Falling Struts: Examining Equifax’s Breach

Originally posted: Tue, 11 Feb 2020 14:54:55

N.B. This was a paper I wrote for my degree course, giving my view of the disaster that was Equifax. I've just read that the US DoJ has decided to pin the attack directly on China and is levelling charges against Chinese citizens for the breach. I also haven't clarified what Equifax have done to remedy their many, many issues: this is because as far as I can tell, they've done very little.

Abstract— In the Spring of 2017, Equifax suffered multiple breaches of security, which lead to a 76-day access period to, and possible theft of nearly 150m records of PII, belonging to people in 3 different countries. This paper looks at the how the breaches happened, and what could have been done to prevent them.

I. Introduction

To understand fully the breach and its ramifications, this paper will examine 4 major aspects of this incident: 1) the company, Equifax; 2) the technical nature
of the breach and possible data theft; 3) how it could have been prevented; 4) and finally, the consequences of the breach and why they matter in the broader picture of security.

This analysis will consider how both technical competency and controls, and human competence (or lack, thereof) played a role in both the breach, and the handling of the fallout, thus highlighting the need for organisations to take a more security-focused posture to prevent further occurrences of data breaches, and loss of reputation.

Despite not being the biggest breach of 2017 (Yahoo! takes that title at having 3 billion accounts compromised), this attack does have several notable features, including the speed of attack (initial breach took place within 24 hours of the exploit being released); the length of the attack (76 days unadulterated access); and the lengthy response time of Equifax (146 days from release to patch being applied). These factors, as well as some legally questionable actions from the management team, leave Equifax a study in InfoSec gone wrong for years to come.

II. Equifax

A. Who are Equifax?

Equifax are a US-based Consumer Reporting Agency (CRA), although they operate across the globe [1]. While Equifax also employ data analytics for consumer, government and business markets [2], the relevant capacity for this incident is the CRA. A CRA is a credit agency, meaning that as a company, they hold large amounts of Personally Identifiable Information (PII) on millions of people, for the purpose of identifying, monitoring and improving their credit ratings. These credit ratings are then sold on to, and used by, many other companies to determine the financial viability of prospective customers.

B. Why is this important?

It is important to note that this breach took place in the USA, and that PII for consumers in the UK were also affected by this breach and theft. The first is important as the US, and Equifax, were judged to “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” [3], under the Data Protection Act (1998)1. The relevance of the second is to do
Fig. 1 CIA Triad[4]
with compliance and prosecution under UK law, the aforementioned DPA(1998). From a security perspective, good security practices should have been in place, and procedures followed, as the data being stored and processed here needed to be kept Confidential, and its Integrity was crucial. While it can be argued that the third leg of the CIA triad (see Figure 1), Availability, was also important to their operations, with either of the first 2 compromised, Availability was negligible.

III. Incident Overview

A. Brief Breach Timeline

As alluded to in the Abstract, there were 2 breach incidents, despite only one being the focus in subsequent investigations. The first breach appears to have been a trial run, although this attack is disputed by Equifax. According to 2 sources [2, p. 8] [5], Equifax was initially breached on 10th March 2017, using an exploit [6] created only days before. This Remote Code Execution (RCE) was created to exploit a vulnerability within the Apache Struts web application framework [7] [8]. Said vulnerability is one that had been known about, and had a patch released to remedy it, since 6th March 2017.

At this stage of compromise, it does not appear that the hackers took any further action until 13th May 2017. From this date until 30th July 2017 (76 days), the hackers gained access through Equifax’s Automated Consumer Interview System (ACIS) and performed thousands of queries on multiple sensitive databases throughout Equifax’s digital estate. The breach and unauthorized accesses went unnoticed until 29th July, which was patched a day later. It would further take until 7th September for the public to be notified of this incident
[2 p.9-11] [9].

1 GDPR was not applicable in this case as the legislation did not pass into active legal status until 2018

B. Other Notable Actions

After the announcement of the Common Vulnerabilities and Exposures (CVE) relevant to Apache Struts (CVE-2017-5638), Equifax’s internal InfoSec team released a notification that all systems relying on it should be patched, as per their 48-hour policy. This was forgotten by a member of the team, and not picked up on by other staff [13].After their first breach, Equifax did run a vulnerability scan, which found nothing (not even the unpatched vulnerability) [10].Security company Mandiant were brought in to investigate the breach internally, and the FBI were notified [2 p. 10].In the immediate aftermath, Equifax setup a website to help those possibly affected, but on their Twitter account repeatedly linked to a phoney website [12] Up to 145 million Americans, 19,000 Canadians [14], and 15 million Britons [15] were affected by the breach

VI. Breach Detail

Despite the flaws in the model, namely the first two links being difficult-to-impossible to either protect against, or model accurately post-incident without a
confession, Lockheed Martin’s Cyber Kill Chain® 16 does lend itself well as an analytical tool with which to dissect an attack.

