The flaw allowed the attacker to make a maliciously crafted request to an Apache web server and gain access the underlying machine.
The credit reporting agency confirmed that a total of 145.5 million individuals have been exposed, hackers accessed names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers and credit card numbers.
Now U.S. Government Accountability Office (GAO) published a report on the Equifax hack that includes further details on the incident. The report was commissioned by several U.S. senators and representatives, it is based on documents provided by Equifax itself and the cybersecurity consultants involved in the incident response and in the investigation. The reports also refers documents from the Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS).
The report confirms that hackers targeted Equifax exploiting the Struts vulnerability, they made a reconnaissance a few days after the Struts flaw was publicly disclosed.
The attackers breached an online dispute portal than queried internal databases in an effort to find personally identifiable information (PII).
“In July 2017, Equifax system administrators discovered that attackers had gained
unauthorized access via the Internet to the online dispute portal that maintained
documents used to resolve consumer disputes (see fig.). The Equifax breach
resulted in the attackers accessing personal information of at least 145.5 million
individuals.” states the report.
Equifax took 76 days to detect the massive 2017 data breach.
The experts highlighted that Equifax hack was the result of the failure of four major activities under the control of the security team, the identification, the detection, the segmenting of access to databases, and data governance.
The analysis of the log files revealed that attackers executed approximately 9,000 queries to access data containing PII.
9,000 queries run by the attackers is much more than the number of queries normally executes, highlighting the lack of control operated by the security team.
Equifax officials stated that the attackers were able to disguise their activity by blending in with regular network operations, the incident was detected by the security team during routine checks.
“As reported by Equifax, a network administrator conducting routine checks of the operating status and configuration of IT systems discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection.” continues the GAO Report.
“Specifically, while Equifax had installed a device to inspect network traffic or evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected,”
The root cause of the problem was a digital certificate that had expired 10 months before the Equifax hack occurred, this circumstance allowed the attackers to exfiltrate data without being detected because the system was not able to inspect the traffic.
“Equifax stated that the misconfiguration was the result of an expired digital certificate that had not been replaced with a new certificate. Digital certificates are encrypted electronic tokens that are used to authenticate servers and systems. Because this one was expired, the system was unable to inspect encrypted traffic. The network
administrator replaced the expired certificate, allowing the system to resume inspection of traffic.” continues the report.
The lack of network segmentation allowed the attackers to access many internal databases along with the one behind the online dispute portal, experts also pointed out the credentials for accessing multiple archives were stored in plain text in one database accessed by the hackers.
However, many experts criticized the US authorities because even after the publication of the GAO report no real actions were taken against Equifax.
“One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information – and the Trump Administration and Republican-controlled Congress have done nothing.” stated Senator Elizabeth Warren, one of the officials who requested the GAO report.