Company tried to find and patch vulnerable systems, but we know what happened next
Equifax’s chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.
The retirements and more details about the company’s mega-breach are revealed in a new entry to equifaxsecurity2017.com/ in which the company describes what it knew, when it knew it, and how it responded.
The update reveals that the attack hit the company’s “U.S. online dispute portal web application” and that the source of its woes was CVE-2017-5638, which “allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.” Equifax acknowledges that the bug was disclosed in early March 2017.
The next point on the company’s list says “Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
But elsewhere in the statement, Equifax just-about-confesses that those efforts either missed the Struts implementation or failed to patch it properly. The key passages explain that the company “observed suspicious network traffic” on July 29th, “continued to monitor network traffic and observed additional suspicious activity” on the 30th and “took offline the affected web application that day.”
It was only then on the 30th that “Equifax patched the affected web application before bringing it back online.”
The statement leaves many questions unanswered. The phrase “aware of this vulnerability at that time” could mean anything, perhaps even something as trivial as a single email reaching an inbox in Equifax’s security team. The words “took efforts to identify and patch vulnerable systems” don’t definitively say whether Struts was identified as vulnerable or whether an attempt was made to patch it. Indeed, the company’s statement goes on to say “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available.”
That review is being conducted with security outfit Mandiant, which the new statement says was engaged on August 2nd. The new update also reveals that news of the breach was kept from the public until “As soon as the company understood the potentially impacted population”.
The company says its investigations are ongoing and that it continues to assist the FBI with its probe into the matter.
Which means lots of fun for new interim CIO Mark Rohrwasser and interim chief security officer Russ Ayres. Good luck, gents, it looks like you’ll need it! ®