Fig. 2 Lockheed Martin’s Cyber Kill Chain® [17]

In this case, the second phase, Weaponisation, can be understood by looking at the vulnerability and known exploits. However, any analysis of the preparation phase, Reconnaissance, will consist largely of speculation synthesised from other attacks allegedly committed by the alleged cyber-criminals responsible.

A. Alleged Hackers Responsible

Despite 2 years since the attack and exfiltration, no individual hacker, nor criminal organisation, hacktivist collective, known APT (Advanced Persistent Threat), nor nation-state have claimed responsibility for the Equifax breach.

Attribution is a common problem with any cyber-attack, particularly as any indicators can be faked or obscured. In this case, while no official body has pointed fingers directly at anyone, Bloomberg have suggested China a likely culprit, suggesting similarities with other attacks of a like nature [18]. While there does seem to be at least motivation justification for this, no further information suggesting this claim is correct (or incorrect) has been made available. Motive will be discussed later in this paper.

B. Reconnaissance

Without complete attribution, it is difficult to understand how the hackers came to target Equifax in particular. Two possibilities exist:

1) The attackers had already decided on Equifax as a target, either for their own purposes, or as part of an agreement with an external party;
Or
2) Using random IP enumeration, the hackers found Equifax vulnerable and decided to launch their attack based on the first “hit” they had.
Whichever of these option describes the motive of the bad actors, the tool used was likely to have been the vuln struts2 package [19], part of the popular exploit framework, Metasploit [20].

C. Weaponisation, Delivery, & Exploitation

This module breaks down into two parts: Reconnaissance and Attack. The reconnaissance aspect allows for a user to enter an IP address and port number, which will then be checked for the vulnerability.

The second part of the strutscodeexec_jakarta exploit module takes advantage of the flaw in the exception handling of the Content-Type value. The invalid value data that should be displayed in the error message, is instead parsed to the Object Graph Navigation Library (OGNL) [19, comment: tseller-r7] [21].

Using a properly crafted payload, OGNL’s blacklisted class method functionality can be completely bypassed, allowing an attacker to execute code to reach a system shell, and then further compromise the system. This is achieved by clearing out the exception list, leaving nothing to be compared to, rendering the blacklist neutered 22.

Using a specially designed Content-Type HTTP header with a specific string (in this case ‘#cmd=’, to launch command shells), it would have been easy for the hackers to take control of the server [23].

It follows that it is likely the attacker didn’t create or weaponise this exploit themselves, but used the freely available one in Metasploit. Although Equifax contest this, it is not unreasonable to propose that this part of the infiltration, the breach itself, took place on the 10th March, 2 months before beginning their objectives run. While it may seem unlikely attackers would breach a target this early, getting a foothold inside the system allows for a certain amount of control and foresight – had Equifax realised they had been breached and patched, the criminals could have reacted better rather than having to start the process from the beginning and finding another entry point.

Even if this was not the case, the hackers had still managed a successful dry run that provided proof of concept for later attempts, either on Equifax’s systems, or another, similarly security-lax network.

Content-Type: ${(#_='multipart/form data').(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear
Content-Length: 0

Figure 3: Sample exploit payload request, with blacklist clearing in bold [22]

D. Installation & C2

During this phase of an attack, the bad actors usually install some form of malware, like a Trojan or RAT, to establish a persistent connection. The Chinese connection has been made due to the use of malware known as China Chopper, a web shell designed for persistent control for webservers, as well as having several C2 features such as code obfuscation [26].

It has also become apparent that the attackers may not have had to go to such lengths to accomplish persistence.

As revealed during a class-action lawsuit against Equifax, a portal for credit disputes, that stored PII, was protected solely by the username/password combination of “admin/admin”. [24].

E. Actions on Objectives

Whether or not persistence had been maintained from the March attempt, the cyber-criminals had complete access to several databases containing over 160 million people’s records. Over 9,000 queries have been acknowledged by Equifax to have been made [1, p.9].

It is either unknown or unreported how much, if any data was exfiltrated from the databases, but with that many searches being made, it would be naïve to ignore the possibility. What is known is that none of the data has shown up on any sites, on the indexed web nor the dark web, for sale.

