How Target’s Point-of-Sale System May Have Been Hacked
Target has not revealed much regarding how their massive data breach occurred. To date they have disclosed the breach included 40 million credit cards and 70 million personal records. Target has only stated that the point-of-sale systems were compromised by malware.
The question we are all asking is how is it that all the point-of-sale systems across all Target stores in the United States were compromised at the same time?
Target’s IT Infrastructure Revealed
The answer I believe lies partially in Target’s recently updated architecture. Over the past several years Target conducted a major refresh to their entire IT infrastructure. The new structure relies heavily on virtualization with a “two servers per store” model.
On a per store basis these two servers leverage virtualization to run a custom point-of-sale solution that manages up to 30 registers, along with applications to manage inventory, stock replenishment, pharmacy data (if they have a one), infrastructure as well as databases.
The 1,700+ retail stores for the most part function as autonomous units with their own control room, except for centralized authentication, domain name resolution and endpoint monitoring services which all of the stores connect to at a central hub.
Target runs most of their systems on Microsoft (except for the pharmacy app which runs on Linux in a VM). In each store Microsoft System Center provides the distribution point for application updates and security patches to 170+ devices per store including the point-of-sale register systems.
Each store does not have its own IT staff, instead Target relies on a third party IT services provider to perform maintenance at each store. The patches from Microsoft System Center are automatically deployed late at night and the point-of-sale systems rebooted before the stores open, so as to not disrupt business during the day.
I believe that somehow the central hub at Target was compromised and that point-of-sale malware was deployed to all of the stores’ update/patching servers. From here all of the point-of-sale devices would update to the same compromised code that was deployed.
At that stage the data could be exfiltrated out to another server directly from the device, or an internally compromised server at the main hub and exfiltrated out of the network.
Just a few weeks before the Target breach, several sophisticated active campaigns were discovered by Arbor Networks using point-of-sale malware. These campaigns used different versions of PoS malware called Dexter (PDF), the researchers even mentioned that the data they were seeing looked like “a test of some sort”.
After the breach we then also see a notification from CERT regarding point-of-sale malware and we are now hearing that Neiman Marcus may have been hit by a similar attack along with other retailers.