Equifax's May Mega-Breach Might Trace to March HackIntrusion Eyed as Beachhead for Theft of 143 Million US Consumers' Data
Hackers responsible for the mega-breach at Equifax may not have penetrated its systems in May, as the credit bureau previously stated, but rather in March, after which they roamed through the companies' systems, undetected for four months.
"Our investigation determined that an actor interacted with our server on March 10, 2017, as part of a common pattern of probing of systems on the internet to find vulnerabilities, which Equifax like other companies face repeatedly every day," an Equifax spokeswoman tells Information Security Media Group.
"In this case, the actor issued a 'whoami' command," she says, referring to a Unix command that in this case would have revealed the username attached to a compromised account.
Equifax had previously disclosed that it discovered the breach on July 29, and that the intrusion was blocked - and the vulnerability in its Apache Struts web application framework patched - the next day. Shortly thereafter, it hired FireEye's Mandiant incident response group to investigate (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
Equifax last week said that it "believes the unauthorized accesses to certain files containing personal information" ran from May 13 to July 30.
The hack of Equifax resulted in one of the biggest breaches ever seen of personal data on U.S. consumers. The FBI is investigating the breach, while the Federal Trade Commission is investigating Equifax itself, and the Securities and Exchange Commission has launched an insider trading probe after three executives sold stock collectively worth about $2 million follow the breach, but before Equifax revealed it publicly.
On Sept. 7, Equifax issued it first public notification about the breach. According to the most recently released details, 143 million U.S. consumers' names, Social Security numbers, birthdates, addresses - and in some instances driver's license numbers - were exposed, as well as 209,000 of their credit card numbers and additional personal information relating to 182,000 consumers. Numerous British and Canadian consumers were also affected.
The credit reporting agency says that the hacker activity spotted on March 10 may not relate to the May data theft that resulted in its mega-breach. "There is no evidence that this probing or any other probing was related to the access to sensitive personal information that began on May 13," the spokeswoman says. "This is completely consistent with what Equifax has previously released on the cybersecurity incident reported on Sept. 7, 2017, specifically that no personal information was accessed prior to May 13, 2017."
Building a Beachhead?
But the discrepancy between the initial intrusion in March and the data theft recorded in May could represent the time required to quietly reconnoiter Equifax's systems.
"Typically, you first build out a beachhead so that it's difficult to get kicked out," Johannes Ullrich, dean of research with the SANS Technology Institute, tells the Wall Street Journal.
It's also possible that whoever first hacked Equifax then sold that access to one or more other criminal groups. Hackers created about 30 web shells - a script that provides persistent silent, remote access to a machine - then "remotely accessed" Equifax systems from approximately 35 "distinct public IP addresses," according to a report from Mandiant that Equifax distributed to some customers last week, and which was seen by the Wall Street Journal.
A spokeswoman for FireEye said the company couldn't comment on the report.
The report says the identity of the hackers remains unknown, because Mandiant had not been able to attribute the breach to any "threat group actor" it currently tracks. Nor did the "tools, tactics and procedures" used overlap with those seen in previous investigations by the firm, the findings reportedly say.
The timing of Equifax's March 10 intrusion places it just two days after Cisco published research warning of a major flaw in the enterprise platform. That followed Apache on March 6 issued an emergency security update that users could install to patch the flaw, which was already being exploited via active attacks (see Apache Struts 2 Under Zero-Day Attack, Update Now).
Equifax last week said in a statement that its security team "took efforts to identify and to patch" all of the company's Apache Struts implementations.
The confidential report Equifax distributed to some customers, including financial firms, included a cover letter, dated Tuesday, Sept. 19, that was signed by the company's new CIO, Mark Rohrwasser, and new CSO, Russ Ayres, the Wall Street Journal reports. Both of those executives assumed their positions Friday, when Equifax announced the retirement of the previous executives (see More Questions Raised After Equifax CIO, CSO 'Retire').
In a report released earlier this year, FireEye said it found that, on average, a breached organization takes 100 days to discover that it's been breached. In Equifax's case, however, the company took 141 days.
Equifax also says its mega-breach is separate from a smaller breach that affected its TALX payroll services subsidiary. In March, Equifax began notifying some TALX users that attackers had been able to spoof its web-based portal and gain a copy of their W-2 form - used for filing U.S. income tax returns, and often sought by fraudsters to file fake returns. Equifax says unauthorized access incidents occurred between April 17, 2016, and March 29, 2017 (see Equifax Disputes Report of Undisclosed Breach From March).
