Saks, Lord & Taylor Breaches: Privileged Account Compromise Never Goes Out of Style
April 5, 2018 | Security and Risk | Lavi Lazarovitz
Saks Fifth Avenue and Lord & Taylor became the latest victims of cyber attacks that target major retailers and their PoS systems, resulting in the potential compromise of millions of payment cards.
While details of the attack are still emerging, initial reports about the breach and subsequent confirmation from the parent company, Hudson’s Bay Company, provide enough detail to identify potential pathways the attackers took – and assess what this breach means for other retailers to prevent similar attacks.
We’ll continue to analyze details of the attack – but a few major themes jumped out initially:
More than a PoS Breach – This Was a Network Takeover
While the PoS systems may have been the ultimate target, the attackers likely traversed the Hudson’s Bay network to get there. What this means is that the attackers took some level of control and gained persistence within the company’s network.
If the PoS system itself was the attack vector, we would likely hear about more breached retailers than just Saks and Lord & Taylor.
As we’ve seen in previous PoS attacks, privileged accounts are the primary enablers of full network compromise. Attackers typically gain a foothold through phishing attacks, steal credentials from the endpoint and elevate privileges while moving laterally across the network towards the PoS systems.
Once the attacker reaches the PoS, privileged credentials can be used to exfiltrate the payment card data while avoiding detection and setting off security alarms.
Based on initial analysis of available details, Hudson’s Bay provides costly lessons to other retailers about best practices in preventing PoS breaches, including:
Employ EMV Technology – Now
The most effective mitigation technique for this attack already exists – EMV or Chip-and-Pin technology can completely eliminate the risk of card numbers being exposed. From the initial reports, the breached retailers were using outdated magnetic strip readers, which exposed card data (tracks 1 and 2 currently sold in the black markets) in the PoS system memory. While these readers are less secure, they are still very common.
Attackers know this, and have created specific memory scraping malware for this purpose (BlackPoS).
Prevent Network Jumping
Based on patterns from previous breaches, it’s likely the attackers jumped from an employee endpoint to the PoS systems – which could mean there’s a security gap that allowed this hop. Secure retail networks should always be segmented from normal networks. A failure to segment the networks is a failure of basic security best practices.
In this case, the privileged account compromise provided the attackers with network control and easy access to the PoS system.
Even in the case of proper segmentation, attackers can exploit privileged accounts to build a bridge between the networks – but these types of attacks have typically been seen by nation-states targeting critical infrastructure or financial institutions.
What It Means for Other Retailers
While we can’t be sure that the attackers took over the ENTIRE Hudson’s Bay network, we do know that they had to achieve incredibly deep reach into the network to compromise all of the Saks and Lord & Taylor PoS systems.
Deep attacks of this nature often require the company to rebuild the network to remove the attacker and regain trust in the infrastructure.
Preventing these attacks starts with requiring multifactor authentication on all privileged accounts and removing hash residuals to prevent attackers from escalating across the network.
If privileged accounts are being used on vulnerable endpoints, the attack surface will continue to expand, allowing many possible locations for attackers to build a bridge and reach PoS systems. Automating the vaulting, protection and monitoring of those credentials is critical to containing these attacks and keeping the PoS system and associated networks safe.