Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:28 PM
Connect Directly

FTC Opens Probe into Equifax Data Breach

Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.

Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential finanical devastation to the credit-monitoring firm.

In a statement to Dark Reading, an FTC spokesperson confirmed reports about the agency opening an Equifax breach investigation. 

"The FTC typically does not comment on ongoing investigations," the spokesperson said. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

Separately, the FTC Thursday also issued an alert, warning consumers of potential phishing scams related to the Equifax breach.

Equifax last week announced that intruders had broken into its systems between May and July this year and accessed Social Security Numbers, birthdates, and other sensitive data on 143 million US consumers. On Sept. 13, the company identified the vulnerability that enabled the intrusion as Apache Struts CVE-2017-5638, a flaw that was disclosed in March this year and which many believe Equifax should have addressed.

"This vulnerability was scored CVSS 10/10 – the highest rating," says Jeff Williams, co-founder and CTO at Contrast Security. "Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing," says Williams who earlier this year discovered and reported another Apache Struts flaw.

Williams describes the flaw that felled Equifax as giving attackers a way to take over an entire Web host with a single HTTP request. "Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack."

Flaws such as these are disclosed many times a year and require organizations to have processes in place to monitor for and replace libraries as vulnerabilities are disclosed. "Ensuring that you don't use libraries with known vulnerabilities has been in the OWASP Top 10 since 2009," he says.

Implementing the advice can be challenging, especially in large organizations such as Equifax, and can often require rewriting, retesting, and redeploying an application, Williams concedes. Even so, organizations absolutely need to have processes to ensure they don't use vulnerable libraries, he says.

"Updates to Apache Struts require more of a migration than the sort of in-place patching associated with the majority of updates," adds Michael Veenstra, Web researcher at SiteLock. The effort could require "a nontrivial amount of testing and development time to ensure existing applications functioned properly following the upgrade," he says.

In this case, however, there were intermediate workarounds suggested by the Apache Struts documentation that would have been significantly easier to implement in the short-term and given Equifax the time it needed to replace the vulnerable libraries.

Web access firewall rules could also have been put in place to identify attempts to exploit this vulnerability without affecting the performance of unrelated systems, Veenstra notes. "This flaw was definitely not one to ignore. Anyone running vulnerable versions of Struts should have made this an immediate, critical priority."

Adding to the growing feeling that Equifax's security practices may have been subpar were reports this week that the company had used a default "admin" username and password combination to protect an employee portal in Argentina.

Security blogger Brian Krebs described the portal, which has now been taken down, as something that was being used to handle consumer disputes over credit reports. Anyone that had access to the portal could view sensitive personal data of more than 100 Equifax employees in Argentina and some 14,000 records containing similar information on consumers who had disputes with the company.

Intrusions such as the one at Equifax, and the company's failure to detect it for more than two months, typically are used as examples of why organizations need to monitor their network activity more closely. But that alone is not enough, Veenstra says. Given the more than two-month window that the attackers had in this instance, it is hard to determine the rate at which they were exfiltrating data, he says.

"It's entirely possible that the adversary was carefully throttling the rate at which the data was being pulled. This can serve to reduce how 'noisy' the activity is on a target network," he notes. Such attacks really demonstrate is the need for multiple layers of security, he says.

Intrusion detection systems (IDS), for instance, should be put in place to identify when Web services are executing unusual system-level commands and Web application firewalls for monitoring for indications of attack. Interactions between Web services and sensitive databases need to be logged and monitored closely with transactions being directly connected to the activities requesting them. Internal systems also need to be separated to the extent possible to restrict attackers from moving around.

"Identifying suspicious requests early could have been the difference between thousands of victims and millions," Veenstra says.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/20/2017 | 1:52:49 PM
Re: Inexcusable
And i have never read of a security hack on an old Novell server!!!
User Rank: Strategist
9/20/2017 | 1:48:21 PM
Re: Inexcusable
I too was a Novell Engineer many years ago and remember how painful setting up or migrating those servers could be.  In fact just setting up printing was a chore in those days!
User Rank: Ninja
9/20/2017 | 8:57:49 AM
Re: Inexcusable
I love the comment that the patch would have involved a non-trivial amount of effort.  OH, my heart doth bleed for the poor IT folks.  I remember full weekend migrations of Novell servers and while hard, it was --- well --- WHAT WE WERE PAID FOR!!!!  Stayed overnight in a hotel for that migration too.  While these efforts are not common --- they are part of our job.  
User Rank: Strategist
9/19/2017 | 8:39:11 PM
Re: Inexcusable
Agreed, Equifax should not be allowed to continue as a business.  They have shown total negligence in securely storing data we did not give them explicit permission to store.  There's nothing they can do to restore confidence in their ability to house sensitive data.   Considering the power they have held over consumers credit, why should they get a second chance?  A funny side note: LifeLock is selling a product to monitor your credit for negative activity related to this event - LifeLock is simply rebranding the Equifax monitoring service and selling it to consumers.
User Rank: Apprentice
9/15/2017 | 11:40:31 AM
Java and Open Source
The use of Java is a love/hate relationship.  It seems applying java updates is about 80% sure that it will break some applications in use within organization.  The Open Sources usage is also questionable in an organization like Equifax for extremely confidential information is kept and they are using software that everybody in the world has access to the source code of that software.  It just does not sit well.

Many orgranization have to fully regression test anything in Java because of its history of breaking things with each update and version.
User Rank: Strategist
9/15/2017 | 10:09:28 AM
This is one of three major credit reporting agencies that hold all of our personal data and they don't even require our explicit permission to hold it. Equifax deserves to lose it all over this breach. We can get by with just two major credit reporting agencies.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-11
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.