Equifax Data Breach: Unpatched Apache Struts Vulnerability Was Exploited In Hack

Credit reporting firm Equifax announced Thursday the hackers that breached its servers exploited an Apache Struts security vulnerability, which led to the exposure of personal information belonging to more than 143 million consumers in the United States.

While Equifax reported the breach occurred sometime around mid-May, the bug in the Apache Struts framework was fixed in March, more than two months before the apparent exploit on Equifax servers took place.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted,” the firm said in an update posted to a website dedicated to the breach.

“We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

Equifax's confirmation comes after a report from equity research firm Baird circulated last week blaming the same flaw.”

When first discovered back in March, the Apache Struts CVE-2017-5638 vulnerability was considered a zero-day—an exploit that could be attacked because the software maker was unaware of it or had yet to address it with a patch or fix.

By March 6, a patch for the vulnerability was made available and could be applied by anyone using Apache Struts—a popular and free, open-source framework used for creating Java-based web applications.

The threats associated with the vulnerability were far from unknown. Just days after the patch was released, cyber criminals went about attacking those who had failed to patch the exploit. Researchers at Cisco Systems deemed the vulnerability to be critical and noted a “high number of exploitation events” making use of the bug.

In one instance, a malicious group used the Apache Struts exploit to install Cerber ransomware on a number of locally networked machines. That endeavor ended up netting the hacking group more than $100,000 in Bitcoin.

Apache Struts is a widely used framework that many Fortune 500 companies have made use of, so when a major vulnerability is announced, it’s unsurprising that attackers would strike at it as quickly as possible in hopes of catching a company before they patch the problem. In the case of the vulnerability exploited in the Equifax breach, applying the patch was a labor intensive task, as it required rebuilding older, bug-plagued versions of the framework.

Still, the known timeline suggests Equifax had just over two months to patch the vulnerability and failed to do so. That lapse in security led to the breach that reportedly happened in May and wasn’t discovered by Equifax until July 29.

More often than not, we are seeing breaches as a result of an organization's failure to implement security 101 principles, proper patch management, secure software development, processes and procedures,” Leigh-Anne Galloway, Cyber Security Resilience Officer at Positive Technologies told International Business Times. “It’s the basic things that organizations fail to do, again and again.”