Saks, Lord & Taylor Breaches: Privileged Account Compromise Never Goes Out of Style

Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

Saks Fifth Avenue and Lord & Taylor became the latest victims of cyber attacks that target major retailers and their PoS systems, resulting in the potential compromise of millions of payment cards.

While details of the attack are still emerging, initial reports about the breach and subsequent confirmation from the parent company, Hudson’s Bay Company, provide enough detail to identify potential pathways the attackers took – and assess what this breach means for other retailers to prevent similar attacks.

We’ll continue to analyze details of the attack – but a few major themes jumped out initially:

More than a PoS Breach – This Was a Network Takeover

While the PoS systems may have been the ultimate target, the attackers likely traversed the Hudson’s Bay network to get there. What this means is that the attackers took some level of control and gained persistence within the company’s network.

If the PoS system itself was the attack vector, we would likely hear about more breached retailers than just Saks and Lord & Taylor.

As we’ve seen in previous PoS attacks, privileged accounts are the primary enablers of full network compromise. Attackers typically gain a foothold through phishing attacks, steal credentials from the endpoint and elevate privileges while moving laterally across the network towards the PoS systems.

Once the attacker reaches the PoS, privileged credentials can be used to exfiltrate the payment card data while avoiding detection and setting off security alarms.

Based on initial analysis of available details, Hudson’s Bay provides costly lessons to other retailers about best practices in preventing PoS breaches, including:

Employ EMV Technology – Now

The most effective mitigation technique for this attack already exists – EMV or Chip-and-Pin technology can completely eliminate the risk of card numbers being exposed. From the initial reports, the breached retailers were using outdated magnetic strip readers, which exposed card data (tracks 1 and 2 currently sold in the black markets) in the PoS system memory. While these readers are less secure, they are still very common.

Attackers know this, and have created specific memory scraping malware for this purpose (BlackPoS).

Prevent Network Jumping

Based on patterns from previous breaches, it’s likely the attackers jumped from an employee endpoint to the PoS systems – which could mean there’s a security gap that allowed this hop. Secure retail networks should always be segmented from normal networks. A failure to segment the networks is a failure of basic security best practices.

In this case, the privileged account compromise provided the attackers with network control and easy access to the PoS system.

Even in the case of proper segmentation, attackers can exploit privileged accounts to build a bridge between the networks – but these types of attacks have typically been seen by nation-states targeting critical infrastructure or financial institutions.

What It Means for Other Retailers

While we can’t be sure that the attackers took over the ENTIRE Hudson’s Bay network, we do know that they had to achieve incredibly deep reach into the network to compromise all of the Saks and Lord & Taylor PoS systems.

Deep attacks of this nature often require the company to rebuild the network to remove the attacker and regain trust in the infrastructure.

Preventing these attacks starts with requiring multifactor authentication on all privileged accounts and removing hash residuals to prevent attackers from escalating across the network.

If privileged accounts are being used on vulnerable endpoints, the attack surface will continue to expand, allowing many possible locations for attackers to build a bridge and reach PoS systems. Automating the vaulting, protection and monitoring of those credentials is critical to containing these attacks and keeping the PoS system and associated networks safe.

The post Saks, Lord & Taylor Breaches: Privileged Account Compromise Never Goes Out of Style appeared first on CyberArk.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.
Promoted Content
Advanced cyber attacks involve compromised privileged accounts. Cyber attackers target them because they represent the keys to the IT kingdom. Effective enterprise security includes proactively protecting privileged accounts. Industry experts have identified practices that increase an organization’s vulnerability to a cyber attack. How many of these are common at your organization?

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?