[BreachExchange] Attackers Made 9, 000 Unauthorized Database Queries in Equifax Hack: Report

Mon Sep 10 21:24:56 EDT 2018

https://www.securityweek.com/attackers-made-9000-unauthorized-database-queries-equifax-hack-report

It took Equifax 76 days to detect the massive 2017 data breach,
despite the fact that attackers had conducted roughly 9,000
unauthorized queries on its databases, according to a new report from
the U.S. Government Accountability Office (GAO).

In mid-May 2017, malicious actors exploited a known vulnerability in
the Apache Struts development framework to gain access to Equifax
systems. The company said the breach affected roughly 145 million
customers – mostly in the U.S., but also in Canada and the United
Kingdom. The incident resulted in social security numbers, dates of
birth, email addresses, addresses, driver’s license numbers, payment
cards, dispute documents, and other data getting compromised.

Now, roughly one year after the breach came to light, the GAO
published a report detailing the Equifax breach. The agency’s report,
commissioned by several U.S. senators and representatives, is based on
documents from Equifax and the cybersecurity consultants called in by
the company following the breach, public statements filed by Equifax,
and documents from the Internal Revenue Service (IRS), Social Security
Administration (SSA), and U.S. Postal Service (USPS).

According to the GAO report, attackers started scanning Equifax’s
systems for the Struts vulnerability just a few days after the
existence of the security hole was made public. One of the affected
systems was an online dispute portal, on which the attackers gained
the ability to execute system-level commands. That enabled them to
start querying tens of databases in an effort to find personally
identifiable information (PII).

Equifax’s security systems not only failed to detect the Struts
vulnerability in the online portal, they also failed to detect the
attackers once they gained access.

The GAO says the hackers executed roughly 9,000 database queries, some
of which returned personal information. The breach was ultimately
detected by the company’s security team during routine checks.

“As reported by Equifax, a network administrator conducting routine
checks of the operating status and configuration of IT systems
discovered that a misconfigured piece of equipment allowed attackers
to communicate with compromised servers and steal data without
detection. Specifically, while Equifax had installed a device to
inspect network traffic or evidence of malicious activity, a
misconfiguration allowed encrypted traffic to pass through the network
without being inspected,” the GAO report reads.

The misconfiguration was caused by a digital certificate that had
expired 10 months before the breach occurred, which allowed the
attackers to run commands and exfiltrate data over an encrypted
connection without being detected.

The investigation that followed the breach also revealed that the
credit reporting agency had failed to implement proper network
segmentation, enabling malicious actors to access many databases
beyond those related to the online dispute portal that they initially
hacked.

Another problem highlighted in the report is related to the fact that
credentials for accessing multiple databases were stored without being
encrypted in one database that the attackers accessed.

The GAO pointed out that the 9,000 queries run by the attackers showed
the lack of restrictions for the frequency of database queries – the
number of queries conducted for normal operations would have been much
smaller.

The report notes that the IRS, SSA and USPS, which conducted their own
investigations into the incident, made some modifications to their
contracts with Equifax – they changed notification requirements for
future breaches – and the IRS even terminated one of its contracts.

However, following the GAO report, many rushed to point out that no
real actions were taken against Equifax.

The Consumers Union, the advocacy division of Consumer Reports, noted
that not much has changed since the incident became public.

“Americans remain largely in the dark about the practices of the
credit reporting industry—and, more generally, largely unable to
control the use of their personal information,” the organization said.
“Equifax itself has suffered minimal consequences and continues to do
business more or less as before. And the legal and regulatory system
governing the credit reporting industry and data security more broadly
remains inadequate, despite some recent progress.”

Senator Elizabeth Warren, one of the officials who commissioned the
GAO report and who a few months ago published a report of her own,
commented, “One year after they publicly revealed the massive 2017
breach, Equifax and other big credit reporting agencies keep profiting
off a business model that rewards their failure to protect personal
information - and the Trump Administration and Republican-controlled
Congress have done nothing.”