A US GOVERNMENT REPORT looking into the 2017 Equifax breach (PDF), in which the sensitive personal details of more than 145 million people were stolen, has uncovered evidence of a dysfunctional IT department that failed to take security seriously.
The report, by the Government Accountability Office (GAO), reveals that the attackers initially breached Equifax's online dispute portal, but were able to gain access to the organisation's database for a period of almost three months due to poor security, such as failing to identify software that needed to be patched and ensuring that critical security equipment was functioning properly.
The initial breach was due to the company failing to patch the Apache Struts 2 framework running on the online dispute portal. Evidence of a breach was only noticed by IT staff after a long-expired certificate on security equipment, which was supposed to be monitoring outbound encrypted traffic, was updated. The lack of a certificate meant that the device had effectively not been working for 10 months.
"On March 10, 2017, unidentified individuals scanned the company's systems to determine if the systems were susceptible to a specific vulnerability that the United States Computer Emergency Readiness Team (US-CERT) had publicly identified just two days earlier. The vulnerability involved the Apache Struts Web Framework and would allow an attacker to execute commands on affected systems," the report explains.
"Equifax officials stated that, as a result of this scanning, the unidentified individuals discovered a server housing Equifax's online dispute portal that was running a version of the software that contained the vulnerability.
"Using software they obtained from an unknown source and that was designed to exploit the vulnerability, the unidentified individuals subsequently gained unauthorised access to the Equifax portal and confirmed that they could run commands. No data was taken at this time…
"Beginning on 13 May 2017, in a separate incident following the initial unauthorised access, attackers gained access to the online dispute portal and used a number of techniques to disguise their activity."
The attackers used encryption, which should have monitored, in order to disguise their activity and surreptitiously exfiltrate the records.
"Equifax officials added that, after gaining the ability to issue system-level commands on the online dispute portal that was originally compromised, the attackers issued queries to other databases to search for sensitive data.
"This search led to a data repository containing PII [personally identifiable information], as well as unencrypted usernames and passwords that could provide the attackers access to several other Equifax databases."
As a result of Equifax storing usernames and passwords unencrypted on the network, the attackers were easily able to extend their attack beyond the three databases supporting the dispute resolution portal to 48 other unrelated databases.
"After reviewing system log files that recorded the attackers' actions, Equifax officials determined that the attackers then ran a series of queries in an effort to try to extract PII from the databases they had located. Altogether, the attackers ran approximately 9,000 queries, a portion of which successfully returned data containing PII…
"After successfully extracting PII from Equifax databases, the attackers removed the data in small increments, using standard encrypted web protocols to disguise the exchanges as normal network traffic. The attack lasted for about 76 days before it was discovered."
The attack was only uncovered by a network administrator "conducting routine checks of the operating status and configuration of IT systems [who] discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection".
Specifically, as a result of that misconfiguration - a security certificate that had expired ten months earlier - encrypted traffic was not being inspected as it should have been, and the malicious traffic was therefore not detected.
"After the misconfiguration was corrected by updating the expired digital certificate and the inspection of network traffic had restarted, the administrator recognised signs of an intrusion, such as system commands being executed in ways that were not part of normal operations."
It was only then that the company belatedly started to address the attack, but didn't know how much data had been taken, nor how the breach had occurred. However, log files hadn't been altered by the attackers and IT forensics experts were able to piece together the attack, step-by-step. On 2 August 2017, Equifax finally got round to notifying the FBI of the breach.
According to the report, the Apache Struts vulnerability was not properly identified as running on the online dispute portal when patches for the vulnerability were installed throughout the rest of the company. Furthermore, databases were not properly segmented, enabling the attackers to access multiple databases during the attack.
And data governance was also woeful - especially the storage of unencrypted credentials for internal databases.
"Equifax officials noted one other factor that also facilitated the breach. Specifically, the lack of restrictions on the frequency of database queries allowed the attackers to execute approximately 9,000 such queries - many more than would be needed for normal operations." µ
Larry Ellison pays tribute to an 'irreplaceable friend'
The way we found out may surprise you
Air to the throne
Wonder who will get 999.999.999.999