V. Motivation

As mentioned earlier, there is no known definitive proof to reveal a culprit. However, some speculation can be made based on the events and using logic extrapolated from this information.

Current thinking contends that this was the work of a nation-state, like China, to accomplish one (or more) of several aims, including:
1) Use of financial data to identify current US intelligence workers [25];
2) To identify possible double agents through blackmail or extortion;
3) Aiding economic warfare through using the data to model consumer trends;
4) Theft of Equifax Intellectual Property
5) Build a “data lake” to track government and intelligence workers

Other options could include competitor action, either industrial espionage or sabotage, that went too far. It is also possible that it was a script kiddie who got in over their heads.

VI. Equifax Failures

While malicious actors are the only ones to blame for committing criminal acts, Equifax must also be held to account for their many failures and blunders in this breach.

A. Halting the Breach

It should be noted that this breach could have been halted at anytime, and should never have happened (at least in this manner) at all.
The patch for vulnerability CVE-2017-5638 had been released several days before the March breach. This had even been noted by Equifax’s InfoSec team, who had sent instructions that this patch be applied, as per company policy, within 48 hours. This was missed by one employee, and wasn’t carried out. Mistakes happen all the time, however this should have been caught by other team members, management, and even the InfoSec team themselves, but it was missed.

When a vulnerability scan was conducted days after the March incident, the vulnerability was not even seen, implying that the techinque used was old, or the signatures used were out-of-date. Again, at this point the missed patch should have been caught, as it should have been noticed as missing from the scan.

B. During Breach

For 76 days, no alarms were tripped, no suspicious activity was logged, while millions of records were compromised. This implies a serious lack of access controls on user accounts and databases, as well as no monitoring on systems containing sensitive information.

Another measure that could be applied here are canary tokens or honeypots [27] [28].

C. Post Breach

To give information to the public after the breach was announced, Equifax setup a website, equifaxsecurity2017.com. On it’s Twitter account, the company relayed the address as securityequifax2017 no less than 8 times[12].

During a class action lawsuit against Equifax, it has been revealed that the company were also storing unencrypted PII, on a public-facing server, that also contained the encryption keys for those data that were encrypted [24].

Conclusions

Data breaches and cyber-attacks have rapidly become a fact of existence for organisations and individuals alike in the 21st Century. Increasing legislation and regulations are being drawn up to ensure that the security of the CIA triad is embedded within the ethos of a company.

Equifax’s many failings, technical, procedural, and human, contributed to making what should have been a one-off, lucky knock on the digital door, into one of the most expensive, most publicised and publicly humiliating incidents the world had seen up to 2017.

However, the only real damage done to the firm was in the eyes of those who launched the class-action suit, and the professional security community. Somehow, despite 3 of the C-Suite retiring (with generous golden handshakes), the company still maintained governmental contracts and carried on business, almost as normal.

If there are lessons to be learned here, then they are to constantly review your security, follow a recognised framework, and it is cheaper to secure than to pay out $700+ million in damages.

