What we know about the Equifax massive data breach thus far.
The massive Equifax data breach that exposed highly sensitive data of as many as 150 million people was caused by exploiting a flaw in Apache Struts framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed.
Apache Struts Flaw
For those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.
Credit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. Rated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 220.127.116.11.
Despite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of nearly half of the US population.
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,” the company officials wrote in an update on the website with a new “A Progress Update for Consumers.”
“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
CVE-2017-5638 was a then-zero-day vulnerability discovered in the popular Apache Struts web application framework by Cisco’s Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. Equifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people’s information.
While the company was initially criticized for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.