Equifax Confirms March Struts Vulnerability Behind Breach

Equifax said the culprit behind this summer’s massive breach of 143 million Americans was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.

The bug was widely assumed by experts to be the “U.S. website application vulnerability” implicated by the company last Thursday, especially after an Apache spokeswoman told Reuters on Friday that it appeared the consumer credit reporting agency hadn’t applied patches for flaws discovered earlier this year.

On Wednesday company specified the flaw in a statement posted to its site and stressed it was continuing to work alongside law enforcement to investigate the incident.

> “Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Until the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.

René Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote in open letter over the weekend that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts last Tuesday but Gielen said the Apache PMC would have known about it if it was being exploited in July.

An internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.

Jeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.

“The first vulnerability from March seems much more likely because it’s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.

“The process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,” Williams said.

The vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, was patched back in March but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found installing Cerber ransomware on vulnerable servers.

Famed cryptographer Bruce Schneier, CTO of IBM Resilient, weighed in on the Equifax fiasco on Wednesday and like IoT issues as of late have necessitated, suggested the only solution to preventing breaches like this from happening again is government intervention.

“By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,” Schneier wrote, “They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.”

Fittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company’s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.

“The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,” Warner wrote, “In ways similar to the financial service industry’s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.”

The letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.

“The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,” the senators wrote in a letter on Monday.

While the FTC doesn’t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the “intense public interest” and “potential impact of this matter,” it was looking into the breach.

Equifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site KrebsonSecurity.com said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden’s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI – the Argentinian equivalent of a Social Security Number.

The site, according to Holden “was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.” Krebs claims the portal was disabled upon notifying Equifax’s attorney and that the company is looking into how it may have been left unsecured.