Equifax's Colossal Error: Not Patching Apache Struts FlawConfirmed: Hackers Behind Mega-Breach Exploited Struts Flaw; Patch Was Available
Equifax made an error that led to one of the largest and most sensitive data breaches of all time, and the mistake was elementary: The credit bureau failed to patch a vulnerability in Apache Struts - a web application development framework - in a timely manner.
See Also: Dynamic Detection for Dynamic Threats
The company updated its breach notification on Wednesday, confirming security watchers' speculations that Struts was involved in the breach, which had been based both on Equifax's infrastructure as well as the timing of vulnerabilities in - and patches for - Struts that have come to light this year (see Is Unpatched Apache Struts Flaw to Blame for Equifax Hack?).
To understand the full scope of the attack and breach, Equifax retained a digital forensics investigation firm - reported by ZDNet to be FireEye's Mandiant unit - and the investigation remains ongoing.
"We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise," the company says in a statement on its website.
While the attack vector is known, Equifax has yet to discuss who may have hacked it. Of course, it may never know.
But Equifax says the unidentified hackers had access to the personal details of 143 million U.S. consumers, as well as an unspecified number of British and Canadian consumers. Names, addresses, Social Security numbers and in some cases, driver's license numbers, are at risk. The breach also exposed credit card numbers for 209,000 U.S. consumers and credit dispute documentation for 182,000 people (see Equifax: Breach Exposed Data of 143 Million US Consumers).
Patch Was Available
Equifax's disclosure is likely to increase the pressure now facing the company, which faces Congressional hearings, probes by at least 40 states and dozens of class-action lawsuits (see Equifax Faces Mounting Anger, $70 Billion Lawsuit).
The Federal Trade Commission, which previously refused to comment on whether or not it has launched an investigation of any particular organization, now tells Information Security Media Group that it has made an exception in Equifax's case. "The FTC typically does not comment on ongoing investigations," says Peter Kaplan, the FTC's acting director of public affairs. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."
Security experts say that prompt patching of enterprise applications is a must-do practice, given the ease with which attackers can find and automatically exploit known flaws. Equifax has yet to explain why it delayed patching such critical software.
The exploited vulnerability, CVE-2017-5638, became public on March 6, when Apache released an updated version of Struts that fixed the flaw. Within a day, security analysts saw attacks against websites that were designed to exploit the flaw.
Equifax, meanwhile, says its breach began in mid-May but wasn't discovered until July 29.
Apache Struts 2, which uses Java Enterprise Edition, is widely used by many organizations, including airlines, car rental companies, e-commerce sites, social networks and government agencies.
The now-patched Struts flaw is among the most dangerous types of vulnerabilities because it allows hackers to remotely exploit the application and access the information that it stores. Given the severity of the flaw, the information security community had warned all users of the open source Apache Struts project software about the danger and severity posed by CVE-2017-5638 and urged them to upgrade to a patched version immediately.
Kevin Beaumont, a U.K.-based security researcher, writes on Wednesday that he repeatedly tweeted about the flaw when it was disclosed, warning of its severity.
"It doesn't get more serious - with a single web request, people can remotely run code on the web server and access files, potentially (and probably) bypassing all security controls," Beaumont writes in a blog post.
If you run Apache Jakarta Struts, there's a public, working remote exploit being used in the wild now. Upgrade ASAP. https://t.co/yG3awqgXJL— Kevin Beaumont (@GossiTheDog) March 8, 2017
Just a few days after the flaw was disclosed, other researchers began spotting websites vulnerable to the same Struts flaw. Beaumont writes that the website Xss.cx, which tracks security issues, found that the one-stop credit report website, annualcreditreport.com, was vulnerable.
The website lets consumers obtain a credit report once a year for free from the big three providers - Experian, Equifax and TransUnion. The website was created in 2003 to comply with new federal credit report disclosure rules.
Three days after Xss.cx published its report publicly, annualcreditreport.com - managed by Montreal-based consultancy CGI Group - still hadn't been fixed. Xss.cx showed how the flaw could be used to steal usernames and passwords for the site.
Beaumont blamed antiquated systems in desperate need of an overhaul - or replacement - for the problems. "The system is old," he writes. "These servers are the gateways to consumer credit report services, which plug into the databases of the big three providers."
After rumors began circulating that a Struts exploit may have enabled the Equifax breach, the Struts Project Management Committee, which oversees the project, quickly responded.
"We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework," wrote René Gielen, vice president of Apache Struts, in a statement issued Saturday.
The Struts team "puts enormous efforts in securing and hardening the software we produce and fixing problems whenever they come to our attention," he writes.
But he stressed that users of any type of software - open source or not - must track which versions of frameworks or software libraries they are using in live systems and respond quickly and carefully to all security announcements. His recommendations have obvious relevance to Equifax's failure to fix a flaw for more than two months after a patch was released, despite the flaw being actively exploited via in-the-wild attacks.
"Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons," Gielen writes. "Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years."