References

[1]U.S. House of Representatives Committee on Oversight and Government Reform, "The Equifax Data Breach", Committee on Oversight and Government Reform, Washington, D.C., 2018.
[2]"Company Profile | About Us | Equifax UK", Equifax.co.uk, 2019. [Online]. Available: https://www.equifax.co.uk/about-equifax/company-profile/en_gb. [Accessed: 28- Nov- 2019].
[3]Data Protection Act 1998, vol. HM Government, 1998.
[4]The Informed Future Team, CIA Triad. 2019.
[5]M. Riley, A. Sharpe and J. Robertson, "Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed", Bloomberg.com, 2017. [Online]. Available: https://www.bloomberg.com/news/articles/2017-09-18/equifax-is-said-to-suffer-a-hack-earlier-than-the-date-disclosed. [Accessed: 28- Nov- 2019].
[6]V. Woo, "Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution", Exploit Database, 2017. [Online]. Available: https://www.exploit-db.com/exploits/41570. [Accessed: 28- Nov- 2019].
[7]"CVE -CVE-2017-5638", Cve.mitre.org, 2017. [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638. [Accessed: 28- Nov- 2019].
[8]"Welcome to the Apache Struts project", Struts.apache.org, 2018. [Online]. Available: https://struts.apache.org/. [Accessed: 28- Nov- 2019].
[9]"Equifax Breach Timeline — GracefulSecurity", Gracefulsecurity.com, 2017. [Online]. Available: https://www.gracefulsecurity.com/equifax-breach-timeline/. [Accessed: 28- Nov- 2019].
[10]R. Chirgwin, "Equifax couldn't find or patch vulnerable Struts implementations", Theregister.co.uk, 2017. [Online]. Available: https://www.theregister.co.uk/2017/10/02/equifax_ceo_richard_smith_congressional_testimony/. [Accessed: 28- Nov- 2019].
[11]I. Thompson, "Equifax execs sold shares before mega-hack reveal. All above board – Equifax probe", Theregister.co.uk, 2017. [Online]. Available: https://www.theregister.co.uk/2017/11/03/equifax_share_trade_investigation/. [Accessed: 28- Nov- 2019].
[12]E. Kovcs, "Equifax Sent Breach Victims to Fake Website | SecurityWeek.Com", Securityweek.com, 2017. [Online]. Available: https://www.securityweek.com/equifax-sent-breach-victims-fake-website. [Accessed: 28- Nov- 2019].
[13]A. Glenn, "Equifax: Anatomy of a Security Breach", BBA(Hns), Georgia Southern University, 2018.
[14]T. Press, "Equifax doubles number of Canadians hit by breach, now more than 19,000 | CBC News", CBC, 2017. [Online]. Available: https://www.cbc.ca/news/business/equifax-canadians-affected-update-1.4424066. [Accessed: 29- Nov- 2019].
[15]C. Williams, "Oi, you. Equifax. Cough up half a million quid for fumbling 15 million Brits' personal info to hackers", Theregister.co.uk, 2018. [Online]. Available: https://www.theregister.co.uk/2018/09/20/equifax_ico_fine/. [Accessed: 29- Nov- 2019].
[16]"Gaining the Advantage", Lockheedmartin.com, 2015. [Online]. Available: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf. [Accessed: 29- Nov- 2019].
[17]Lockheed Martin, Cyber Kill Chain. 2015.
[18]M. Riley, J. Robertson and A. Sharpe, "The Equifax Hack Has the Hallmarks of State-Sponsored Pros", Bloomberg.com, 2017. [Online]. Available: https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros. [Accessed: 29- Nov- 2019].
[19]"CVE-2017-5638 - Apache Struts2 S2-045 · Issue #8064 · rapid7/metasploit-framework", GitHub, 2017. [Online]. Available: https://github.com/rapid7/metasploit-framework/issues/8064. [Accessed: 29- Nov- 2019].
[20]Metasploit. Rapid7, 2017.
[21]A. org, "OGNL - Apache Commons OGNL - Object Graph Navigation Library", Commons.apache.org, 2013. [Online]. Available: https://commons.apache.org/proper/commons-ognl/. [Accessed: 29- Nov- 2019].
[22]E. Rafaloff, "GDS - Blog - An Analysis of CVE-2017-5638", Blog.gdssecurity.com, 2017. [Online]. Available: https://blog.gdssecurity.com/labs/2017/3/27/an-analysis-of-cve-2017-5638.html. [Accessed: 29- Nov- 2019].
[23]G. Duan, "Equifax Data Breach Analysis: Container Security Implications - NeuVector", NeuVector, 2017. [Online]. Available: https://neuvector.com/container-security/equifax-data-breach-analysis/. [Accessed: 29- Nov- 2019].
[24]K. O' Flaherty, "Equifax Lawsuit: ‘Admin’ As Password At Time Of 2017 Breach", Forbes.com, 2019. [Online]. Available: https://www.forbes.com/sites/kateoflahertyuk/2019/10/20/equifax-lawsuit-reveals-terrible-security-practices-at-time-of-2017-breach/. [Accessed: 29- Nov- 2019].
[25]K. Fazzini, "The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme", CNBC, 2019. [Online]. Available: https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html. [Accessed: 29- Nov- 2019].
[26]"Web Shells: China Chopper", Canadian Centre for Cyber Security, 2018. [Online]. Available: https://cyber.gc.ca/en/guidance/web-shells-china-chopper. [Accessed: 29- Nov- 2019].
[27]"Canarytokens.org - Quick, Free, Detection for the Masses", Blog.thinkst.com, 2017. [Online]. Available: https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html. [Accessed: 29- Nov- 2019]
.[28]"What is a honeypot? How it can lure cyberattackers", Us.norton.com, 2017. [Online]. Available: https://us.norton.com/internetsecurity-iot-what-is-a-honeypot.html. [Accessed: 29- Nov- 2019].


You'll only receive email when they publish something new.

More from BastardAcademic
All posts