On Wednesday, Equifax said that attackers made off with personal information on 143 million individuals after they exploited a known and patched hole in Apache Struts 2, a popular open source framework for developing web applications.
The company said that its investigation into the intrusion found that criminals exploited a vulnerability in the Apache Struts framework on one of the company’s U.S. based web applications. The vulnerability, CVE-2017-5638, affects a component of Struts called the Jakarta Multipart parser: a crafted Content-Type header on a file-upload request is echoed into an error message that Struts then evaluates as an OGNL expression, which lets an unauthenticated remote attacker execute arbitrary commands on the server. The Apache Software Foundation released a patch for the hole on March 7 of this year, but Equifax apparently failed to apply it.
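Because the exploit rides in the Content-Type header, a defender who logs that header at a reverse proxy or WAF can spot attempts after the fact. The following detection script is an added example, not code from the article or from Apache Struts; the log format it parses (timestamp, client IP, method, path, then the quoted Content-Type value) and the sample lines are constructed for this illustration, and the OGNL markers it looks for are the `%{...}` / `${...}` expression syntax plus identifiers that appear in the published S2-045 payloads.

```python
import re
from typing import List, Tuple

# CVE-2017-5638 (S2-045): the malformed Content-Type header carries an OGNL
# expression in %{...} or ${...} form. A legitimate media type never does.
OGNL_EXPR = re.compile(r"[%$]\{")
# Identifiers common to the public S2-045 payloads; their presence turns a
# merely malformed header into a confident exploit verdict.
OGNL_HINTS = re.compile(
    r"#_memberAccess|#context|#cmd|ProcessBuilder|@ognl\.OgnlContext|allowStaticMethodAccess",
    re.IGNORECASE,
)
# RFC-shaped media type with optional "; name=value" parameters (boundary, charset, ...).
LEGIT_CT = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=[^;]*)*$")

# Constructed proxy-log format assumed for this example (not a real product's format):
# <timestamp> <client-ip> <method> <path> "Content-Type: <header value>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "Content-Type: (?P<ct>.*)"$'
)


def classify_content_type(value: str) -> str:
    """Return 'exploit', 'suspicious' or 'ok' for one Content-Type header value."""
    v = value.strip()
    if OGNL_EXPR.search(v):
        # Any OGNL expression syntax in this header is hostile; the hint list
        # only decides how loudly to say so.
        return "exploit" if OGNL_HINTS.search(v) else "suspicious"
    if LEGIT_CT.match(v):
        return "ok"
    # Not an expression, but not a well-formed media type either (empty, garbage).
    return "suspicious"


def scan_log(lines) -> List[Tuple[str, str, str, str]]:
    """Scan log lines; return (timestamp, ip, path, verdict) for every non-'ok' request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # lines without a Content-Type field carry nothing to judge
        verdict = classify_content_type(m["ct"])
        if verdict != "ok":
            hits.append((m["ts"], m["ip"], m["path"], verdict))
    return hits


# Constructed sample log: one normal upload, one S2-045-style header, one
# probe with a bare expression, one ordinary JSON request.
SAMPLE_LOG = [
    '2017-03-08T10:21:03Z 198.51.100.7 POST /app/upload.action '
    '"Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
    '2017-03-08T10:21:09Z 203.0.113.5 POST /app/index.action '
    '"Content-Type: %{(#_=\'multipart/form-data\').'
    '(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd=\'id\')}"',
    '2017-03-08T10:22:41Z 203.0.113.9 GET /app/index.action "Content-Type: ${1+1}"',
    '2017-03-08T10:23:00Z 198.51.100.7 POST /app/api "Content-Type: application/json; charset=utf-8"',
]

if __name__ == "__main__":
    for ts, ip, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10s} {ts} {ip} {path}")
```

The check is deliberately header-only: it does not need the request body, and it flags the `${...}` probe even when no known payload identifier is present, because no legitimate client sends expression syntax in a media type. Run it against whatever field your proxy actually records; if the proxy does not log Content-Type at all, that is the first thing to fix.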
According to Wyatt Jefferies, the Senior Director of Public Relations at Equifax, the company is continuing its work with law enforcement as well as private cyber security firms and has shared indicators of compromise.
The company’s admission follows days of speculation in the media about the source of the breach, which focused early on Struts 2. The confirmation of the Struts vulnerability highlights a problem facing every organization that builds on shared code: a vulnerability in a widely used open source or proprietary platform is a vulnerability in every application built on top of it.
“Struts is so widely used; that’s why attacks like this are so common,” Brian Fox of the open source governance firm Sonatype told me. “It’s like a common mode failure that affects millions of applications.”
That makes any flaw in the platform a high priority for attackers, who can use public exploit archives like Exploit-DB and Internet search engines like Shodan to find exposed, vulnerable instances and then target their attacks at those, Fox said.
Lately, Struts 2 has been the gift that keeps on giving. The March 2017 disclosure was followed by a wave of attacks on a wide range of targets including banks, hospitals and government agencies around the globe, and it generated widespread alarm within security circles. Yet another critical hole, CVE-2017-9805, a deserialization flaw in the Struts REST plugin’s XStream handler, was disclosed in early September and is now being actively exploited.
It’s a mystery how all that managed to sneak by the folks at Equifax. Perhaps the company felt it wasn’t impacted by the vulnerability, rated a maximum-severity CVSS 10.0, because of the specifics of the application that used Struts 2, or perhaps the company put in place a mitigation for the vulnerability that shielded it from compromise - until it didn’t.
Fox said that applying patches even to critical components like Struts 2 isn’t difficult or even disruptive – as long as the company stays on top of them. Organizations that fall behind can quickly find themselves in a bind as their version of the software diverges further from the latest and the complexity of applying multiple layers of patches grows, leading to patch paralysis.
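Staying on top of patches starts with knowing which Struts build each application ships and which advisories that build predates. The audit below is an added example, not code from the article or from the Apache Struts project; the directory listing it inspects is constructed. The fixed-release table is taken from the Apache advisories for the two bugs discussed here (S2-045 fixed in 2.3.32 and 2.5.10.1; S2-052 fixed in 2.3.34 and 2.5.13), and the script goes slightly beyond the text by covering both CVEs in one check.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed release per branch (2.3.x and 2.5.x), per the Apache Struts advisories.
FIXES: Dict[str, Dict[Version, Version]] = {
    "CVE-2017-5638 (S2-045, Jakarta Multipart parser)": {
        (2, 3): (2, 3, 32),
        (2, 5): (2, 5, 10, 1),
    },
    "CVE-2017-9805 (S2-052, REST plugin XStream deserialization)": {
        (2, 3): (2, 3, 34),
        (2, 5): (2, 5, 13),
    },
}

# struts2-core jar names as they appear in WEB-INF/lib (e.g. struts2-core-2.3.31.jar).
JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(s: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare the way release ordering does."""
    return tuple(int(p) for p in s.split("."))


def unpatched(version: str) -> List[str]:
    """Advisories not yet applied in this Struts version (empty list = current for both)."""
    v = parse_version(version)
    branch = v[:2]
    missing = []
    for advisory, fixed_by_branch in FIXES.items():
        fixed = fixed_by_branch.get(branch)
        if fixed is None:
            # Branches older than 2.3 are end-of-life and never received these
            # fixes; report them as unpatched for that reason.
            missing.append(advisory)
        elif v < fixed:
            missing.append(advisory)
    return missing


def audit_libs(jar_names) -> Dict[str, List[str]]:
    """Map each struts2-core jar found in a lib listing to its missing advisories."""
    report = {}
    for name in jar_names:
        m = JAR.search(name)
        if m:
            report[name] = unpatched(m.group(1))
    return report


# Constructed listing of a few applications' WEB-INF/lib directories.
SAMPLE_LIBS = [
    "legacy-portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "legacy-portal/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "dispute-app/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "new-api/WEB-INF/lib/struts2-core-2.5.13.jar",
]

if __name__ == "__main__":
    for jar, missing in audit_libs(SAMPLE_LIBS).items():
        status = ", ".join(missing) if missing else "current for S2-045 and S2-052"
        print(f"{jar}: {status}")
```

A version check is the cheap first pass, not the last word: S2-045 is only reachable through the Jakarta Multipart parser and S2-052 only when the REST plugin is deployed, so a flagged build may have a mitigation in place. The point of the inventory is that you find out which case you are in before an attacker does, and that every jar the audit flags is one more layer of patches the team will have to apply at once.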
The consequences of letting patches lapse can be severe. Equifax’s stock price has dropped since the breach was announced. Scammers are targeting Equifax customers with bogus phone calls, class action lawsuits are underway in a number of states and multiple Congressional hearings are scheduled to delve into the details of the breach. In short: this is a problem that the company will be digging out from for months and even years to come.
The price of not patching is high, indeed.
Paul F. Roberts is Editor in Chief at The Security Ledger and founder of The Security of Things™ Forum.