Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:28 PM
Connect Directly

FTC Opens Probe into Equifax Data Breach

Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.

Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential finanical devastation to the credit-monitoring firm.

In a statement to Dark Reading, an FTC spokesperson confirmed reports about the agency opening an Equifax breach investigation. 

"The FTC typically does not comment on ongoing investigations," the spokesperson said. "However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

Separately, the FTC Thursday also issued an alert, warning consumers of potential phishing scams related to the Equifax breach.

Equifax last week announced that intruders had broken into its systems between May and July this year and accessed Social Security Numbers, birthdates, and other sensitive data on 143 million US consumers. On Sept. 13, the company identified the vulnerability that enabled the intrusion as Apache Struts CVE-2017-5638, a flaw that was disclosed in March this year and which many believe Equifax should have addressed.

"This vulnerability was scored CVSS 10/10 – the highest rating," says Jeff Williams, co-founder and CTO at Contrast Security. "Within hours of the disclosure, we started seeing widespread automated attacks attempting to exploit this vulnerability. Those attacks are still ongoing," says Williams who earlier this year discovered and reported another Apache Struts flaw.

Williams describes the flaw that felled Equifax as giving attackers a way to take over an entire Web host with a single HTTP request. "Essentially, an attacker could send a single HTTP request – just like the ones your browser sends – except with a specially crafted header that contains the attack."

Flaws such as these are disclosed many times a year and require organizations to have processes in place to monitor for and replace libraries as vulnerabilities are disclosed. "Ensuring that you don't use libraries with known vulnerabilities has been in the OWASP Top 10 since 2009," he says.

Implementing the advice can be challenging, especially in large organizations such as Equifax, and can often require rewriting, retesting, and redeploying an application, Williams concedes. Even so, organizations absolutely need to have processes to ensure they don't use vulnerable libraries, he says.

"Updates to Apache Struts require more of a migration than the sort of in-place patching associated with the majority of updates," adds Michael Veenstra, Web researcher at SiteLock. The effort could require "a nontrivial amount of testing and development time to ensure existing applications functioned properly following the upgrade," he says.

In this case, however, there were intermediate workarounds suggested by the Apache Struts documentation that would have been significantly easier to implement in the short-term and given Equifax the time it needed to replace the vulnerable libraries.

Web access firewall rules could also have been put in place to identify attempts to exploit this vulnerability without affecting the performance of unrelated systems, Veenstra notes. "This flaw was definitely not one to ignore. Anyone running vulnerable versions of Struts should have made this an immediate, critical priority."

Adding to the growing feeling that Equifax's security practices may have been subpar were reports this week that the company had used a default "admin" username and password combination to protect an employee portal in Argentina.

Security blogger Brian Krebs described the portal, which has now been taken down, as something that was being used to handle consumer disputes over credit reports. Anyone that had access to the portal could view sensitive personal data of more than 100 Equifax employees in Argentina and some 14,000 records containing similar information on consumers who had disputes with the company.

Intrusions such as the one at Equifax, and the company's failure to detect it for more than two months, typically are used as examples of why organizations need to monitor their network activity more closely. But that alone is not enough, Veenstra says. Given the more than two-month window that the attackers had in this instance, it is hard to determine the rate at which they were exfiltrating data, he says.

"It's entirely possible that the adversary was carefully throttling the rate at which the data was being pulled. This can serve to reduce how 'noisy' the activity is on a target network," he notes. Such attacks really demonstrate is the need for multiple layers of security, he says.

Intrusion detection systems (IDS), for instance, should be put in place to identify when Web services are executing unusual system-level commands and Web application firewalls for monitoring for indications of attack. Interactions between Web services and sensitive databases need to be logged and monitored closely with transactions being directly connected to the activities requesting them. Internal systems also need to be separated to the extent possible to restrict attackers from moving around.

"Identifying suspicious requests early could have been the difference between thousands of victims and millions," Veenstra says.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Strategist
9/15/2017 | 10:09:28 AM
This is one of three major credit reporting agencies that hold all of our personal data and they don't even require our explicit permission to hold it. Equifax deserves to lose it all over this breach. We can get by with just two major credit reporting agencies.
User Rank: Apprentice
9/15/2017 | 11:40:31 AM
Java and Open Source
The use of Java is a love/hate relationship.  It seems applying java updates is about 80% sure that it will break some applications in use within organization.  The Open Sources usage is also questionable in an organization like Equifax for extremely confidential information is kept and they are using software that everybody in the world has access to the source code of that software.  It just does not sit well.

Many orgranization have to fully regression test anything in Java because of its history of breaking things with each update and version.
User Rank: Strategist
9/19/2017 | 8:39:11 PM
Re: Inexcusable
Agreed, Equifax should not be allowed to continue as a business.  They have shown total negligence in securely storing data we did not give them explicit permission to store.  There's nothing they can do to restore confidence in their ability to house sensitive data.   Considering the power they have held over consumers credit, why should they get a second chance?  A funny side note: LifeLock is selling a product to monitor your credit for negative activity related to this event - LifeLock is simply rebranding the Equifax monitoring service and selling it to consumers.
User Rank: Ninja
9/20/2017 | 8:57:49 AM
Re: Inexcusable
I love the comment that the patch would have involved a non-trivial amount of effort.  OH, my heart doth bleed for the poor IT folks.  I remember full weekend migrations of Novell servers and while hard, it was --- well --- WHAT WE WERE PAID FOR!!!!  Stayed overnight in a hotel for that migration too.  While these efforts are not common --- they are part of our job.  
User Rank: Strategist
9/20/2017 | 1:48:21 PM
Re: Inexcusable
I too was a Novell Engineer many years ago and remember how painful setting up or migrating those servers could be.  In fact just setting up printing was a chore in those days!
User Rank: Ninja
9/20/2017 | 1:52:49 PM
Re: Inexcusable
And i have never read of a security hack on an old Novell server!!!
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.