The BluVector Threat Team is continuing to track new information about the Equifax hack. Equifax posted an update on its breach website, equifaxsecurity2017.com which includes the following: “Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts 2 which was made public on March 6, 2017. It allows attackers to inject operating system commands into a web application through the “Content-Type” header. The vulnerability was actively being exploited at the time it was publicly announced and had a Common Vulnerability Scoring System (CVSS) v3 base score of 10.0 (Critical).
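A detector for the header-based injection described above, added here as an illustration and not part of BluVector's post or tooling. The sample requests are constructed and the `%{#marker}` strings are placeholders standing in for an expression, not real payloads; `parse_headers` and `check_request` are hypothetical names.

```python
import re
from typing import Optional

# Expression openers used by the Struts template language. A legitimate
# Content-Type value (e.g. "multipart/form-data; boundary=...") never contains them.
OGNL_MARKER = re.compile(r"[%$]\{")


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased dict.

    Folded continuation lines (leading SP/HTAB) are joined to the previous
    header so an attacker cannot split the marker across lines to evade the check.
    Repeated headers are joined with ", ".
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict = {}
    last = None
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = (headers[last] + ", " + value.strip()) if last in headers else value.strip()
    return headers


def check_request(raw: str) -> Optional[str]:
    """Return a finding if the Content-Type header carries an expression opener
    (the CVE-2017-5638 pattern), otherwise None."""
    ct = parse_headers(raw).get("content-type")
    if ct is not None and OGNL_MARKER.search(ct):
        return f"CVE-2017-5638 pattern in Content-Type: {ct[:80]!r}"
    return None


# Constructed sample traffic: one ordinary upload, two suspicious requests.
BENIGN = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n")
SUSPECT = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           "Content-Type: %{#marker}\r\n\r\n")
FOLDED = ("POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          "Content-Type: multipart/form-data;\r\n boundary=${#marker}\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT), ("folded", FOLDED)):
        print(name, "->", check_request(req))
```

On a real sensor the same check would run on every inbound request before it reaches Struts; a hit is a high-confidence alert because no browser or upload library emits braces in this header.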
Equifax advised that the breach occurred “mid-May,” which means that the vulnerability was unpatched for over two months before being exploited by the attackers, despite widespread coverage in the media at the time.
In a related story, journalist Brian Krebs reported that Hold Security reviewed Equifax’s South American websites: “It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’”