Attacks/Breaches

9/14/2017
04:28 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FTC Opens Probe into Equifax Data Breach

Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.

Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential finanical devastation to the credit-monitoring firm.

In a statement to Dark Reading, an FTC spokesperson confirmed reports about the agency opening an Equifax breach investigation. 

"The FTC typically does not comment on ongoing investigations," the spokesperson said. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

Separately, the FTC Thursday also issued an alert, warning consumers of potential phishing scams related to the Equifax breach.

Equifax last week announced that intruders had broken into its systems between May and July this year and accessed Social Security Numbers, birthdates, and other sensitive data on 143 million US consumers. On Sept. 13, the company identified the vulnerability that enabled the intrusion as Apache Struts CVE-2017-5638, a flaw that was disclosed in March this year and which many believe Equifax should have addressed.

"This vulnerability was scored CVSS 10/10 – the highest rating," says Jeff Williams, co-founder and CTO at Contrast Security. "Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing," says Williams who earlier this year discovered and reported another Apache Struts flaw.

Williams describes the flaw that felled Equifax as giving attackers a way to take over an entire Web host with a single HTTP request. "Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack."

Flaws such as these are disclosed many times a year and require organizations to have processes in place to monitor for and replace libraries as vulnerabilities are disclosed. "Ensuring that you don't use libraries with known vulnerabilities has been in the OWASP Top 10 since 2009," he says.

Implementing the advice can be challenging, especially in large organizations such as Equifax, and can often require rewriting, retesting, and redeploying an application, Williams concedes. Even so, organizations absolutely need to have processes to ensure they don't use vulnerable libraries, he says.

"Updates to Apache Struts require more of a migration than the sort of in-place patching associated with the majority of updates," adds Michael Veenstra, Web researcher at SiteLock. The effort could require "a nontrivial amount of testing and development time to ensure existing applications functioned properly following the upgrade," he says.

In this case, however, there were intermediate workarounds suggested by the Apache Struts documentation that would have been significantly easier to implement in the short-term and given Equifax the time it needed to replace the vulnerable libraries.

Web access firewall rules could also have been put in place to identify attempts to exploit this vulnerability without affecting the performance of unrelated systems, Veenstra notes. "This flaw was definitely not one to ignore. Anyone running vulnerable versions of Struts should have made this an immediate, critical priority."

Adding to the growing feeling that Equifax's security practices may have been subpar were reports this week that the company had used a default "admin" username and password combination to protect an employee portal in Argentina.

Security blogger Brian Krebs described the portal, which has now been taken down, as something that was being used to handle consumer disputes over credit reports. Anyone that had access to the portal could view sensitive personal data of more than 100 Equifax employees in Argentina and some 14,000 records containing similar information on consumers who had disputes with the company.

Intrusions such as the one at Equifax, and the company's failure to detect it for more than two months, typically are used as examples of why organizations need to monitor their network activity more closely. But that alone is not enough, Veenstra says. Given the more than two-month window that the attackers had in this instance, it is hard to determine the rate at which they were exfiltrating data, he says.

"It's entirely possible that the adversary was carefully throttling the rate at which the data was being pulled. This can serve to reduce how 'noisy' the activity is on a target network," he notes. Such attacks really demonstrate is the need for multiple layers of security, he says.

Intrusion detection systems (IDS), for instance, should be put in place to identify when Web services are executing unusual system-level commands and Web application firewalls for monitoring for indications of attack. Interactions between Web services and sensitive databases need to be logged and monitored closely with transactions being directly connected to the activities requesting them. Internal systems also need to be separated to the extent possible to restrict attackers from moving around.

"Identifying suspicious requests early could have been the difference between thousands of victims and millions," Veenstra says.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
9/20/2017 | 1:52:49 PM
Re: Inexcusable
And i have never read of a security hack on an old Novell server!!!
gwilson001
50%
50%
gwilson001,
User Rank: Strategist
9/20/2017 | 1:48:21 PM
Re: Inexcusable
I too was a Novell Engineer many years ago and remember how painful setting up or migrating those servers could be.  In fact just setting up printing was a chore in those days!
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
9/20/2017 | 8:57:49 AM
Re: Inexcusable
I love the comment that the patch would have involved a non-trivial amount of effort.  OH, my heart doth bleed for the poor IT folks.  I remember full weekend migrations of Novell servers and while hard, it was --- well --- WHAT WE WERE PAID FOR!!!!  Stayed overnight in a hotel for that migration too.  While these efforts are not common --- they are part of our job.  
gwilson001
100%
0%
gwilson001,
User Rank: Strategist
9/19/2017 | 8:39:11 PM
Re: Inexcusable
Agreed, Equifax should not be allowed to continue as a business.  They have shown total negligence in securely storing data we did not give them explicit permission to store.  There's nothing they can do to restore confidence in their ability to house sensitive data.   Considering the power they have held over consumers credit, why should they get a second chance?  A funny side note: LifeLock is selling a product to monitor your credit for negative activity related to this event - LifeLock is simply rebranding the Equifax monitoring service and selling it to consumers.
TVUONG495
100%
0%
TVUONG495,
User Rank: Apprentice
9/15/2017 | 11:40:31 AM
Java and Open Source
The use of Java is a love/hate relationship.  It seems applying java updates is about 80% sure that it will break some applications in use within organization.  The Open Sources usage is also questionable in an organization like Equifax for extremely confidential information is kept and they are using software that everybody in the world has access to the source code of that software.  It just does not sit well.

Many orgranization have to fully regression test anything in Java because of its history of breaking things with each update and version.
JoeM066
100%
0%
JoeM066,
User Rank: Strategist
9/15/2017 | 10:09:28 AM
Inexcusable
This is one of three major credit reporting agencies that hold all of our personal data and they don't even require our explicit permission to hold it. Equifax deserves to lose it all over this breach. We can get by with just two major credit reporting agencies.
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
Hyatt Hit With Another Credit Card Breach
Dark Reading Staff 10/13/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.