Equifax Hack Part II: The Hack Was Avoidable

September 15, 2017

Earlier this week we talked a bit about the Equifax hack and what you could do to immediately protect yourself if your Social Security Number was compromised.

Now it’s time to talk a little bit about what services are available that can immediately protect your sensitive systems from a similar type of attack.

Ready? Okay, let’s start with what exactly happened to Equifax and how this whole mess could have been avoided from the beginning.

Equifax updated EquifaxSecurity2017.com on September 13, 2017 to let people know that a vulnerability in Apache Struts CVE-2017-5638 was exploited by hackers in mid-May to steal 143 million Social Security numbers, birthdays, addresses and driver license numbers.

Apache Struts is a framework used to develop web applications. Equifax employed the framework on their website. Apache Struts versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are prone to a remote code-execution vulnerability. Specifically, this issue affects the Jakarta-based multipart file upload parser. An attacker can exploit this issue on unpatched systems through a malicious Content-Type value.

Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application.
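As an added illustration (not from the original post, and not Cloudflare's actual rule set), the Python check below shows the kind of inspection a WAF applies to the Content-Type header: a legitimate value is a media type with optional parameters, so an OGNL expression marker such as `%{` or `${` has no business being there. The sample requests and the `%{#constructed_sample}` value are constructed for the example and are not a working payload.

```python
import re

# OGNL expression markers; CVE-2017-5638 hinged on the Jakarta multipart
# parser evaluating such an expression found in the Content-Type header.
OGNL_MARKERS = ("%{", "${")

# RFC 7231 media type: token "/" token, then optional ";name=value" parameters.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
VALID_CONTENT_TYPE = re.compile(
    rf"^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=(\"[^\"]*\"|[^\s;]+))*\s*$"
)


def content_type_verdict(value: str) -> str:
    """'block' for OGNL-looking values, 'suspicious' for values that are not
    a syntactically valid media type, 'allow' otherwise."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "block"
    if not VALID_CONTENT_TYPE.match(value):
        return "suspicious"
    return "allow"


def scan_request(raw_request: str) -> dict:
    """Return a verdict per Content-Type header found in a raw HTTP request."""
    verdicts = {}
    for line in raw_request.split("\r\n")[1:]:
        if line == "":  # end of the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            verdicts["content-type"] = content_type_verdict(value.strip())
    return verdicts


# Constructed sample requests (hypothetical host, no real payload).
BENIGN_REQUEST = (
    "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----constructedBoundary\r\n"
    "Content-Length: 0\r\n\r\n"
)
HOSTILE_REQUEST = (
    "POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: %{#constructed_sample}\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(scan_request(BENIGN_REQUEST))   # {'content-type': 'allow'}
    print(scan_request(HOSTILE_REQUEST))  # {'content-type': 'block'}
```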

Apache released a patch in March to correct the issue, but Equifax didn’t deploy it. We don’t know that for sure, so don’t quote us. However, it seems likely to be the case. Apache commented on this in a well written blog post that we definitely recommend you read.

All that being said, we have to acknowledge a sad truth: the Equifax hack was completely avoidable. Had Equifax patched their instance of Struts, none of this would have happened.

So why didn’t they?

Brian Thomas has a few ideas on that.

“The reasons why companies don’t patch their systems are numerous, but top of that list is that business continuity, read commerce, generally trumps security,” he said. “On top of that, businesses often don’t employ proper vulnerability detection and patching procedures when it comes to critical vulnerabilities.”

Brian also suggested there was a chance Equifax didn’t even know about the vulnerability.

“In this instance, hypothetically, depending upon if or how often they perform vulnerability scans, they may not have even been aware of the problem,” he said.

What alternatives are there then? Cloudflare and CloudPassage.

When it comes to being a Managed Security Services Provider, cloud security is a big part of what we do. When the Equifax hack was announced we started asking this question around the office: could we, at that very moment, protect our clients from something similar?

The answer to that question is YES.

Both Cloudflare AND CloudPassage offer up services that would have blocked the exploit used by hackers in the Equifax hack.

Cloudflare has built-in WAF rules for each of the Apache Struts vulnerabilities used in the Equifax hack. On top of that, CloudPassage and their Software Vulnerability Assessment (SVA) module regularly scan protected servers to detect known vulnerable packages.

Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site request forgery with no changes to your existing infrastructure.

Meanwhile, CloudPassage’s SVA module scans the software installed on the servers, including the operating system, drivers, and applications, and cross-references it against known vulnerabilities. Information about installed packages is derived from the operating system’s package manager.

By default, SVA scans run automatically once per day and will flag vulnerabilities with a score of 5.0 or above as critical. Given the CRITICAL designation of this vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-9791), a security or operations team would have known that their infrastructure was in need of patching within 24 hours of the disclosure.
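The following Python snippet is an added example of the assessment logic described above, written for this post and not CloudPassage's own code: it takes a package inventory of the kind a package manager reports, applies the affected Struts ranges quoted earlier (2.3.x before 2.3.32 and 2.5.x before 2.5.10.1), and flags anything scoring 5.0 or above as critical. The inventory and the advisory entry, including its score, are constructed placeholders rather than NVD data.

```python
from typing import Callable, Dict, List, Tuple

CRITICAL_THRESHOLD = 5.0  # SVA default cited in the post

# Affected branches for CVE-2017-5638 as stated in the post: (branch, first fixed).
AFFECTED_RANGES = [((2, 3), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def struts_vulnerable(version: str) -> bool:
    """True when the version sits in an affected branch below the fixed release."""
    v = parse_version(version)
    return any(v[:len(branch)] == branch and v < fixed for branch, fixed in AFFECTED_RANGES)


# Constructed advisory feed: one entry, with a placeholder score (not the NVD value).
ADVISORIES: List[Dict] = [
    {"id": "CVE-2017-5638", "package": "struts2-core",
     "is_vulnerable": struts_vulnerable, "cvss": 9.9},
]


def assess(inventory: List[Tuple[str, str]]) -> List[Dict]:
    """Cross-reference (package, version) pairs against the advisory feed."""
    findings = []
    for name, version in inventory:
        for adv in ADVISORIES:
            if adv["package"] == name and adv["is_vulnerable"](version):
                severity = "critical" if adv["cvss"] >= CRITICAL_THRESHOLD else "low"
                findings.append({"package": name, "version": version,
                                 "id": adv["id"], "severity": severity})
    return findings


# Constructed inventory, as a package manager might report it.
SAMPLE_INVENTORY = [
    ("struts2-core", "2.3.31"),    # affected
    ("struts2-core", "2.5.10.1"),  # first fixed release on the 2.5 branch
    ("openssl", "1.0.2k"),         # not covered by the feed
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_INVENTORY):
        print(finding)
```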

As an MSSP we understand the security limitations a business can face. Cost, availability and experience are all hard to come by. It’s why we leverage services like Cloudflare and CloudPassage in our everyday operations. We trust them implicitly because when it comes to stuff like what happened at Equifax, they’re on the ball.

We leverage technology like this (and from other vendors) because it fits in with our Intelligence in Depth mentality. Intelligence in Depth gives us here at Integris the opportunity to protect our customers with an up-to-date, real-time security solution. It allows our customers to focus on what matters: their business.

We’ll worry about your security so that you don’t have to.

Carl Keyser is the Content Manager at Integris.
