In-brief: Beset by a plunging share price, class action lawsuits in dozens of states, pending Congressional hearings and a FTC investigation, Equifax on Wednesday finally settled speculation and named a six month old hole in a common software platform, Apache Struts, as the cause of a massive hack.
Beset by a plunging share price, class action lawsuits in dozens of states, pending Congressional hearings and a FTC investigation, Equifax on Wednesday finally settled speculation and named a six month old hole in a common software platform, Apache Struts, as the source of a massive hack of the company that resulted in the theft of information on 143 million individuals
In a statement the company said that a hole in the Apache Struts platform first identified in March, 2017 and patched in August was used by hackers to compromise a web application and gain access to the information which included names, email addresses and, for US residents, Social Security Numbers. The vulnerability, identified as CVE-2017-5638, was associated with a string of attacks in March when it was first identified. Equifax did not explain why it had not patched or taken steps to remediate the known security hole.
In a statement released to The Security Ledger, Equifax’s Senior Director of Public Relations, Wyatt Jefferies said that the company is working with law enforcement as part of a criminal investigation. The company shared details of the attack (or “indicators of compromise”) with law enforcement, he said.
Whatever the cause of Equifax’s delay, the costs to the company became apparent in recent days. The company took a hit for its bungled response to the breach, which included a support tool with terms of service that asked victims to waive their right to sue the company.
Most recently, the FTC opened an investigation into the firm and made the unusual step of publicly announcing the existence of the investigation, Bloomberg reported. That pushed Equifax’s stock down further on Thursday. The company, whose stock was trading at $142 a share the day before the breach was announced closed trading on Thursday at just $96 a share. States attorneys general are also investigating the security incident at the company. Consumers are having difficulty reaching the company via support lines and are being urged to freeze their credit at Equifax, Experian and other agencies or to register for credit monitoring and identity theft monitoring services out of fear that cyber criminals will use the stolen information to carry out identity theft scams. And, as often happens, lower tech scams are proliferating as well. The FTC’s Consumer Information website warned of phone scams claiming to come from Equifax and asking people to verify their account information.
The software hole exploited by the hackers was in a component of Struts version 2.3.x and 2.5.x called the Jakarta Multipart parser. Because of a flaw in the way the feature manages file uploads, attackers could run malicious commands on affected systems using specially crafted strings hidden in an HTTP header. Equifax’s explanation of the incident as an attack on a web application and the coincidence of a critical, remotely exploitable hole in Struts 2 in August prompted early speculation that the attack was linked to the most recent Struts hole. But security researcher Robert Hansen said that word on the streets pointed to an “older” vulnerability that was more than two months old.
He said that, despite the risk, companies often find excuses not to address such issues. “Companies are slow,” he said. “It represents an opportunity cost. They forget to do it. Etc. Etc. (There are) a million bad reasons.”
Organizations that stay on top of critical patches can typically apply new updates without causing disruptions to operations, said Brian Fox, the Chief Technology Officer at the firm Sonatype. However, as one patch gets delayed, companies develop a kind of patch debt that makes it even harder to find time to apply subsequent patches, creating a dangerous cycle of neglect, said Fox.