Attacks/Breaches

9/14/2017
04:28 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FTC Opens Probe into Equifax Data Breach

Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.

Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential finanical devastation to the credit-monitoring firm.

In a statement to Dark Reading, an FTC spokesperson confirmed reports about the agency opening an Equifax breach investigation. 

"The FTC typically does not comment on ongoing investigations," the spokesperson said. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

Separately, the FTC Thursday also issued an alert, warning consumers of potential phishing scams related to the Equifax breach.

Equifax last week announced that intruders had broken into its systems between May and July this year and accessed Social Security Numbers, birthdates, and other sensitive data on 143 million US consumers. On Sept. 13, the company identified the vulnerability that enabled the intrusion as Apache Struts CVE-2017-5638, a flaw that was disclosed in March this year and which many believe Equifax should have addressed.

"This vulnerability was scored CVSS 10/10 – the highest rating," says Jeff Williams, co-founder and CTO at Contrast Security. "Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing," says Williams who earlier this year discovered and reported another Apache Struts flaw.

Williams describes the flaw that felled Equifax as giving attackers a way to take over an entire Web host with a single HTTP request. "Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack."

Flaws such as these are disclosed many times a year and require organizations to have processes in place to monitor for and replace libraries as vulnerabilities are disclosed. "Ensuring that you don't use libraries with known vulnerabilities has been in the OWASP Top 10 since 2009," he says.

Implementing the advice can be challenging, especially in large organizations such as Equifax, and can often require rewriting, retesting, and redeploying an application, Williams concedes. Even so, organizations absolutely need to have processes to ensure they don't use vulnerable libraries, he says.

"Updates to Apache Struts require more of a migration than the sort of in-place patching associated with the majority of updates," adds Michael Veenstra, Web researcher at SiteLock. The effort could require "a nontrivial amount of testing and development time to ensure existing applications functioned properly following the upgrade," he says.

In this case, however, there were intermediate workarounds suggested by the Apache Struts documentation that would have been significantly easier to implement in the short-term and given Equifax the time it needed to replace the vulnerable libraries.

Web access firewall rules could also have been put in place to identify attempts to exploit this vulnerability without affecting the performance of unrelated systems, Veenstra notes. "This flaw was definitely not one to ignore. Anyone running vulnerable versions of Struts should have made this an immediate, critical priority."

Adding to the growing feeling that Equifax's security practices may have been subpar were reports this week that the company had used a default "admin" username and password combination to protect an employee portal in Argentina.

Security blogger Brian Krebs described the portal, which has now been taken down, as something that was being used to handle consumer disputes over credit reports. Anyone that had access to the portal could view sensitive personal data of more than 100 Equifax employees in Argentina and some 14,000 records containing similar information on consumers who had disputes with the company.

Intrusions such as the one at Equifax, and the company's failure to detect it for more than two months, typically are used as examples of why organizations need to monitor their network activity more closely. But that alone is not enough, Veenstra says. Given the more than two-month window that the attackers had in this instance, it is hard to determine the rate at which they were exfiltrating data, he says.

"It's entirely possible that the adversary was carefully throttling the rate at which the data was being pulled. This can serve to reduce how 'noisy' the activity is on a target network," he notes. Such attacks really demonstrate is the need for multiple layers of security, he says.

Intrusion detection systems (IDS), for instance, should be put in place to identify when Web services are executing unusual system-level commands and Web application firewalls for monitoring for indications of attack. Interactions between Web services and sensitive databases need to be logged and monitored closely with transactions being directly connected to the activities requesting them. Internal systems also need to be separated to the extent possible to restrict attackers from moving around.

"Identifying suspicious requests early could have been the difference between thousands of victims and millions," Veenstra says.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/20/2017 | 1:52:49 PM
Re: Inexcusable
And i have never read of a security hack on an old Novell server!!!
gwilson001
50%
50%
gwilson001,
User Rank: Strategist
9/20/2017 | 1:48:21 PM
Re: Inexcusable
I too was a Novell Engineer many years ago and remember how painful setting up or migrating those servers could be.  In fact just setting up printing was a chore in those days!
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
9/20/2017 | 8:57:49 AM
Re: Inexcusable
I love the comment that the patch would have involved a non-trivial amount of effort.  OH, my heart doth bleed for the poor IT folks.  I remember full weekend migrations of Novell servers and while hard, it was --- well --- WHAT WE WERE PAID FOR!!!!  Stayed overnight in a hotel for that migration too.  While these efforts are not common --- they are part of our job.  
gwilson001
100%
0%
gwilson001,
User Rank: Strategist
9/19/2017 | 8:39:11 PM
Re: Inexcusable
Agreed, Equifax should not be allowed to continue as a business.  They have shown total negligence in securely storing data we did not give them explicit permission to store.  There's nothing they can do to restore confidence in their ability to house sensitive data.   Considering the power they have held over consumers credit, why should they get a second chance?  A funny side note: LifeLock is selling a product to monitor your credit for negative activity related to this event - LifeLock is simply rebranding the Equifax monitoring service and selling it to consumers.
TVUONG495
100%
0%
TVUONG495,
User Rank: Apprentice
9/15/2017 | 11:40:31 AM
Java and Open Source
The use of Java is a love/hate relationship.  It seems applying java updates is about 80% sure that it will break some applications in use within organization.  The Open Sources usage is also questionable in an organization like Equifax for extremely confidential information is kept and they are using software that everybody in the world has access to the source code of that software.  It just does not sit well.

Many orgranization have to fully regression test anything in Java because of its history of breaking things with each update and version.
JoeM066
100%
0%
JoeM066,
User Rank: Strategist
9/15/2017 | 10:09:28 AM
Inexcusable
This is one of three major credit reporting agencies that hold all of our personal data and they don't even require our explicit permission to hold it. Equifax deserves to lose it all over this breach. We can get by with just two major credit reporting agencies.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3965
PUBLISHED: 2019-03-23
Hospira Symbiq Infusion System 3.13 and earlier allows remote authenticated users to trigger "unanticipated operations" by leveraging "elevated privileges" for an unspecified call to an incorrectly exposed function.
CVE-2016-10743
PUBLISHED: 2019-03-23
hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.
CVE-2019-9947
PUBLISHED: 2019-03-23
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) follo...
CVE-2019-9948
PUBLISHED: 2019-03-23
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
CVE-2019-9945
PUBLISHED: 2019-03-23
SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user...