[BreachExchange] Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup

Inga Goddijn inga at riskbasedsecurity.com
Fri Sep 15 09:56:45 EDT 2017


https://www.riskbasedsecurity.com/2017/09/equifax-breach-ambulance-chasing-fireeye-and-a-news-roundup/

This is the fifth blog in the running series on the Equifax data breach.

   1. Equif*@#$d: Equifax Breach Response Off To A Rough Start
   <http://www.riskbasedsecurity.com/2017/09/equifd-equifax-breach-response-off-to-a-rough-start/>
   2. Equifax Breach: Legal, Vulnerability Blame Game, and the Big
   Technical Debacle
   <http://www.riskbasedsecurity.com/2017/09/equifax-breach-legal-vulnerability-blame-game-and-the-big-technical-debacle/>
   3. Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
   <http://www.riskbasedsecurity.com/2017/09/equifax-breach-eulas-size-doesnt-matter-and-wheres-the-data/>
   4. Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
   <http://www.riskbasedsecurity.com/2017/09/equifax-breach-the-bigger-picture-identity-impact-and-advice/>
   5. Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
   <http://www.riskbasedsecurity.com/2017/09/equifax-breach-ambulance-chasing-fireeye-and-a-news-roundup/>

------------------------------
As you might expect, many in the technology field have already received
marketing mails from security companies claiming that their technology or
solution would have stopped the Equifax breach if they had been involved.
Even before we actually knew 100% how Equifax was breached (it had not yet
been confirmed it was in fact an unpatched Apache Struts vulnerability),
the emails stated that their technology could have stopped it.

The most curious of these types of emails are when other service providers
that are not associated with Equifax feel the need to email their
customers. In one case, LastPass emailed to say they aren’t affected but
shared the Equifax press release. It has prompted some to ask, “why tf is
LastPass emailing me to tell me my LastPass account isn’t affected by the
Equifax breach?” One journalist describes the ambulance chasing emails to
number in the hundreds. And to be clear, while this is the most recent spam
wave, this isn’t the first time we have seen a major breach being used as a
marketing campaign. We all remember the numerous emails going around
claiming that this or that security product would have stopped even the
Snowden leaks!

How Equifax Was Breached

After speculation and unfounded claims, Equifax has officially confirmed
that an Apache Struts flaw was in fact used to compromise them in this
breach. As suspected, it was not one of the Struts vulnerabilities
disclosed this month, but rather ‘Struts-Shock’ (CVE-2017-5638), disclosed in
March 2017. While some will be eager to say “told you so”, there is still a
lot more to consider.

First, we should not yet believe that only one individual or group
exploited the vulnerability and grabbed the data. With an Internet facing
server vulnerable to a high-profile vulnerability with public exploit code,
we have to assume that there is the potential that more than one party
exploited it. Equifax says that they discovered the breach on July 29th,
but we know that the Struts-Shock exploit code was published on March 9th.
That means that Equifax left the vulnerability unpatched for as many as 142
days after working exploit code was public. We don’t know whether it was
patched and the breach noticed afterwards, or whether the breach was noticed
and the vulnerability patched as a result.
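As an added example (not code from the original post or from RBS), the following Python checks two things the paragraph above raises: it recomputes the exposure window from the dates the post cites, and it scans raw HTTP requests for the indicator that defines a CVE-2017-5638 attempt, an OGNL expression delimited by `%{...}` or `${...}` placed in the Content-Type header (Struts advisory S2-045) or, in the S2-046 variant covered by the same CVE, in a multipart part's Content-Disposition or Content-Length. The sample requests are constructed for illustration and are not Equifax traffic; the set of headers checked and the list of corroborating tokens are this example's own choices, not anything the post states.

```python
"""Added example: indicators of CVE-2017-5638 ("Struts-Shock") attempts.

Not code from the original post. CVE-2017-5638 is triggered by an OGNL
expression, delimited by %{...} or ${...}, smuggled into the Content-Type
header (Struts advisory S2-045) or into a multipart part's
Content-Disposition / Content-Length (S2-046, same CVE). The scanner below
looks for that delimiter after bounded percent-decoding. Sample requests are
constructed for illustration; they are not real Equifax traffic.
"""
import re
from datetime import date
from urllib.parse import unquote

# Dates as given in the post: public exploit code vs. Equifax's discovery.
STRUTS_SHOCK_EXPLOIT_PUBLISHED = date(2017, 3, 9)
EQUIFAX_DISCOVERY = date(2017, 7, 29)

# Headers that carried the OGNL payload in S2-045 / S2-046 (example's choice).
HEADER_RE = re.compile(
    r"^(Content-Type|Content-Disposition|Content-Length):[ \t]*(.*)$",
    re.IGNORECASE | re.MULTILINE,
)
OGNL_DELIM_RE = re.compile(r"[%$]\{")
# Tokens that frequently appear in public S2-045 payloads (example's own list).
CORROBORATING = ("#_memberAccess", "ognl.OgnlContext", "@java.lang", "#context")

# Constructed samples: 0 = benign upload, 1 = S2-045 style header,
# 2 = percent-encoded variant, 3 = S2-046 style multipart part header.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "POST /index.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}\r\n\r\n",
    "POST /index.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %25%7B(%23_%3D'multipart/form-data')%7D\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n"
    "------abc123\r\n"
    "Content-Disposition: form-data; name=\"upload\"; "
    "filename=\"%{(#probe='s2-046')}\"\r\n"
    "Content-Type: text/plain\r\n\r\nhello\r\n------abc123--\r\n",
]


def exposure_window_days(start=STRUTS_SHOCK_EXPLOIT_PUBLISHED, end=EQUIFAX_DISCOVERY):
    """Days between public exploit code and discovery: 142 for the post's dates."""
    return (end - start).days


def normalize(value, rounds=3):
    """Percent-decode repeatedly (bounded) so that %25%7B is seen as %{."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(raw):
    """Return one finding per Content-* header (request or multipart part)
    whose decoded value contains an OGNL delimiter."""
    findings = []
    for match in HEADER_RE.finditer(raw):
        name, value = match.group(1), match.group(2).rstrip("\r")
        decoded = normalize(value)
        if OGNL_DELIM_RE.search(decoded):
            findings.append({
                "header": name,
                "value": value[:80],
                "corroborating": [t for t in CORROBORATING if t in decoded],
            })
    return findings


if __name__ == "__main__":
    print(f"exploit code public -> breach discovered: {exposure_window_days()} days")
    for i, req in enumerate(SAMPLE_REQUESTS):
        for f in scan_request(req):
            print(f"request {i}: suspicious {f['header']} "
                  f"(corroborating: {f['corroborating'] or 'none'})")
```

The delimiter is the hard indicator: a legitimate Content-Type or Content-Disposition value never contains `%{` or `${`, so a match on the decoded value is worth an alert on its own, and the corroborating tokens only help triage. Because request 2 only matches after one round of percent-decoding, a scanner that looks at the raw header string alone would have missed it.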

Second, there has been more fallout on the topic of Equifax’s digital
security hygiene and footprint. Per Twitter user ‘ThreatPinch’, at least
135 IP addresses belonging to Equifax are still affected by the HeartBleed
vulnerability which was disclosed on April 7, 2014. If Equifax has that
many public-facing servers still unpatched against a three-year-old
vulnerability, we have to assume that whoever is responsible for the latest
breach is not the only one in, and that the club is not very exclusive.
Brian Krebs reports that an Equifax employee portal for managing credit
disputes in Argentina had to be shut down yesterday because it used a login
and password of ‘admin’. Last, in looking at our own Cyber Risk
Analytics ratings for Equifax, they have been rated below a full star for
well over a year. We take data from numerous sources to calculate a rating
which can be used to better understand the cyber hygiene of an organization
and the likelihood of a future data breach. Given everything that we know
and can easily see about their history, it isn’t a shock that Equifax has
had yet another data breach.

Regardless of the subsequent fallout, it is absolutely great that the
public knows how Equifax was compromised. That is a missing bit of
information in a large majority of breaches, yet one data point that could
better help other companies know which vulnerabilities are being actively
targeted, and help prioritize remediation efforts.

Curious Relationship Between FireEye/Mandiant and Equifax

Finally, ZDNet reports that Equifax has enlisted FireEye-owned Mandiant for
its incident response to this breach. This is another curious move since
Equifax’s CSO was quoted in 2012 saying that “zero-day and targeted attacks
that evade some of the simpler defenses are where you are going to need a
next-generation product [..] by far, FireEye detected and kept us secure
from these issues.” In fact, this statement was part of a FireEye
whitepaper that was advertised on their site and has since been quickly
removed after news of the breach hit.


While we can only assume that Equifax is still using FireEye products, it
does raise an eyebrow about the effectiveness of a product or the
deployment when it boasts about stopping “zero-day and targeted attacks”
but somehow misses a public remote code execution flaw in a highly deployed
web framework.

If that wasn’t enough oddity for one blog update, Twitter user ‘x0rz’
pointed out that a Mandiant employee appears to have registered “equihax.com”
two days before Equifax announced the breach publicly. The website
currently has nothing on it, but the domain registration does in fact show it is
registered to a “Brandan Schondorfer”, whose LinkedIn profile is now
returning a 404. But we can see that Google shows that he is an incident
response consultant at Mandiant (a FireEye Company).


As we continued poking around Google looking at the cached profile, we
stumbled across something else interesting! While Brandan’s cached LinkedIn
profile currently does not exist anymore, we were able to find his current
profile since the LinkedIn URL has the same identifier “44933668” in it. It
appears that Brandan has recently renamed his LinkedIn profile to drop his
last name.


Additionally, it seems that Brandan has removed his Twitter account as well
as what may be his Facebook account (but oddly, not his MySpace or
SoundCloud pages!).


It’s difficult to say why a Mandiant employee would register that domain
without anonymous registration, especially ahead of the public
announcement, when Equifax is a customer of theirs. Some have stated that
it was possibly to prevent phishing domains from being registered. Others
have also jumped in and agreed that Brandan was just performing a
rear-guard action, buying up all the domains that others may use to mock
Equifax for the breach. But it was also mentioned that he was sloppy by
registering under his own name and is probably being mocked at work by his
peers as this move required Equifax to disclose who they were using for the
incident response.

Regardless of whether this was a Mandiant-sanctioned domain registration,
based on the name change in the LinkedIn profile and what appears to be the
removal of other social media accounts, it seems that the mistake has been
realized.

While this may seem off topic, a key question for any data breach is when
the affected organization actually learned of the issue and when it engaged
outside assistance. As one would expect, we can now say with some degree of
certainty that FireEye was engaged before the announcement and assisted with
the initial assessment.

Update Roundup

Five days after any news-saturating breach, we typically get to a point
where many of the prior topics covered in this blog begin to be examined in
more detail. Like loose threads, various people will follow them and cover
each in greater detail, examine additional points, and explore new ideas on
the topics. It is easy to go down these rabbit holes because there is often
promise of interesting and impactful observations that can help us better
understand the situation. Rather than try to visit each of these rabbit
holes, we’d like to share some of the updates and new developments in a
more succinct manner:

Zeynep Tufekci has written an opinion piece titled “Equifax’s Maddening
Unaccountability” for the NYTimes that may echo sentiments from many of
those impacted.

Richard Blumenthal, a Senator from Connecticut, has written an open letter
(PDF) to the CEO of Equifax strongly recommending they offer a better
response to those affected, including longer credit monitoring, waiving all
fees, and more.

In response to the Consumer Financial Protection Bureau (CFPB), the
Consumer Data Industry Association (CDIA), on behalf of Equifax, pressed
regulators to remove parts of the regulations that better protect victims
of data breaches. Some are speculating that with the CFPB investigating
Equifax after the breach, it may influence the deregulatory efforts.
Ultimately, all of this may end up landing at the feet of the President
and Congress.

The Dark Web site claiming to sell the Equifax data has been shut down
after researchers exposed information about it.

According to Will Long, Experian is airing a commercial for an information
privacy product during an NFL game… days after the Equifax breach
announcement.

Brian Schatz observes that if half of those impacted by the Equifax breach
sign up for a credit freeze, then Equifax will make ~$700 million on the
fees to do so.

After public pressure, Equifax quickly removed fees for victims asking for
a credit freeze.

A chat bot (software designed to walk you through a task, e.g. technical
support) originally built to help with contesting parking tickets in court
has been repurposed to help you sue Equifax for up to $25,000 without
hiring a lawyer. Welcome to the future!

After the breach, “Standard & Poor’s has placed Equifax’s credit rating on
outlook ‘negative’” according to TheStreet.

Prior to the disclosure of the data breach, Equifax’s market value stood at
$17.2 billion. Its market cap has since declined by about $4.9 billion, to
$12.3 billion.

Equifax CEO Richard Smith will testify before a special House panel about
the Equifax security breach on October 3.

As always, RBS will continue to monitor the news and fallout from this
breach.