
The Equifax data breach was one of the biggest data breaches ever to hit American consumers. As cybersecurity professionals, we have to ask what went wrong for 148 million Americans to have their names, phone numbers, home addresses, dates of birth, driver's license numbers and Social Security numbers exposed. That's almost half the country. On top of this, around 209,000 consumers had their credit card numbers exposed, which put them at significant risk of card fraud.
The vulnerability
It all started with a vulnerability called CVE-2017-5638 in Apache Struts 2, an open-source framework for building Java web apps. This wasn't just any old vulnerability, but one that gave an unauthenticated attacker remote code execution (RCE). The framework's Jakarta Multipart parser mishandled errors while processing file-upload requests: when a request carried a malformed Content-Type, Content-Disposition or Content-Length header, the header's value was copied into the error message, and Struts then evaluated that message as an OGNL expression. An attacker therefore didn't need to upload anything at all. A single HTTP request whose Content-Type header contained an OGNL expression was enough to run arbitrary commands on the server, as the user the application ran as. Affected releases were Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
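Because the attack rides entirely on the value of those three headers, it is also easy to spot in a reverse-proxy or WAF log. The following is an added example written for this article, not code from Equifax or Apache: it takes requests as header dictionaries (the sample requests are constructed, and the in-the-wild payload is shown only in a truncated, non-working shape) and flags any whose Content-Type, Content-Disposition or Content-Length header carries an OGNL expression delimiter or one of the identifiers the public exploit relies on, after a single round of percent-decoding so an encoded `%{` is not missed.

```python
"""Flag HTTP requests whose multipart headers carry OGNL expressions, the
pattern used against CVE-2017-5638 (Apache Struts S2-045).
Added example for this article; not Equifax's or Apache's code.
The header names and markers are assumptions drawn from the public advisory;
the requests at the bottom are constructed samples, not real traffic."""
import re
from typing import Dict, List

# The headers the Jakarta Multipart parser echoed into its error message,
# which Struts then evaluated as OGNL.
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL expression delimiters plus the identifiers a CVE-2017-5638 payload
# needs to escape the OGNL sandbox and spawn a process.
OGNL_MARKERS = re.compile(
    r"[%$]\{"                     # %{ ... } or ${ ... } expression start
    r"|#_memberAccess"            # sandbox object the payload rewrites
    r"|@ognl\.OgnlContext@"       # static access to DEFAULT_MEMBER_ACCESS
    r"|#cmd\s*="                  # command variable used in the ITW payload
    r"|java\.lang\.ProcessBuilder",
    re.IGNORECASE,
)

# One round of percent-decoding so '%25%7B' (an encoded '%{') is also caught.
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _unescape(value: str) -> str:
    return PCT.sub(lambda m: chr(int(m.group(1), 16)), value)


def is_struts_ognl_attempt(headers: Dict[str, str]) -> bool:
    """True if any parser-echoed header looks like an OGNL injection attempt."""
    for name, value in headers.items():
        if name.lower() not in SUSPECT_HEADERS:
            continue  # other headers are never reflected into the error message
        for candidate in (value, _unescape(value)):
            if OGNL_MARKERS.search(candidate):
                return True
    return False


def triage(requests: List[Dict[str, str]]) -> List[int]:
    """Indices of suspicious requests, so an analyst can pull the full captures."""
    return [i for i, req in enumerate(requests) if is_struts_ognl_attempt(req)]


# Constructed sample traffic (not Equifax logs).
SAMPLE_REQUESTS = [
    # 0: a normal browser file upload; must not be flagged
    {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
     "Content-Length": "1834"},
    # 1: ordinary form post
    {"Content-Type": "application/x-www-form-urlencoded", "Content-Length": "42"},
    # 2: truncated, non-working shape of the in-the-wild payload: an OGNL
    #    expression in place of the MIME type that disables the sandbox
    {"Content-Type": "%{(#_='multipart/form-data').(#cmd='id')."
                     "(#_memberAccess['allowStaticMethodAccess']=true)}"},
    # 3: expression smuggled in Content-Disposition instead
    {"Content-Type": "multipart/form-data; boundary=x",
     "Content-Disposition": "form-data; name=\"${@java.lang.Runtime@getRuntime()}\""},
    # 4: percent-encoded delimiter meant to evade a literal '%{' match
    {"Content-Type": "%25%7B(#_='multipart/form-data')%7D"},
]

if __name__ == "__main__":
    for i in triage(SAMPLE_REQUESTS):
        print(f"request {i}: possible CVE-2017-5638 attempt -> {SAMPLE_REQUESTS[i]}")
```

A legitimate multipart upload starts with `multipart/form-data; boundary=` and never contains `%{` or `${`, so the rule produces essentially no false positives on real upload traffic; the point of decoding once before matching is that a scanner which encodes the delimiter still reaches the vulnerable parser as a plain `%{`.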
The patch
The Apache Software Foundation issued a patch for the vulnerability on March 7, 2017, as Struts 2.3.32 and 2.5.10.1. On March 8, Equifax's security team received a notification from the Department of Homeland Security's US-CERT advising them of the critical vulnerability and the patch. The notification was circulated within Equifax with instructions to patch vulnerable systems within 48 hours, in line with the company's own patching policy. On March 15, Equifax ran a scan intended to find any systems still running the vulnerable versions, but the scan reported none.
The problem
It's normal for vulnerabilities to be found in software; what matters is what happens next, and at Equifax the patching process broke down. According to the United States Government Accountability Office's report on the breach (GAO-18-559), the internal notification was sent to an out-of-date distribution list, so the people responsible for the dispute portal never received the instruction to patch and never installed the fix. The follow-up scan then compounded the miss: it failed to detect the unpatched installation on the dispute portal's server, so that system stayed exposed to the internet while Equifax believed it was covered. Two independent controls, notification and verification, failed on the same system.
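A network scan that comes back clean is only as good as its coverage, which is why a host-side inventory of the actual Struts jars is the complementary check. Here is an added example for this article, not Equifax's scanner or Apache's code: it reads Struts 2 core jar versions out of file paths (the paths are constructed) and applies the affected ranges from the Apache advisory for CVE-2017-5638, 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1. The two branches have different fixed versions and one of them is a four-part number, which is exactly the comparison a hand-rolled "is it below X?" check tends to get wrong.

```python
"""Classify Struts 2 core jars as vulnerable or not to CVE-2017-5638.
Added example for this article; not Equifax's or Apache's code.
Version ranges are from the Apache S2-045 advisory; the jar paths below
are constructed samples."""
import re
from typing import List, Optional, Tuple

# Only the core jar carries the Jakarta Multipart parser; plugins are ignored.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

# Per branch: (first affected version, first fixed version). Anything in
# [first_affected, first_fixed) is vulnerable.
AFFECTED = {
    (2, 3): ((2, 3, 5), (2, 3, 32)),
    (2, 5): ((2, 5), (2, 5, 10, 1)),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare numerically, part by part,
    so (2, 5, 10) < (2, 5, 10, 1) and (2, 5, 12) > (2, 5, 10, 1)."""
    return tuple(int(p) for p in s.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True/False for a 2.3.x or 2.5.x version. None for a branch the advisory
    does not cover, so it gets a manual look instead of a silent 'clean'."""
    v = parse_version(version)
    rng = AFFECTED.get(v[:2])
    if rng is None:
        return None
    first_affected, first_fixed = rng
    return first_affected <= v < first_fixed


def audit(jar_paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, status) with status in
    vulnerable / not-affected / unknown-branch / unparsed."""
    labels = {True: "vulnerable", False: "not-affected", None: "unknown-branch"}
    results = []
    for path in jar_paths:
        m = JAR_RE.search(path)
        if not m:
            results.append((path, "unparsed"))  # not a core jar, or odd naming
            continue
        results.append((path, labels[is_vulnerable(m.group(1))]))
    return results


# Constructed sample inventory, e.g. the output of `find / -name 'struts2-*.jar'`.
SAMPLE_JARS = [
    "/opt/portal/WEB-INF/lib/struts2-core-2.3.31.jar",   # last unfixed 2.3
    "/opt/portal/WEB-INF/lib/struts2-core-2.3.32.jar",   # first fixed 2.3
    "/srv/app/WEB-INF/lib/struts2-core-2.5.10.jar",      # last unfixed 2.5
    "/srv/app/WEB-INF/lib/struts2-core-2.5.10.1.jar",    # first fixed 2.5
    "/srv/legacy/WEB-INF/lib/struts2-core-2.3.4.jar",    # predates the bug
    "/srv/legacy/WEB-INF/lib/struts2-core-2.1.8.1.jar",  # branch not covered
    "/srv/app/WEB-INF/lib/struts2-convention-plugin-2.3.31.jar",  # not core
]

if __name__ == "__main__":
    for path, status in audit(SAMPLE_JARS):
        print(f"{status:15} {path}")
```

Run against a real host inventory, any "vulnerable" or "unknown-branch" line is a ticket regardless of what the network scanner said; the two checks look at different evidence and should be reconciled rather than trusted individually.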
The attack
A patch is also a disclosure. Once it was public, attackers knew exactly what to look for, and a working exploit for CVE-2017-5638 was circulating within days. They scanned the internet for unpatched Struts installations, and by March 10, three days after the patch, they had found that the server hosting Equifax's online dispute portal was still running a vulnerable version. They exploited it and gained the ability to run commands on that server. At this stage they took no data.
On May 13, the attackers came back to the portal. Using the existing encrypted connections between the dispute portal and other internal systems, they sent queries and commands to those systems. Because that traffic was encrypted, and the device meant to inspect it had an expired certificate and so was no longer decrypting and inspecting anything, the activity passed Equifax's detection tools without raising suspicion.
While moving through Equifax's systems, the attackers found a file containing unencrypted usernames and passwords, which they used to reach additional databases. From the three databases initially linked to the dispute portal, they expanded to 48 more, 51 in all.
From these databases the attackers pulled personal data with roughly 9,000 queries, 265 of which returned PII, and exfiltrated it slowly and in small pieces over standard encrypted web protocols so that it blended into normal traffic. In total, they remained in the network for 76 days before Equifax discovered them on July 29, when the expired certificate on the traffic-inspection device was finally renewed and the suspicious traffic became visible. This approach netted the attackers a staggering amount of personal data on almost 150 million Americans.
That’s it for this week. Next week we’re going to delve into the major security takeaways and lessons we can learn from the Equifax breach.