Correction: An earlier version of this article said the vulnerability exploited by the hackers who broke into Equifax was the one disclosed on Se
Correction: An earlier version of this article said the vulnerability exploited by the hackers who broke into Equifax was the one disclosed on Sep. 4. It’s possible that the vulnerability that was targeted was one disclosed in March. We will update this post when we’ve confirmed which vulnerability it was.
The credit reporting agency Equifax announced on Sept. 7 that hackers stole records containing personal information on up to 143 million American consumers. The hackers behind the attack, the company said, “exploited a U.S. website application vulnerability to gain access to certain files.”
That vulnerability, according to a report on the data breach by William Baird & Co., was in a popular open-source software package called Apache Struts, which is a programming framework for building web applications in Java. Two vulnerabilities in Struts have been discovered so far in 2017. One was announced in March, and another was announced earlier this week on Sept. 4. At the moment, it’s unclear which vulnerability the Baird report was referring to.
As we reported earlier this week, the vulnerability announced on Sept. 4 has existed in Struts since 2008. In their report on lgtm.com, the security researchers who discovered the bug warned that the affected application is widely used across industries and can easily be hacked with nothing but a browser, an internet connection, and some information about how the bug works.
“At least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework,” the report said. “Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework. This illustrates how widespread the risk is.”
The bug specifically affects a popular plugin called REST, which developers use to handle web requests, like data sent to a server from a form a user has filled out. The vulnerability relates to how Struts parses that kind of data and converts it into information that can be interpreted by the Java programming language. When the vulnerability is successfully exploited, malicious code can be hidden inside of such data, and executed when Struts attempts to convert it.
That means intruders could easily inject malware into web servers, possibly without being detected, and use it to steal or delete sensitive data, or infect computers with ransomware, among other things.
“Organizations who use Struts should upgrade their components immediately,” said Man Yue Mo, a researcher at lgtm.com.
The researchers said in their report that they had developed a “simple working exploit for this vulnerability,” which they have not yet published so that affected users can have a chance to update their software to the latest version, which has fixed the bug. The researchers also said they had found no evidence of an exploit being circulated online, on black market websites, or elsewhere.
“At the time of the announcement there is no suggestion that an exploit is publicly available, but it is likely that there will be one soon,” the researchers said in their report.
Equifax said in its Sept. 7 statement that most of the consumer information accessed includes “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers” as well as “credit card numbers for approximately 209,000 consumers.” The company added that 182,000 credit-dispute documents, which contain personal information, were also stolen.