Equifax continues to face increased pressure as a result of the mega-breach, including numerous class-action lawsuits in the United States and Canada, Congressional probes, investigations by 40 or more states' attorneys general, plus the FTC and SEC investigations (see Top Democrat Likens Equifax to Enron as FTC Launches Probe).
Equifax's share price has lost about one-third of its value since its Sept. 7 breach announcement.
On Tuesday, Massachusetts Attorney General Maura Healey filed a lawsuit against Equifax.
"We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly 3 million Massachusetts residents safe from hackers," Healey says. "We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again."
Sen. Elizabeth Warren, D-Massachusetts, says that the "Equifax hack is a nightmare." She and some of her Democratic peers in the Senate have introduced a bill requiring all credit agencies to provide free credit freezes to any U.S. consumer, on demand, to help prevent fraudsters from using their exposed details.
Warren, who helped establish the Consumer Financial Protection Bureau in 2011 - in the wake of the 2007 financial crisis - says Equifax executives, including CEO Richard Smith, will likely face no fallout despite having been at the helm during one of the worst data breaches in history
"So long as there is no personal responsibility when these big companies breach consumers' trust, let their data get stolen, cheat their consumers, like they did in the case of Wells Fargo, then nothing is going to change," Warren told CNBC on Tuesday (see Despite Breaches, Yahoo CEO Gets Golden Parachute).
Meanwhile, New York's governor, Andrew M. Cuomo, has proposed legislation that would require that all credit agencies - Equifax, Experian, TransUnion - comply with the New York Department of Financial Services cybersecurity regulation. Under his proposal, violators could be blocked from being allowed to do business with, or gather and store any data on, New York state residents.
British Breach Victims
Beyond U.S. consumers, Equifax says its mega-breach also exposed personal information on about 400,000 British consumers that it was inadvertently storing on U.S. servers. The company says that it's begun notifying victims.
"It is always a company's responsibility to identify U.K. victims and take steps to reduce any harm to consumers," the Information Commissioner's Office said in a statement last week. Britain's privacy watchdog says that it has been "pressing the firm to establish the scale of any impact on U.K. citizens and have also been engaging with relevant U.S. and U.K. agencies about the nature of the data breach. It can take some time to understand the true impact of incidents like this, and we continue to investigate. Members of the public should remain vigilant of any unsolicited emails, texts or calls, even if it appears to be from a company they are familiar with. We also advise that people review their financial statements regularly for any unfamiliar activity."
Canadian Breach Victims
Equifax says about 100,000 Canadians' names, addresses, social insurance numbers and, in some cases, credit card numbers were also exposed in the breach, and it has promised to notify victims directly. The credit bureau says it's working with Canada's privacy watchdog - the Office of the Privacy Commissioner of Canada - and that it will offer 12 months of identity theft monitoring to victims.
"We apologize to Canadian consumers who have been impacted by this incident," said Lisa Nelson, president and general manager of Equifax Canada, in a statement. "We understand it has also been frustrating that Equifax Canada has been unable to provide clarity on who was impacted until the investigation is complete. Our focus now is on providing impacted consumers with the support they need."
Canada's privacy commissioner on Friday announced the launch of an investigation into the Equifax breach, based on complaints from consumers.
Fake Breach-Notification Site
When announcing the mega-breach on Sept. 7, Equifax directed potential breach victims to a dedicated website - www.equifaxsecurity2017.com - for more information.
In an embarrassing gaff, however, it appears that since Sept. 9, Equifax's customer support team has been accidentally directing some breach victims to a fake site - securityequifax2017.com - registered by developer Nick Sweeting, who mimicked the look and feel of the original.
Sweeting's site is now being blocked by multiple browsers and security tools - including the Google Chrome domain blacklist - and being flagged as a phishing site.
Sweeting said he created his site to highlight how dangerous the Equifax site is, especially because it's not actually hosted on the equifax.com domain. That means it could have been registered by anyone. In fact, when Equifax first launched its official breach-notification site, many security tools blocked it on the grounds that it looked like a phishing site.
"It's in everyone's interest to get Equifax to change this site to a reputable domain," Sweeting tells Gizmodo. "I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it."
If Equifax's customer support team cannot tell the real Equifax breach-notification site from the fake one, what chance do consumers have?
Sweeting says that if he can register and build a real-looking - but thankfully faux - phishing site in 20 minutes, so can anyone else. "I can guarantee there are real malicious phishing versions already out there," he tells Gizmodo.
Managing Editor Jeremy Kirk also contributed to this story.