February 18, 2020
Learn how Chinese hackers compromised Equifax
The Equifax data breach of the summer of 2017 was one of the most impactful in recent history, exposing sensitive data for as many as 143 million US consumers. It is in the news yet again because the Justice Department has just charged 4 Chinese military hackers for the breach. The full story of how the hack took place is interesting in its own right, and it is an example of how security negligence can lead to costly repercussions and destroy a brand's image.
So how did the Equifax breach happen?
Equifax was breached through exploitation of CVE-2017-5638, a vulnerability in the Apache Struts web application framework. The flaw was fixed in March 2017 and was under mass attack shortly afterwards. At this point the vulnerability was well known and organizations were told to update their applications with the patch. The Equifax breach, however, didn't occur until May 2017, meaning that there was a failure to patch for two months, despite warnings.
This led to over a year of investigations into the scope of the attack and what information had been accessed. After that, the U.S. House of Representatives Oversight and Government Reform Committee released a report stating that the breach was completely avoidable. The committee also reported a lack of accountability and management structure, outdated IT systems, and a failure to implement security measures.
Exploitation moved fast, as is repeatedly seen. The researcher who found the vulnerability released proof of concept (POC) code on March 7th. The very same day, a contributor to Metasploit created a pull request with an exploit for it, and it was eventually merged into the framework on the 14th. The very same day, Tenable added signatures to detect it with Nessus.
Cisco Talos reported as early as the 8th that the vulnerability was being actively exploited. This shows that the vulnerability was already being exploited within 0 to 24 hours of its public disclosure. Because exploit code had been released for testing your own systems, it was also possible to exploit systems on the internet with little effort.
According to the indictment, the Chinese defendants exploited the Equifax web server no later than May 13th. That's 67 days. During that time, it seems unlikely that nobody else had exploited the host, given that exploit tooling was readily available from day 0. Indeed, the tools are so easy to use that anybody can use them with little technical background. You will see this in the mission we put together here at Adversary.
Who was to blame?
As a result of the breach, the CEO, CIO, and CISO were all let go. Who is actually to blame in these situations, however, is a bit more complicated. The fault lies with many, including the hackers themselves, the company, and the particular employees who failed to ensure the patch was applied. After the release of the report, the former CEO actually threw one specific IT employee under the bus, blaming him for not ensuring communication to the right person to perform the patch.
The importance of keeping systems up to date
At the end of the day, however, no one person is to blame other than the hackers themselves. That said, corporations have a responsibility to protect their customer data from attackers to the best of their ability. This is done in many ways, in this case by keeping systems up to date. Another big part of ensuring corporate cybersecurity, however, is internal communication and education. If everyone takes security seriously and is aware of the potential repercussions and of how vulnerabilities can be exploited, the chances of a major breach like this one can be reduced.
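One way to check for the patch gap described above, as an added example that is not part of the original article or Adversary's own code: it flags struts2-core JARs in the version ranges that Apache's S2-045 advisory lists as affected by CVE-2017-5638 and counts the days each has been exposed since the March 7th proof of concept. The host names and paths are constructed sample data, and the function names are hypothetical.

```python
import re
from datetime import date

# Affected ranges from Apache advisory S2-045 (not stated in the article):
# 2.3.5 to 2.3.31 and 2.5 to 2.5.10; fixed in 2.3.32 and 2.5.10.1.
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
POC_RELEASED = date(2017, 3, 7)  # proof-of-concept date given in the article
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

def parse_version(jar_path):
    """Return the version tuple from a struts2-core JAR name, else None."""
    m = JAR_RE.search(jar_path)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def pad(version, width=4):
    """Pad with zeros so 2.5.10 and 2.5.10.1 compare correctly."""
    return tuple(version) + (0,) * (width - len(version))

def is_affected(version):
    v = pad(version)
    return any(pad(lo) <= v <= pad(hi) for lo, hi in AFFECTED)

def audit(inventory, as_of):
    """Map (host, struts2-core jar path) pairs to (host, status, days_exposed)."""
    findings = []
    for host, jar in inventory:
        version = parse_version(jar)
        if version is None:
            status = "unknown"  # renamed or pre-release JAR: check by hand
        elif is_affected(version):
            status = "vulnerable"
        else:
            status = "ok"
        days = (as_of - POC_RELEASED).days if status == "vulnerable" else 0
        findings.append((host, status, days))
    return findings

# Constructed sample inventory; host names and paths are hypothetical.
SAMPLE = [
    ("portal-01", "/opt/app/WEB-INF/lib/struts2-core-2.3.30.jar"),
    ("portal-02", "/opt/app/WEB-INF/lib/struts2-core-2.3.32.jar"),
    ("billing-01", "/srv/web/WEB-INF/lib/struts2-core-2.5.10.jar"),
    ("billing-02", "/srv/web/WEB-INF/lib/struts2-core-2.5.10.1.jar"),
    ("legacy-01", "/srv/old/WEB-INF/lib/struts2-core.jar"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, as_of=date(2017, 5, 13)):
        print(finding)
```

Run against May 13th, the date in the indictment, the vulnerable hosts show the same 67-day window the article counts.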
Try hacking it yourself
So enough with the back story. Want to experience first hand how to exploit Struts2? Jump into this free mission courtesy of Adversary.
Adversary builds an online, hands-on secure coding training platform for development teams. Trainees take on the role of the hacker as they complete training missions, earn points, and advance to harder missions. This approach to learning helps companies minimize the risk of an attack by teaching software developers why vulnerabilities such as the OWASP Top 10 arise and how to prevent them from occurring in the first place.