Hackers gained access to Home Depot's network via a third-party vendor system, according to preliminary results of an investigation into the September mega-breach.
Cybercrooks exploited ineffective password security at an unnamed third-party vendor's system to gain access to the US retail giant's network, then ran a stepping-stone attack that ultimately allowed them to achieve their objective of planting information-stealing malware on sales terminals, according to a statement by Home Depot on the investigation.
Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada.
Following the discovery of the breach, Home Depot acted quickly to block the hackers' method of entry and purge their malware from its systems, but by then the damage had already been done.
Third parties were also to blame, one way or another, for other high-profile breaches against retailer Target and bank JPMorgan. Target was broken into via the firm's HVAC vendor, while the JPMorgan breach happened via a third-party website.
Chris Wysopal, CTO of application security company Veracode, commented: "It is clear that the theft of third party vendor credentials is a big risk for enterprises after seeing this attack vector used in recent major breaches. Enterprises should adopt 2 factor authentication for vendors who require access to their corporate networks and applications."
As reported earlier today, Home Depot also admitted on Thursday that hackers had swiped 53 million email addresses during the September mega-breach earlier this year, which also led to the theft of data from 56 million credit/debit cards.
Home Depot is in the process of advising affected customers. In the meantime, shoppers are advised to be on their guard against the possibility of phishing fraudsters that use the stolen information to craft more convincing scams.
Trey Ford, global security strategist at Rapid7, the developer of Metasploit, said that the hack offered lessons that are applicable beyond the retail sector.
"So Home Depot confirmed several things the rest of us should remain aware of," Ford said. "Attackers were inside their organisation for five months before detection. The attackers entered with stolen credentials, they used a vendor’s username and password to log into Home Depot’s network.
"Let’s be clear: this is not hacking, this is routine activity that looks like normal behaviour.
"Once inside, the attackers picked up elevated rights to deploy software to point of sale systems, just like a systems administrator would — except they deployed specialized malware to do their dirty work," he concluded. ®