Target's substantial investment in cybersecurity, including sophisticated malware detection software and a large security team, the breach began with a phishing attack on a third-party vendor, Fazio Mechanical. The hackers used this foothold to steal login credentials for Target's network and deploy malware, resulting in catastrophic financial losses and significant damage to Target's reputation.

Vulnerability Details

The vulnerability exploited in the Target breach stemmed from a phishing attack on a third-party vendor, Fazio Mechanical. An employee of Fazio fell for a fraudulent email containing a malicious attachment, which enabled the hackers to deploy the Citadel Trojan horse—a variant of the well-known ZeuS malware. The malware remained undetected on Fazio's systems, outside the reach of Target's own security measures, including its sophisticated malware detection software. Subsequently, the hackers obtained login credentials for Target's network and deployed additional malware, which was not acted upon even though the malware detection system issued multiple alerts. This failure to respond to the alerts, together with the disabled automated malware deletion feature, allowed the hackers to exfiltrate sensitive data over a two-week period, leading to substantial financial losses and reputational damage for Target.

Lab Terminal

In this terminal activity, we'll simulate a stage of the Target breach where attackers already have access to the internal network using stolen HVAC vendor credentials. From this foothold, attackers explored accessible systems and searched for additional credentials that could allow them to reach sensitive payment infrastructure. You will investigate the system, identify insecurely stored credentials, and determine whether the vendor account can be used to access payment processing systems.

Instructions:

  • Use the help command to explore the available commands.
  • Check which user account you are currently logged in as: whoami
  • Explore the system to identify accessible directories: ls /mnt/shared and ls /mnt/shared/pos_support
  • Search configuration files for stored credentials: cat system_config.conf
  • Use the discovered credentials to access another internal system: ssh posadmin@192.168.1.60
  • Locate a file containing sensitive payment information: ls /opt/pos/data and head /opt/pos/data/transactions.csv
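The defender's counterpart to the credential-hunting step above, as an added example that is not part of the lab: a Python audit that walks a shared mount, flags plaintext credential keys in config files, and reports them with the values redacted and the file's world-readable bit noted. The directory layout, the key names matched and the contents of system_config.conf are constructed here, not taken from the lab environment.

```python
import os, re, stat, tempfile

# Key names that commonly carry secrets in ini/properties-style configs (assumed list).
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(pass(word|wd)?|secret|token|api[_-]?key)[\w.-]*)"
    r"\s*[=:]\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)

def redact(value):
    """Keep the first two characters so the report is not a second copy of the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def scan_file(path):
    """Return one finding per plaintext credential in a config file."""
    findings = []
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith(("#", ";")):
                continue  # comment lines cannot hold a live value
            m = SECRET_KEY_RE.match(line)
            if m and m.group("value") not in ('""', "''"):
                findings.append({"file": path, "line": lineno, "key": m.group("key"),
                                 "value": redact(m.group("value")),
                                 "world_readable": world_readable})
    return findings

def scan_tree(root):
    """Walk a shared mount and audit every config-like file under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".conf", ".cfg", ".ini", ".properties", ".env")):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings

# Constructed sample of what a careless vendor support share might hold.
SAMPLE_CONF = "# POS support settings (constructed sample)\npos_host = 192.168.1.60\n" \
              "pos_user = posadmin\npos_password = Winter2013!\napi_timeout = 30\n"

def demo():
    """Write the sample into a temporary 'share' and audit it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "pos_support"))
        path = os.path.join(share, "pos_support", "system_config.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)  # world-readable, as files on a shared mount often are
        return scan_tree(share)
```

Run against a real mount with scan_tree("/mnt/shared"); each finding is a file, line and key to move into a secrets store, and a world_readable flag pointing at permissions to tighten.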

Resources

Learn more about cybersecurity investigation techniques and tools:

Review Questions

How was initial access into Target systems gained by the attackers?
How did the attackers escalate their privileges once inside Target networks?
What is a C2 server?
What is Netcat?
How was Netcat utilized in the Target hack?
What are some actions that could have been taken to prevent the initial infection?
What is the hidden flag after exploiting the vulnerable machine?