Home Depot: Someone's WEAK-ASS password SECURITY led to breach

It wasn't me, says mega-retailer

Hackers gained access to Home Depot's network via a third-party vendor system, according to preliminary results of an investigation into the September mega-breach.

Cybercrooks gained access to the US retail giant's network via ineffective password security at an unnamed third-party vendor, then ran a stepping-stone attack that ultimately let them achieve their objective of planting information-stealing malware on sales terminals, according to a statement by Home Depot on the investigation.

Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada.

Following the discovery of the breach, Home Depot acted quickly to block the hackers' method of entry and purge their malware from its systems but by then the damage had already been done.
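The chain Home Depot describes (vendor login at the perimeter, acquisition of elevated rights, movement into the payment segment, deployment to self-checkout systems) is what a detection team would try to correlate, since no single step in it looks abnormal on its own. The script below is an added example written for this article, not code from Home Depot, its investigators or The Register; the log format, the account names, the `pos-` host-naming convention for the card-handling segment and the seven-day correlation window are all constructed assumptions.

```python
"""Correlate a stolen-vendor-credential chain across constructed log events.

Added example, not from the Home Depot investigation. Log lines, account
names, host names and the 'pos-' zone prefix are made up for illustration.
Line format (constructed): timestamp|event|account|key=value|key=value...
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed accounts that belong to outside vendors (assumption).
VENDOR_ACCOUNTS = {"vendor-acct-a", "vendor-acct-b"}
# Constructed naming convention for hosts in the payment segment (assumption).
POS_PREFIX = "pos-"

# Constructed sample log. Only vendor-acct-a completes the full chain.
SAMPLE_LOG = """\
2014-04-11T02:13:55|login|vendor-acct-a|src=203.0.113.9|host=vpn-gw1
2014-04-11T02:20:10|login|jsmith|src=10.20.1.14|host=ws-0442
2014-04-12T09:00:00|login|vendor-acct-b|src=198.51.100.7|host=vpn-gw1
2014-04-12T09:30:00|host_access|vendor-acct-b|host=bms-ctl-03
2014-04-13T23:41:02|priv_grant|vendor-acct-a|group=WorkstationAdmins|by=vendor-acct-a
2014-04-14T00:05:31|host_access|vendor-acct-a|host=pos-selfchk-0117
2014-04-14T00:06:02|deploy|vendor-acct-a|host=pos-selfchk-0117|pkg=update.exe
2014-04-14T00:09:47|host_access|vendor-acct-a|host=pos-selfchk-0342
"""


@dataclass
class Event:
    ts: datetime
    kind: str      # login | priv_grant | host_access | deploy
    account: str
    attrs: dict    # remaining key=value fields


def parse_events(text):
    """Parse the constructed pipe-delimited format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, *kv = line.split("|")
        attrs = dict(item.split("=", 1) for item in kv)
        events.append(Event(datetime.fromisoformat(ts), kind, account, attrs))
    return events


def find_vendor_chains(events, vendor_accounts, window=timedelta(days=7)):
    """Return one record per vendor account whose login is followed, inside
    `window`, by a privilege grant and then by access to or a deployment on a
    host in the POS segment. Each step alone is routine; the sequence is not."""
    by_acct = {}
    for e in events:
        if e.account in vendor_accounts:
            by_acct.setdefault(e.account, []).append(e)

    chains = []
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e.ts)
        for i, login in enumerate(evs):
            if login.kind != "login":
                continue
            deadline = login.ts + window
            grant = next((e for e in evs[i + 1:]
                          if e.kind == "priv_grant" and e.ts <= deadline), None)
            if grant is None:
                continue
            pos_hits = [e for e in evs
                        if grant.ts < e.ts <= deadline
                        and e.kind in ("host_access", "deploy")
                        and e.attrs.get("host", "").startswith(POS_PREFIX)]
            if pos_hits:
                chains.append({
                    "account": acct,
                    "login": login.ts,
                    "src": login.attrs.get("src"),
                    "elevated_at": grant.ts,
                    "group": grant.attrs.get("group"),
                    "pos_hosts": sorted({e.attrs["host"] for e in pos_hits}),
                    "deploys": [e.attrs.get("pkg") for e in pos_hits if e.kind == "deploy"],
                })
                break  # one alert per account is enough
    return chains


if __name__ == "__main__":
    for chain in find_vendor_chains(parse_events(SAMPLE_LOG), VENDOR_ACCOUNTS):
        print(chain)
```

The point of the correlation is that vendor-acct-b, which also logged in from outside and touched a host, produces nothing: it never acquired elevated rights or reached the payment segment. A rule that alerted on every vendor login would have fired on both and been ignored; a rule keyed on the sequence fires once, on the account that behaved like an administrator it was never meant to be.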

Third parties were also, one way or another, to blame for other high-profile breaches, at retailer Target and at bank JPMorgan. Target was broken into via the firm's HVAC vendor, while the JPMorgan breach happened via a third-party website.

Chris Wysopal, CTO of application security company Veracode, commented: "It is clear that the theft of third party vendor credentials is a big risk for enterprises after seeing this attack vector used in recent major breaches. Enterprises should adopt 2 factor authentication for vendors who require access to their corporate networks and applications."

As reported earlier today, Home Depot also admitted on Thursday that hackers had swiped 53 million email addresses during the September mega-breach, which also led to the theft of data from 56 million credit/debit cards.

Home Depot is in the process of advising affected customers. In the meantime, shoppers are advised to be on their guard against phishing fraudsters who use the stolen email addresses to craft more convincing scams.

Trey Ford, global security strategist at Rapid7, the developers of Metasploit, said that the hack offered lessons that are applicable beyond the retail sector.

"So Home Depot confirmed several things the rest of us should remain aware of," Ford said. "Attackers were inside their organisation for five months before detection. The attackers entered with stolen credentials; they used a vendor’s username and password to log into Home Depot’s network.

"Let’s be clear: this is not hacking, this is routine activity that looks like normal behaviour.

"Once inside, the attackers picked up elevated rights to deploy software to point of sale systems, just like a systems administrator would — except they deployed specialized malware to do their dirty work," he concluded. ®

Biting the hand that feeds IT © 1998–2021