SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Equifax and its 143m customers just the ‘first known victims’
Tue, 19th Sep 2017
FYI, this story is more than a year old

​The colossal breach in Equifax's soft underbelly has made headlines around the world of late, largely because of the monumental amount of personal data involved – up to 143 million customers.

It has now been revealed the most likely route cybercriminals used to gain access to the honeypot, exploiting an Apache Struts CVE-2017-5638 vulnerability.

The stolen data may include Social Security numbers, birth dates, driver's licenses, addresses and 209,000 credit card numbers – all of which may now be putting these people at identity theft risk for the rest of their lives.

What's even more concerning though, is that Flexera asserts that not only was the vulnerability well-known, but a patch was available long before the attack.

Flexera says Apache Struts is a popular and widely-used open source component used by companies in commercial and in-house systems to take in and serve up data, making it a prime target for cybercriminals.

The suspected vulnerability was disclosed on March 7 and the patch was available at the same time – but this is not a novelty, as Flexera asserts the availability of patches at the time of disclosure of vulnerabilities is actually very common.

A study from Flexera found that in 2016, patches were available at the time of disclosure for a staggering 81 percent of vulnerabilities.

The real problem comes down to the simple fact that it takes users substantially longer to patch vulnerabilities than it does for hackers to start exploiting them – WannaCry anyone? Organisations continue to leave their windows wide open for hackers to climb in.

In the Equifax case, the company has identified the breach and is taking care of it. However, vice president of product management at Flexera, Jeff Luszcz says they are probably just the first known victims.

“Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities,” says Luszcz.

“We should expect a long tail of incidents and breaches in the months – and potentially years – to come. As we still see attacks targeting Heartbleed, a vulnerability more than three years old.

If nothing else, this massive breach serves as a vital reminder for business leaders to radically rethink their vision of cybersecurity as the incidents we see increasingly reveal the neglection of basic security best practices – making the job easy for hackers and hard for security professionals.

Senior director of Secunia Research at Flexera, Kasper Lindgaard says patching this type of vulnerability is certainly not as simple as patching a desktop application, but it's certainly something business leaders need to address sooner rather than later.

“When it comes to vulnerabilities affecting the software supply chain, it's important to align software design and engineering, operational and security requirements. This isn't an easy task,” says Lindgaard.

“However, the time frames of initial disclosure of the vulnerability and its patch on March 7 – up to two months before the first reported unauthorized access at Equifax, and the further delay of the actual detection of the breach on July 29 – currently indicates that the vulnerability was not handled with the priority that it should have.