news

The Equifax breach: how the hackers may have accomplished it.

Equifax in its disclosure was not particularly forthcoming about how the attackers got into its systems. There's considerable speculation online that the hackers exploited a patchable but unpatched flaw in Equifax's website. The company says it noticed the breach on July 29th, and that it's called in a security company (FireEye's Mandiant unit) to help with remediation.

Early reports indicate that the hackers exploited an Apache Struts vulnerability (Quartz). Which vulnerability may have been exploited remains unclear, and the Apache Foundation has not yet been able confirm this explanation (Markets Insider). 

Industry reaction.

Michael Patterson, CEO of Plixer commented on the importance of recent discoveries of Apache Struts bugs:

“This is a significant finding given that the majority or our largest companies are using Apache Struts. Although, a patch for the vulnerability has since been released, given that many companies don’t stay on top of patches, there still could be plenty of time for malicious code writers to exploit it. Most organizations are aware that there is absolutely no way to prevent being compromised. The best defense for a company is to be very difficult to penetrate and hope that bad actors move onto an easier target. Also, network traffic analytics using NetFlow, IPFIX and other forms of meta data can help unearth abnormal traffic patterns that are often generated by these contagions." 

"The breach appears to be related to a website application vulnerability which could be anything," Viewpost’s Chief Security Officer, Chris Pierson said. "But, this all comes back to sound security development coding practices, active application scanning and testing, and integrating security into the engineering and development processes to make web applications more resilient. Really – it is the back to the basics of mitigating the OWASP Top 10 and SANS Top 20 vulnerabilities in your web application and make security the job of every engineer backed by a robust security and infrastructure team."

Tim Crosby, Senior Security Consultant at Spohn Security Solutions, sees a failure of web application vulnerability testing:

"This is not malicious code that was spread by multiple systems exploiting a common vulnerability like WannaCry or NotPetya even though a patch did exist. This was an organization that failed to do a complete web application vulnerability assessment prior to going live and probably did not implement an adequate access control lists or no access control list. By failing in one or both of those two areas – we all need to scrutinize our credit reports and worry that we will be the victims of identity theft. The criticism is warranted.

"The Web of Trust has now spread to the 'cloud' where this 'vulnerable web application' probably resided – based on mistakes/oversights we have observed many times there is a misconception that once moved to the 'cloud' all the business continuity issues are resolved. Many are: availability, [ease and] speed of recovery, addition of resources (memory, CPU, drive space on demand) but security is complicated. Where was the data replicated to? Where was it backed up to/archived; was that backed up? How do I get positive assurance of data destruction? Who manages access lists to web applications? Whose responsibility is it to verify and maintain those access lists? Who determines if one is necessary?" 

"Web Applications vulnerabilities continue to be a  critical exposure for many large organizations," said Mike Cotton, Vice President of Research and Development at Digital Defense: 

"Attackers have gotten more sophisticated at probing for flaws in the underlying frameworks that many of these applications are built on top of which can lead to widespread security exposures even for organizations with mature security programs and secure coding practices in place. As companies continue to pursue more rapid application development capabilities they need to ensure their security program keeps pace and travels at a similar speed."   

Netsparker CEO Ferruh Mavituna offered these thoughts on the breach:

“The Equifax hack is a perfect example that highlights how businesses can get bitten if web application security is not taken seriously. Researchers identified a cross-site scripting vulnerability on their website back in 2016, yet Equifax never responded to their reports and never fixed it.

"It is quite unlikely that the reported XSS vulnerability was the one that got them in trouble, although there have been cases in the past, like the Apache and Jira hacking incident in which a cross-site scripting vulnerability was used to gain access to protected information.

"Though it is clear that they are not following certain best practices; they are not forcing SSL on all their pages, they have information leakages as highlighted by @notdan on Twitter etc. They wouldn’t have to deal with such a costly mistake if they scanned their website with a web application security scanner, which can pin point such security issues to them within just a few minutes.”

Update, 9.17.17.

Leigh-Anne Galloway, Cyber Security Resilience Officer at Positive Technologies, shared her perspective (informed by recent work on Web application vulnerabilities):

“More often than not, we are seeing breaches as a result of an organization's failure to implement security 101 principles, proper patch management, secure software development, processes and procedures. It’s the basic things that organizations fail to do, again and again.

“There’s been a number of Apache Struts vulnerabilities identified recently – Cisco revealed a number of flaws in the open-source framework just last week – and web application vulnerabilities are unfortunately common. In this case, the vulnerability allowed attackers to execute arbitrary code on a server by manipulating the Content-Type HTTP header. Given how often flaws of this nature are discovered, it’s therefore not a huge surprise that an exploit of a vulnerability was the entry point for the Equifax breach. The cause though was a failure on Equifax’s part to patch the issue when a fix became available. The Equifax breach is an example of where some simple measures like a Web application firewall and patch management could have prevented a breach of unprecedented scale from occurring.”

John Suit, CTO at Trivalent, commented:

“In this case, hackers gained access to the data of credit reporting agency Equifax, potentially compromising personally identifiable information like social security numbers and addresses of 143 million American consumers. The data was found by exploiting a weak point in website software. A revelation of this immense size should serve as a wakeup call to organizations everywhere. Companies that store employees’ and customers’ information are targets to identity thieves. The only way to get ahead of a data breach is to address it as a likely probability, rather than impossibility. Organizations must seek next generation data protection solutions that will keep sensitive information safe – even in the event of a breach.”

Michael Patterson, CEO of Plixer, added to his earlier comments:

"A company’s motivation to patch systems is often a business decision based on risk.  Equifax may have had other more pressing IT projects at the time the Apache software update was released.  Perhaps someone in IT at Equifax decided that a new feature in a software system took priority or maybe something like integration with a strategic partner which lead to increased sales.  Any number of reasons like this could be behind why the patch wasn’t applied immediately. However, this was a critical patch and the outcome has been devastating. While companies will not be able to defend against all attacks due to their dynamic nature, they should have rapid response proceedures in place to detect and remediate attacks in a shorter period of time.  Network traffic analytics using NetFlow, IPFIX and other forms of meta data can help unearth abnormal traffic patterns that are often generated by these contagions and allow companies to respond and remediate faster.”

Related stories:

Follow the CyberWire