CVE-2017-5638 Apache Struts vulnerability is the root cause behind Equifax data breach

It’s official, the Equifax data breach case was caused by the exploitation of the CVE-2017-5638 Apache Struts vulnerability.

The Equifax data breach case was solved, that incident was caused by the exploitation of the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.  Just after the experts from the Cisco Talos publicly disclosed it, proof-of-concept exploit code for  Metasploit was made available allowing anyone to launch public scans. The attacks leveraging the flaw spiked and in one case crooks leveraged on the flaw to deliver Cerber ransomware of the vulnerable servers.

The vulnerability was fixed back in March, but the company did not update its systems, the thesis was also reported by an Apache spokeswoman to the Reuters agency.

The website of Equifax was updated only Wednesday while the company and law enforcement were investigating the incident.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.” reads the statement published by the company on its website.

Shortly after the Equifax data breach, security experts pointed out different possible causes for the incident, including the possible exploitation of the recently fixed CVE-2017-9805 Apache Struts vulnerability or a still unknown zero-day flaw.

Last week, security researchers with the firm Baird published a report that supported the thesis of the exploitation of a Struts vulnerability for the hack but did not specify which one was used by hackers.

Jeff Williams, CTO of Contrast Security, on Saturday, suggested the CVE-2017-5638 was likely the root cause of the Equifax dart breach.

“The first vulnerability from March seems much more likely because it’s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Williams wrote, “The process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,” Williams.

Last week, the U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to investigate the security breach and verify cybersecurity safeguards adopted by the company.

“The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,” Warner wrote, “In ways similar to the financial service industry’s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Struts CVE-2017-5638 RCE, Equifax)

[adrotate banner=”5″]

[adrotate banner=”13″]