Target hackers may have exploited backdoor in widely used server software


ShyWriter


KrebsonSecurity digs in to point-of-sale malware infecting retailer's network.

by Dan Goodin - Jan 29 2014, 4:19pm EST
[Image: target-store.jpg (credit: Wikipedia)]
Widely used management software running on Target's internal network may have given an important leg-up to attackers who compromised 40 million payment cards belonging to people who recently shopped at the retail giant, according to an article published Wednesday by KrebsonSecurity.
 
As journalist Brian Krebs reported two weeks ago, malware that infected Target's point-of-sale terminals used the account name "Best1_user" and the password "BackupU$r" to log in to a control server inside the Target network. The malware used the privileged insider access to temporarily stash payment card data siphoned out of the terminals used in checkout lines so it could then periodically be downloaded to a different service for permanent storage. In Wednesday's post, Krebs filled in some intriguing new details that suggest a poorly secured feature inside a widely used server management program may have played a role. Krebs explained:
 

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”
 
This knowledge base article (PDF) published by BMC explains the Best1_user account is used by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”

 

“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt.

 

Krebs went on to quote a part of the BMC article that said:
 

Perform Technical Support does not have the password to this account and this password has not been released by Perform Development. Knowing the password to the account should not be important as you cannot log into the machine using this account. The password is known internally and used internally by the Perform agent to assume the identity of the “Best1_user” account.

 

Krebs asked BMC if "BackupU$r" is the password that controls access to the "Best1_user" account. Company representatives have yet to provide an answer.
 
Krebs also cited a report that Dell SecureWorks privately distributed to clients earlier this week. "The Best1_user account appears to be associated with the Performance Assurance component of BMC's Software's Patrol product," Dell SecureWorks researchers wrote. "According to BMC's documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network."
 
Krebs also repeated what Ars noted two weeks ago—that there's a compelling case to be made that, just like the co-conspirators of now-convicted Albert Gonzalez, the people who hacked Target may have first penetrated the network by mounting a SQL injection attack on Target's website. Wednesday's report from Krebs has many more details, including a recent dump of more than 2 million compromised payment cards, all of them used at Target between November 27 and December 15.
 
SOURCE: http://arstechnica.com/security/2014/01/target-hackers-may-have-exploited-backdoor-in-widely-used-server-software/
 
/Steve
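As an added example (not code from the article, Krebs, BMC or Dell SecureWorks), the Python below turns the quoted BMC description into a detection check: an account granted only the right to run as a batch job should only ever produce batch logons, so any other logon type by that account, such as the network logon to a control server that the malware is described as making, is worth an alert. The log line format, the sample events and the account-to-logon-type mapping are constructed assumptions; only the account name comes from the article.

```python
"""Flag logons by a vendor-installed, batch-only service account (added example)."""
from dataclasses import dataclass

# Logon type codes documented for Windows Security event 4624 (successful logon).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}

# The BMC article quoted in the post says Best1_user is granted only the right to
# run as a batch job, so a type-4 logon is expected and any other type is worth an
# alert. The mapping is an assumption; fill it from each product's documentation.
BATCH_ONLY_ACCOUNTS = {"best1_user": {4}}


@dataclass(frozen=True)
class Alert:
    account: str
    logon_type: int
    source: str
    reason: str


def parse_4624(line: str) -> tuple[str, int, str]:
    """Parse one constructed log line: '4624 account=<name> type=<n> src=<ip>'."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return fields["account"], int(fields["type"]), fields.get("src", "-")


def find_unexpected_logons(lines: list[str]) -> list[Alert]:
    """Return an Alert for each successful logon where a batch-only account used another type."""
    alerts = []
    for line in lines:
        if not line.startswith("4624 "):
            continue  # failed logons (4625) and other events carry no logon we need to judge
        account, logon_type, source = parse_4624(line)
        allowed = BATCH_ONLY_ACCOUNTS.get(account.lower())
        if allowed is None or logon_type in allowed:
            continue
        kind = LOGON_TYPES.get(logon_type, str(logon_type))
        alerts.append(Alert(account, logon_type, source, f"{kind} logon by batch-only account"))
    return alerts


# Constructed sample (simplified export, not real Target or BMC data): an expected
# batch logon, a network logon from another host, an unrelated interactive logon,
# and a failed logon that is skipped.
SAMPLE_EVENTS = [
    "4624 account=Best1_user type=4 src=127.0.0.1",
    "4624 account=Best1_user type=3 src=10.0.0.5",
    "4624 account=Administrator type=2 src=127.0.0.1",
    "4625 account=Best1_user type=3 src=10.0.0.5",
]
```

Running `find_unexpected_logons(SAMPLE_EVENTS)` yields a single alert for the type-3 network logon from 10.0.0.5; the expected batch logon and the unrelated accounts produce nothing.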


Wow... I can't believe as big as Target is that they don't have at least one or more network administrators that would have balked at installing an account like that.

 

Probably have a couple looking for new jobs right now.. How'd you like to be one of those guys asking for a letter of recommendation? *evil-grin*


Publicly traded companies will continue to fall for this kind of thing until they begin to realize that these sorts of intrusions will compromise their overall profits. As long as they are looking at $$$ and bottom lines instead of security for the services they provide online as well as in their brick-and-mortar stores, you can guarantee that these problems will continue.
