The Equifax breach was one of the largest and most impactful breaches of recent years, and I just wanted to take a quick look at it since I discovered that lawmakers had released a PDF report detailing exactly how they were hacked.
Among other things that this report highlights, it looks at how Equifax turned down help from the DHS, and instead went to a private third-party cyber-security company. This isn’t abnormal, but having more than one party check your security, especially when it’s the DHS, can’t hurt one bit.
Above you’ll see a chart that describes how Equifax was breached. The main vulnerability that was used was already known, and US-CERT had warned the public about it. For some small businesses, emergency patches like this may not get applied for a while due to negligence or simply not knowing the warning had been posted. But when you’re a company as big as Equifax, handling the sensitive data that they have, there is no excuse for a vulnerability to stay open that long after a warning. Something that critical should have been patched straight away.
Get this though: the Apache Struts vulnerability that was used was months old. They knew about it, but just failed to fix it. Using the vulnerability, the attackers gained access to login credentials for three of their servers, and from there, using the same credentials (c’mon guys), they accessed another 48 servers. These servers contained the personal information that was affected.
From there, the attackers stole bits of data from 51 databases ever so slowly, so as not to set off any red flags. This process took around 76 days. The breach wasn’t discovered until July 29th, and the attackers had their access terminated on July 30th.
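The slow trickle described above is exactly what a per-transfer threshold misses: no single transfer is large enough to trip an alert, but the total over weeks is enormous. Below is an added example (not from the original post or the congressional report) that runs two detection rules over constructed flow records: a naive per-transfer size alert, and a trailing-window rule that compares each host's 7-day egress with the fleet median. The host names, dates, byte counts and thresholds are all made up for the illustration.

```python
"""Low-and-slow exfiltration detection on constructed flow records.

Records are (day, host, bytes_out) tuples. Four hosts send ordinary egress;
one host ("db-07") additionally sends a dozen small transfers every day.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MB = 1_000_000


def build_sample_flows(days=76, start=date(2024, 1, 1)):
    """Constructed sample data (not real traffic). Every host sends exactly
    three ordinary transfers per day totalling just under 3 MB; db-07 adds
    twelve 0.5 MB chunks per day, so no single transfer looks unusual."""
    flows = []
    hosts = ["db-01", "db-02", "db-03", "db-04", "db-07"]
    for d in range(days):
        day = start + timedelta(days=d)
        for i, host in enumerate(hosts):
            for k in range(3):
                # (d+i+k) % 3 cycles 0,1,2 so the three transfers sum to 2,999,999 bytes
                flows.append((day, host, (2 * MB + (d + i + k) % 3 * MB) // 3))
            if host == "db-07":
                for _ in range(12):
                    flows.append((day, host, MB // 2))  # the exfil trickle
    return flows


def per_transfer_alerts(flows, threshold=50 * MB):
    """Naive rule: alert on any single transfer larger than `threshold`."""
    return sorted({host for _, host, b in flows if b > threshold})


def daily_egress(flows):
    """host -> day -> total bytes sent that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, b in flows:
        totals[host][day] += b
    return totals


def sliding_window_alerts(flows, window=7, factor=2.5):
    """Flag each host on the first day its trailing `window`-day egress
    exceeds `factor` times the fleet median for the same window.
    Returns host -> (day first flagged, window total in bytes)."""
    totals = daily_egress(flows)
    days = sorted({day for day, _, _ in flows})
    alerts = {}
    for idx in range(window - 1, len(days)):
        span = days[idx - window + 1 : idx + 1]
        window_totals = {
            h: sum(totals[h].get(d, 0) for d in span) for h in totals
        }
        baseline = median(window_totals.values())
        for h, t in window_totals.items():
            if h not in alerts and t > factor * baseline:
                alerts[h] = (days[idx], t)
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-transfer rule:", per_transfer_alerts(flows))
    for host, (day, total) in sliding_window_alerts(flows).items():
        print(f"window rule: {host} flagged on {day} ({total / MB:.1f} MB / 7 days)")
```

The per-transfer rule never fires, because the largest single transfer in the sample is about 1.3 MB. The window rule flags db-07 on the seventh day, long before 76 days have elapsed; in practice the baseline would come from each host's own history rather than the fleet median, but the point is the same: egress has to be aggregated over time, not inspected one transfer at a time.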
In more recent news, Equifax has spent over $200 million on cyber security and has a new CISO. The company is attempting to make sure a breach like the one they suffered never happens again. It’s never too late to put money into cyber security for your company, but why wasn’t this done beforehand? Why weren’t the proper steps taken to ensure their critical infrastructure was secured?
The Justice Department has charged four members of the Chinese military with the hack, and it’s amazing that they were even able to come up with names. I, myself, am extremely interested in how they were able to track the culprits down. These attackers had access to the Social Security numbers, birth dates, and more, of about 145 million people. Of course, the Chinese Foreign Ministry is completely denying the charges.
Apparently officials have stated that these hackers covered their tracks by routing traffic through 34 servers in 20 countries to hide their location, used encrypted channels to communicate, and wiped the logs they left behind. What I’m really looking forward to is the in-depth forensic report of how they tracked these guys down. I’ve gone through the indictment fully, and it gives away some info, but not much, especially when it comes to how the U.S. got the server logs/records off of Taiwanese servers that the hackers almost definitely were cleaning constantly (maybe they weren’t?).