Apache Struts Security Flaw May Cause Equifax Breach
Equifax, the credit security agency that recently faced a massive security breach, is yet to reveal the reasons behind the hacking which shook the company and compromised the security of more than 143 million Americans. And now it is being suggested that a security flaw in Apache Struts framework, which is an open source software for building Java Web applications, was what the hackers had successfully exploited to carry out the security breach.
Only recently, Baird Equity Research, part of the financial services firm Baird, released a report on Equifax saying that the attackers had exploited a flaw in the Apache Struts computing platform. A copy of Baird’s report seen by Information Security Media Group states that, “Our understanding is that data entered – and retained – through consumer portals/interactions – consumers inquiring about their credit reports, disputes, etc. – and data around it was breached via the Apache Struts flaw”.
Jeff Williams, the CTO of Contrast Security, states on his company’s blog that the Apache Struts vulnerability could be either CVE-2017-5638 or the recently exposed CVE-2017-9805. He further goes on to state that it should most probably be the former, since it has been used widely and is also easier to exploit. Williams further goes on to add that, organizations across the globe have taken a long time – well over four months – in learning to deal with CVE-2017-5638 and points out this could well be the reason behind falling prey to such a massive security breach.
How is Apache Reacting to the Blame?
Apache has been quick to react and has released a statement which says,”We are sorry to hear the news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework”. The Apache Struts Project Management Committee further goes on to add that, “At this point in time it is not clear which Struts vulnerability would have been utilized, if any”.
The Apache Struts Project Management Committee further notes that, “We want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild”.
Apache also stresses the need for better patch management policies to be in place which can deploy the security fixes the company releases if not immediately “but within few days and not after weeks or months” like it is done usually.
Why Isn’t Equifax Offering Any Explanations?
It seems Equifax which is already facing a billion dollar lawsuit, does not want to worsen its situation further by exposing details which might work against them. According to information security expert William Hugh Murray, “Counsel is advising them not to say anything lest they invite litigation and give evidence against their interest”. He further goes on to add that, “FBI is telling them not to say anything that might disclose to targets of investigation what they, the investigators, do and do not know”.
Hackers Will Monetize The Stolen Data
Since Equifax is a credit security agency, which deals with the sensitive information like name, date-of-birth, residential address, social security number etc., belonging to over 800 million individual consumers, the hackers are expected to reap massive benefits by making use of this stolen data.
According to Gartner analyst, Avivah Litan, the hacking enables the hackers to make some easy money using the following four ways:
- By reselling the stolen data
- By updating existing stolen records available amongst cyber-criminal community
- By taking control of existing accounts like bank accounts, phone accounts etc., using the stolen data
- By selling the data to those who wish to conduct cyber-espionage-related activities
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.