Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:28 PM
Connect Directly

FTC Opens Probe into Equifax Data Breach

Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.

Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential finanical devastation to the credit-monitoring firm.

In a statement to Dark Reading, an FTC spokesperson confirmed reports about the agency opening an Equifax breach investigation. 

"The FTC typically does not comment on ongoing investigations," the spokesperson said. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

Separately, the FTC Thursday also issued an alert, warning consumers of potential phishing scams related to the Equifax breach.

Equifax last week announced that intruders had broken into its systems between May and July this year and accessed Social Security Numbers, birthdates, and other sensitive data on 143 million US consumers. On Sept. 13, the company identified the vulnerability that enabled the intrusion as Apache Struts CVE-2017-5638, a flaw that was disclosed in March this year and which many believe Equifax should have addressed.

"This vulnerability was scored CVSS 10/10 – the highest rating," says Jeff Williams, co-founder and CTO at Contrast Security. "Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing," says Williams who earlier this year discovered and reported another Apache Struts flaw.

Williams describes the flaw that felled Equifax as giving attackers a way to take over an entire Web host with a single HTTP request. "Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack."

Flaws such as these are disclosed many times a year and require organizations to have processes in place to monitor for and replace libraries as vulnerabilities are disclosed. "Ensuring that you don't use libraries with known vulnerabilities has been in the OWASP Top 10 since 2009," he says.

Implementing the advice can be challenging, especially in large organizations such as Equifax, and can often require rewriting, retesting, and redeploying an application, Williams concedes. Even so, organizations absolutely need to have processes to ensure they don't use vulnerable libraries, he says.

"Updates to Apache Struts require more of a migration than the sort of in-place patching associated with the majority of updates," adds Michael Veenstra, Web researcher at SiteLock. The effort could require "a nontrivial amount of testing and development time to ensure existing applications functioned properly following the upgrade," he says.

In this case, however, there were intermediate workarounds suggested by the Apache Struts documentation that would have been significantly easier to implement in the short-term and given Equifax the time it needed to replace the vulnerable libraries.

Web access firewall rules could also have been put in place to identify attempts to exploit this vulnerability without affecting the performance of unrelated systems, Veenstra notes. "This flaw was definitely not one to ignore. Anyone running vulnerable versions of Struts should have made this an immediate, critical priority."

Adding to the growing feeling that Equifax's security practices may have been subpar were reports this week that the company had used a default "admin" username and password combination to protect an employee portal in Argentina.

Security blogger Brian Krebs described the portal, which has now been taken down, as something that was being used to handle consumer disputes over credit reports. Anyone that had access to the portal could view sensitive personal data of more than 100 Equifax employees in Argentina and some 14,000 records containing similar information on consumers who had disputes with the company.

Intrusions such as the one at Equifax, and the company's failure to detect it for more than two months, typically are used as examples of why organizations need to monitor their network activity more closely. But that alone is not enough, Veenstra says. Given the more than two-month window that the attackers had in this instance, it is hard to determine the rate at which they were exfiltrating data, he says.

"It's entirely possible that the adversary was carefully throttling the rate at which the data was being pulled. This can serve to reduce how 'noisy' the activity is on a target network," he notes. Such attacks really demonstrate is the need for multiple layers of security, he says.

Intrusion detection systems (IDS), for instance, should be put in place to identify when Web services are executing unusual system-level commands and Web application firewalls for monitoring for indications of attack. Interactions between Web services and sensitive databases need to be logged and monitored closely with transactions being directly connected to the activities requesting them. Internal systems also need to be separated to the extent possible to restrict attackers from moving around.

"Identifying suspicious requests early could have been the difference between thousands of victims and millions," Veenstra says.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/20/2017 | 1:52:49 PM
Re: Inexcusable
And i have never read of a security hack on an old Novell server!!!
User Rank: Strategist
9/20/2017 | 1:48:21 PM
Re: Inexcusable
I too was a Novell Engineer many years ago and remember how painful setting up or migrating those servers could be.  In fact just setting up printing was a chore in those days!
User Rank: Ninja
9/20/2017 | 8:57:49 AM
Re: Inexcusable
I love the comment that the patch would have involved a non-trivial amount of effort.  OH, my heart doth bleed for the poor IT folks.  I remember full weekend migrations of Novell servers and while hard, it was --- well --- WHAT WE WERE PAID FOR!!!!  Stayed overnight in a hotel for that migration too.  While these efforts are not common --- they are part of our job.  
User Rank: Strategist
9/19/2017 | 8:39:11 PM
Re: Inexcusable
Agreed, Equifax should not be allowed to continue as a business.  They have shown total negligence in securely storing data we did not give them explicit permission to store.  There's nothing they can do to restore confidence in their ability to house sensitive data.   Considering the power they have held over consumers credit, why should they get a second chance?  A funny side note: LifeLock is selling a product to monitor your credit for negative activity related to this event - LifeLock is simply rebranding the Equifax monitoring service and selling it to consumers.
User Rank: Apprentice
9/15/2017 | 11:40:31 AM
Java and Open Source
The use of Java is a love/hate relationship.  It seems applying java updates is about 80% sure that it will break some applications in use within organization.  The Open Sources usage is also questionable in an organization like Equifax for extremely confidential information is kept and they are using software that everybody in the world has access to the source code of that software.  It just does not sit well.

Many orgranization have to fully regression test anything in Java because of its history of breaking things with each update and version.
User Rank: Strategist
9/15/2017 | 10:09:28 AM
This is one of three major credit reporting agencies that hold all of our personal data and they don't even require our explicit permission to hold it. Equifax deserves to lose it all over this breach. We can get by with just two major credit reporting agencies.
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...