Equifax Breach Due to Not Patching Critical Apache Struts 2 Flaw
Posted by: Jon Ben-Mayor on 09/14/2017 08:26 AM
Everyone at this point has heard about the major Equifax breach: the intruders were inside from mid-May, Equifax discovered them in July, and the company only divulged it earlier this week, with the personal data of potentially 143 million people compromised. As if that were not enough, there were the epic website failures by Equifax in the following days, as well as the questionable sale of stock by executives days "before" the discovery of the breach.
All that is bad enough, but what makes it worse is that it was avoidable had they patched the flaw in the Apache Struts framework. The flaw was rated critical with the maximum CVSS score of 10.0. According to The Hacker News, the Apache Struts 2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6, 2017, with the release of Apache Struts 2.3.32 and 2.5.10.1. That means a patched release had been available for just over two months before the attackers got in, and Equifax left the exploitable flaw in place the whole time. Sigh.

Equifax released the following statement on their web page, which reads:
"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted," the company officials wrote in a new update on the website, "A Progress Update for Consumers."
"We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."
For those unfamiliar with Apache Struts 2, here are the details: it is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. The WebWork framework spun off from Apache Struts, aiming to offer enhancements and refinements while retaining the same general architecture as the original Struts framework. In December 2005 it was announced that WebWork 2.2 would be adopted as Apache Struts 2, which reached its first full release in February 2007.
The issue in this particular travesty (Apache advisory S2-045) was a remote code execution bug in the Jakarta Multipart parser of Struts 2. When the parser rejected a malformed Content-Type header it built an error message containing the attacker-supplied header value, and Struts then evaluated that message as an OGNL expression, so one crafted HTTP request was enough to run commands on the server with the privileges of the web application; no file actually had to be uploaded. Apache rated the issue Critical, said plainly that remote code execution was possible, and, for anyone who could not upgrade at once, described a workaround: a servlet filter that discards any request whose Content-Type is not a normal multipart value. Those warnings were ignored, at our expense.
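As an added example (not code from the article, from Apache, or from Equifax), here are the two checks a defender would run for this flaw, serving both the patch-level point above and the description of the parser bug: a version check of deployed struts2-core jars against the fixed releases named in the advisory (2.3.32 and 2.5.10.1), and a scan of raw request header blocks for the signature of the attack, an OGNL expression delimiter (`%{` or `${`) inside the Content-Type header, which is the same condition the advisory's workaround filter was meant to reject. The jar listing and request records are constructed for illustration, and the function names are my own.

```python
"""Defender-side checks for CVE-2017-5638 (Apache Struts 2, S2-045).

Added example, not taken from the article or the Struts project. The
sample jar listing and HTTP requests below are constructed.
"""
import re

# Fixed releases named in the Apache advisory, keyed by release branch.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Matches the struts2-core jar in a WEB-INF/lib listing and captures its version.
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

# OGNL expressions are delimited by %{...} or ${...}. Neither belongs in a
# media type, so either one in a Content-Type header is the attack signature.
OGNL_DELIMITER = re.compile(r"[%$]\{")


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_struts_version_fixed(version):
    """True if this struts2-core version is at or above the fixed release on
    its branch. Branches the advisory does not name (anything other than
    2.3.x and 2.5.x) raise, because they need a manual check, not a guess."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        raise ValueError(f"no fixed release known for {version!r}; check the advisory")
    return parsed >= fixed


def audit_jars(jar_names):
    """Verdict per struts2-core jar found in a deployment listing.
    Jars that are not struts2-core are skipped."""
    verdicts = {}
    for name in jar_names:
        match = JAR_NAME.search(name)
        if match:
            fixed = is_struts_version_fixed(match.group(1))
            verdicts[name] = "fixed" if fixed else "VULNERABLE"
    return verdicts


def content_type_of(raw_request):
    """Content-Type value from a raw HTTP header block, or None.
    Header names are matched case-insensitively, as HTTP requires."""
    for line in raw_request.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None


def find_suspicious_requests(raw_requests):
    """Request lines of all requests whose Content-Type carries an OGNL
    delimiter. A servlet filter implementing the advisory workaround would
    reject exactly these."""
    flagged = []
    for raw in raw_requests:
        ctype = content_type_of(raw)
        if ctype is not None and OGNL_DELIMITER.search(ctype):
            flagged.append(raw.split("\r\n", 1)[0])
    return flagged


# Constructed sample data: one unpatched and one patched Struts jar, plus
# three requests, one of them carrying an inert OGNL expression in the
# Content-Type header where a media type should be.
SAMPLE_JARS = [
    "WEB-INF/lib/struts2-core-2.3.31.jar",
    "WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "POST /login.action HTTP/1.1\r\nHost: example.test\r\n"
    "content-type: %{(1+1)}\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    print(audit_jars(SAMPLE_JARS))
    print(find_suspicious_requests(SAMPLE_REQUESTS))
```

The sample expression `%{(1+1)}` is deliberately inert; the headers used in real attacks also contained the literal text `multipart/form-data` so that Struts would route the request to the multipart parser at all, which is why a filter that merely checks for that substring is not enough and the advisory's workaround rejects anything that is not a well-formed multipart value. The version check is only as good as the jar you inspect: a shaded or renamed copy of struts2-core will not match `JAR_NAME` and must be located by hand.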
So going forward Equifax wants you to protect yourself via their site. Fool me once... We have had some experience (as most probably have) with attempting to navigate the somewhat phishy-looking Equifax page. And at one point during the first few days after the news broke, we entered false info six separate times (just out of curiosity) and received a different answer each time on whether or not we had been affected. Your best bet is probably to err on the side of caution, assume that you have been affected, and take appropriate steps to protect yourself. Personally, I opted to do credit freezes rather than set up credit monitoring through the company that already failed fantastically, but that's me. Credit Karma does a good job of monitoring your reports and provides various other services as well.
Here are the direct numbers for those wishing to do credit freezes. Some states have a charge associated with activating, lifting, and removing a credit freeze and are listed on each of their pages. Colorado, Indiana, Maine, New Jersey, New York, North Carolina and South Carolina are the only states that do not have a fee to place a credit freeze.
Equifax: 1-800-349-9960 or https://www.freeze.equifax.com/
Transunion: 1-888-909-8872 or https://freeze.transunion.com/
Experian: 1-888-397-3742 or https://www.experian.com/ncaconline/freeze
The two below are important as well and often overlooked for the more (in)famous "top three."
Innovis: 1-800-540-2505 or https://www.innovis.com/securityFreeze
ChexSystems: 1-800-887-7652 or 1-888-478-6536 or https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/placefreeze/
Feel free to verify them before using - we understand and won't be offended.
Good luck, everyone.
Source: The Hacker News