Is Unpatched Apache Struts Flaw to Blame for Equifax Hack?
Credit Bureau Has Yet to Describe Exploited 'Website Application Vulnerability'
Update (September 14): Equifax has confirmed that attackers breached its systems by exploiting a flaw in Apache Struts, CVE-2017-5638, that Apache fixed via a March software update. At the time of Equifax's mid-May breach, however, the credit bureau had not yet upgraded to the newer, patched version.
Equifax has yet to divulge many facts about the massive data breach it suffered, including who hacked the data bureau, how many individuals - beyond 143 million U.S. adults - were impacted, and how attackers managed to steal so much data for so long, without being detected.
What the credit bureau did say Thursday when it announced the data breach was that the incident began in mid-May and was discovered July 29, and that hackers "exploited a U.S. website application vulnerability to gain access to certain files."
The information about 143 million individuals exposed includes names, Social Security numbers, birth dates, addresses and in some cases, driver's license numbers. Equifax also says the breach exposed credit card numbers for 209,000 U.S. consumers.
Following that announcement, many security experts have questioned what application vulnerability the attacker or attackers might have exploited. Their thinking: If one of the country's biggest credit-check bureaus could have been hacked, then numerous other organizations are also likely at risk.
On Thursday, Baird Equity Research, part of the financial services firm Baird, released a report on Equifax - NYSE stock symbol: EFX - saying that attackers exploited a flaw in the Apache Struts computing platform.
"Our understanding is that data entered - and retained - through consumer portals/interactions - consumers inquiring about their credit reports, disputes, etc. - and data around it was breached via the Apache Struts flaw," according to a copy of Baird's report seen by Information Security Media Group.
It adds: "Key EFX databases are not known to have been breached as part of the incident, including the consumer credit file, TWN [The Work Number], NCTUE [National Consumer Telecom & Utilities Exchange], IXI [consumer wealth and asset data], or its commercial credit database."
The report does not cite a source for those observations. And Equifax has not responded to ISMG's requests for additional information on the breach.
Struts is Widely Used
But the potential exploitation of Struts is concerning because numerous sites run open source Apache Struts 2 - a widely used web application framework for Java Enterprise Edition. That includes sites for airlines, car rental firms and e-commerce shops as well as not-for-profit organizations, social networks and government agencies.
Apache continues to patch Struts to fix new flaws that come to light. In March, for example, Apache warned that attackers were exploiting a zero-day flaw in older versions of Struts to compromise servers and install malware. It urged users to update immediately to the latest versions, which fix the flaw (see Apache Struts 2 Under Zero-Day Attack, Update Now).
Many internet-connected databases have not been well secured, enabling attackers to launch SQL injection attacks that allow them to remotely dump the databases. Indeed, the Open Web Application Security Project, or OWASP, this year once again rated injection attacks as one of the top 10 threats facing web applications.
But the Baird report strongly suggests that Struts was exploited. Accordingly, all Struts users should review their implementations to ensure they are using the latest versions of the software, security experts say.
Cybersecurity vendor Imperva says there have been six Struts flaws of varying severity patched so far this year.
Vis-à-vis the Equifax breach, Jeff Williams, CTO of web application security firm Contrast Security, says in a blog post: "In my mind, there are two Struts vulnerabilities that jump out as possibilities" - the aforementioned CVE-2017-5638, as well as CVE-2017-9805, which was made public on Sept. 5.
"The first vulnerability from March [CVE-2017-5638] seems much more likely because it's easier to exploit and much better known," he says. "It also fits the timeline better, since it was released months before Equifax was attacked in July."
Williams, who previously chaired OWASP for eight years, notes that his firm has also been seeing attacks that target CVE-2017-5638 "for many months from all over the world, including China, Hong Kong, and India."
While it's possible that attackers were exploiting the more recently patched CVE-2017-9805, that "would mean that the attackers had this vulnerability before it was publicly released," Williams says. While that's possible, and was seen with the earlier of the two flaws, zero-day attacks remain relatively rare.
"Yesterday, several of our analysts reviewed all of the CVEs for the last year relating to Apache Struts. As others have stated, it's unlikely it was a zero-day vulnerability," Michael Sabo, vice president of marketing at database security firm DB Networks, told ISMG on Tuesday. "More likely it was an unpatched vulnerability that enabled remote attackers to execute system commands through an HTTP header. It's very possible they could then compromise the application's database credentials. At that point they have all of the privileges on the database that the application would. They essentially could dump the entire database."
Apache Urges Swift Patching
Apache has reacted quickly to suggestions that its Struts software may have been hacked.
"We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework," the Apache Struts Project Management Committee said in a statement issued Saturday.
"At this point in time it is not clear which Struts vulnerability would have been utilized, if any," it adds.
The statement further notes that Apache fixes Struts flaws as rapidly as possible. "We ... want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention," it says. "Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild."
But users of Struts, Apache says, need to ensure they have processes in place to rapidly deploy new versions of the framework. "Best is to think in terms of hours or a few days, not weeks or months," Apache says. "Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years."
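One way to put Apache's "hours or days, not weeks" advice into practice, as an added example that is not part of the article or of the Struts project: a Python script that inventories struts2-core jars under deployed webapp trees and flags any whose version is below the minimum fixed version for its release branch. The minimum versions are an input taken from the relevant Apache security bulletin; the values in the usage call and the webapps path are constructed placeholders, not real bulletin numbers.

```python
import os
import re

# Maven-style artifact names, e.g. struts2-core-2.5.10.1.jar or
# struts2-core-2.3.31-SNAPSHOT.jar; a qualifier after the numeric part is ignored.
JAR_RE = re.compile(r'^struts2-core-(?P<ver>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$')

def parse_version(ver):
    """'2.5.10.1' -> (2, 5, 10, 1); shorter tuples are zero-padded when compared."""
    return tuple(int(p) for p in ver.split('.'))

def version_at_least(found, minimum):
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def outdated_from_paths(paths, minimum_by_branch):
    """Return (path, version, required) for every struts2-core jar whose
    version is below the minimum for its major.minor branch, or whose branch
    has no known fixed version at all (required is then None)."""
    flagged = []
    for path in paths:
        m = JAR_RE.match(os.path.basename(path))
        if not m:
            continue
        ver = m['ver']
        branch = '.'.join(ver.split('.')[:2])
        required = minimum_by_branch.get(branch)
        if required is None or not version_at_least(ver, required):
            flagged.append((path, ver, required))
    return flagged

def outdated_struts(root, minimum_by_branch):
    """Walk a deployment tree (e.g. a servlet container's webapps directory)."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return outdated_from_paths(paths, minimum_by_branch)

if __name__ == '__main__':
    # Constructed placeholder minimums; take the real ones from the Apache bulletin.
    MINIMUMS = {'2.3': '2.3.40', '2.5': '2.5.20'}
    # Assumed container path; adjust to the deployment being checked.
    for path, ver, req in outdated_struts('/var/lib/tomcat/webapps', MINIMUMS):
        print(f'OUTDATED {path}: {ver} < {req or "no fixed version known"}')
```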
Additional Defenses
In addition, Apache warns that all software has flaws that could potentially be discovered and exploited by attackers. So it says organizations must ensure they safeguard software such as Struts using additional layers of security and monitor for unusual access patterns to detect potential zero-day attacks.
Some security experts have recommended using web application firewalls or user behavioral analytics tools to block any Struts-targeting exploits. "To protect against Apache Struts flaws, I would recommend network UBA and database UBA to immediately spot anomalies and identify attacks resulting from 0-day vulnerabilities," says Sabo of DB Networks.
"Once an Apache Struts vulnerability is identified and documented, immediately include an appropriate rule in the firewall(s) - this is known as a virtual patch," he adds. "Follow up and patch all instances of Apache Struts software."
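Sabo's "virtual patch" and anomaly-spotting advice, as an added example that is not from the article or any vendor: a Python check that scans constructed access-log lines for a request Content-Type header (the header parsed by the flawed multipart handling behind CVE-2017-5638) carrying OGNL expression markers, `%{` or `${`, which no legitimate media type contains, and URL-decodes the value first so an encoded marker is not missed. It assumes a custom log format that records the Content-Type request header as the final quoted field; the log lines are constructed samples, not Equifax data.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in an assumed custom format whose last quoted
# field is the request's Content-Type header. Markers are placeholders only.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2017:12:00:01 +0000] "POST /upload HTTP/1.1" 200 512 "multipart/form-data; boundary=----x1"
10.0.0.9 - - [10/Sep/2017:12:00:02 +0000] "POST /upload HTTP/1.1" 500 0 "%{#constructed_marker}"
10.0.0.7 - - [10/Sep/2017:12:00:03 +0000] "GET /index.action HTTP/1.1" 200 1024 "-"
10.0.0.9 - - [10/Sep/2017:12:00:04 +0000] "POST /upload HTTP/1.1" 500 0 "%25%7B%23encoded_marker%7D"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
# OGNL expression openers; a valid media type never contains either.
OGNL_MARKER_RE = re.compile(r'[%$]\{')

def normalize(value, rounds=2):
    """URL-decode up to `rounds` times so %25%7B-style encoding does not hide a marker."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_content_type(ctype):
    """True when the (decoded) Content-Type carries an OGNL expression opener."""
    return bool(OGNL_MARKER_RE.search(normalize(ctype)))

def find_suspicious(log_text):
    """Return (ip, request line, raw content-type) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines not in the assumed format are skipped, not judged
        if suspicious_content_type(m['ctype']):
            hits.append((m['ip'], m['req'], m['ctype']))
    return hits

if __name__ == '__main__':
    for ip, req, ctype in find_suspicious(SAMPLE_LOG):
        print(f'ALERT {ip} {req!r} content-type={ctype!r}')
```

The same predicate can back a WAF rule on the live header; matching on the decoded value is what keeps the virtual patch from being trivially sidestepped by percent-encoding.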
Why Won't Equifax Come Clean?
Again, however, the suggestion that attackers committed one of the biggest breaches in history by exploiting Apache Struts software used by Equifax remains unsubstantiated.
So, why hasn't Equifax described what happened?
"In all likelihood, counsel is advising them not to say anything lest they invite litigation and give evidence against their interest," according to information security expert William Hugh Murray. "The FBI is telling them not to say anything that might disclose to targets of investigation what they, the investigators, do and do not know."
Attackers Will Monetize Stolen Data
The impetus for stealing personally identifying information for 143 million U.S. adults, however, is no mystery.
Gartner analyst Avivah Litan says in a blog post that the stolen Equifax data has been - or will continue to be - monetized four ways by attackers:
- Sold and resold on the underground;
- Used to update existing, already stolen records about individual consumers that get bought and sold by cybercrime underground data brokers;
- Used to take over existing accounts - "for example bank accounts, brokerage accounts, phone service accounts (a common occurrence these days, for example with bitcoin wallet holders) and retirement accounts";
- Purchased by nation-states to build better dossiers on potential individuals they might try to recruit or blackmail, for intelligence-gathering purposes.
Security firm Trend Micro, which studies underground cybercrime markets, notes that "a data set of this size could be worth $27 million or more in the digital underground."