Equifax Blames Breach on Apache Struts Flaw

Written by

Equifax has blamed last week’s data breach on an Apache Struts vulnerability.

The vulnerability allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, and was patched in March 2017. In an updated statement on its Equifax Security website, it said that it has been “intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted” and the firm determined that the attackers exploited the website application vulnerability.

“We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement”, the website said.

However in a statement released last weekend by the Apache Software Foundation, the Project Management Committee (PMC) backed its development team who it said “puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention.”

In an updated statement released today, the PMC said that after Equifax confirmed that "the vulnerability was Apache Struts CVE-2017-5638" on 13 September 2017”, but followed this saying: “this vulnerability was patched on 7 March 2017, the same day it was announced. In conclusion, the Equifax data compromise was due to their failure to install the security updates provided in a timely manner.”

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said: “Given how often flaws of this nature are discovered, it’s therefore not a huge surprise that an exploit of a vulnerability was the entry point for the Equifax breach.

“The cause though was a failure on Equifax’s part to patch the issue when a fix became available. The Equifax breach is an example of where some simple measures like a Web application firewall and patch management could have prevented a breach of unprecedented scale from occurring.”

After the breach was disclosed on September 7, the Equifax Security website is apparently returning different results to users about whether they are impacted or not. Also newly revealed is that an online employee tool used in Argentina could be accessed by typing "admin" as both a login and password. Once inside the portal, researchers from Hold Security found that they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address, reported Brian Krebs.

“The ‘list of users’ page also featured a clickable button that anyone authenticated with the ‘admin/admin’ username and password could use to add, modify or delete user accounts on the system.”

UPDATED: The Federal Trade Commission (FTC) has opened an investigation into the data breach. 

According to Reuters: “The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach,” spokesman Peter Kaplan said in a brief email statement.

What’s hot on Infosecurity Magazine?