Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.
The retirements and more details about the company's mega-breach are revealed in a new entry to equifaxsecurity2017.com in which the company describes what it knew, when it knew it, and how it responded.
The update reveals that the attack hit the company's “U.S. online dispute portal web application” and that the source of its woes was the Apache Struts 2 flaw CVE-2017-5638, “which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.” Equifax acknowledges that the bug was disclosed in early March 2017.
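Two checks a defender could have run in the months between disclosure and the July intrusion, written here as an added example and not code from Equifax, Apache or the original article: a version test against the affected range published in Apache's S2-045 advisory (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1), and a log-side triage of Content-Type headers for the OGNL expression markers this bug was exploited through. The request records are constructed for the example, the field names are an assumption about the log format, and the header check is a string heuristic rather than a full media-type parser.

```python
import re

# Constructed sample records (not captured traffic). The first is a normal
# multipart upload; the other two carry OGNL expression markers in the
# Content-Type header, the shape of the CVE-2017-5638 (S2-045) vector.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/dispute/upload.action",
     "content_type": "multipart/form-data; boundary=----WebKitFormBoundary"},
    {"src": "198.51.100.7", "path": "/dispute/upload.action",
     "content_type": "%{(#_='multipart/form-data').(#cmd='id')}"},
    {"src": "198.51.100.9", "path": "/dispute/index.action",
     "content_type": "application/x-www-form-urlencoded;#cmd=whoami"},
]

# OGNL expression openers and the literal "#cmd=" string named in the CVE text.
# These are the markers public signatures for this bug keyed on; an attacker
# can vary the payload, so treat a miss as "not obviously malicious", not safe.
OGNL_MARKERS = re.compile(r"(%\{|\$\{|#cmd=)")

# Rough shape of a legitimate media type: type/subtype plus ;name=value params.
VALID_MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=[^;]*)*$")


def classify_content_type(value: str) -> str:
    """'ognl' if the header carries expression markers, 'malformed' if it is not
    a plausible media type at all, otherwise 'ok'."""
    if OGNL_MARKERS.search(value):
        return "ognl"
    if not VALID_MEDIA_TYPE.match(value.strip()):
        return "malformed"
    return "ok"


def scan_requests(requests):
    """Return the records whose Content-Type header deserves a closer look."""
    findings = []
    for rec in requests:
        verdict = classify_content_type(rec.get("content_type", ""))
        if verdict != "ok":
            findings.append({**rec, "verdict": verdict})
    return findings


def _parse_version(version: str):
    # "2.5.10.1" -> (2, 5, 10, 1); tuple comparison handles the 4th component.
    return tuple(int(p) for p in version.split("."))


def vulnerable_to_s2_045(version: str) -> bool:
    """True if a Struts 2 version string falls inside the affected range
    published in Apache's S2-045 advisory for CVE-2017-5638."""
    v = _parse_version(version)
    in_23_branch = (2, 3, 5) <= v < (2, 3, 32)
    in_25_branch = (2, 5) <= v < (2, 5, 10, 1)
    return in_23_branch or in_25_branch


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(f"{hit['src']} {hit['path']} [{hit['verdict']}] {hit['content_type']!r}")
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if vulnerable_to_s2_045(ver) else "fixed")
```

The version check is the one that matters for the "took efforts to identify and to patch" question: inventorying deployed Struts jars against the advisory range is mechanical and would have surfaced the dispute portal as unpatched. The header triage is a detection fallback for the window before the patch lands; because the bug is triggered before the application sees the request body, the only useful telemetry is the raw header, so the check has to run on a reverse proxy, WAF or web-server log rather than in application code.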
The next point on the company's list says “Equifax’s Security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”
But elsewhere in the statement, Equifax just-about-confesses that those efforts either missed the Struts implementation or failed to patch it properly. The key passages explain that the company “observed suspicious network traffic” on July 29th, “continued to monitor network traffic and observed additional suspicious activity” on the 30th and “took offline the affected web application that day.”
Only then, on the 30th, did the fix land: “Equifax patched the affected web application before bringing it back online.”
The statement leaves many questions unanswered. The phrase “aware of this vulnerability at that time” could mean anything, perhaps even something as trivial as a single email reaching an inbox in Equifax's security team. The words “took efforts to identify and patch vulnerable systems” don't definitively say whether Struts was identified as vulnerable or whether an attempt was made to patch it. Indeed, the company's statement goes on to say “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available.”
That review is being conducted with security outfit Mandiant, which the new statement says was engaged on August 2nd. The new update also addresses why the public was not told sooner, saying disclosure came “As soon as the company understood the potentially impacted population”.
The company says its investigations are ongoing and that it continues to assist the FBI with its probe into the matter.
Which means lots of fun for new interim CIO Mark Rohrwasser and interim chief security officer Russ Ayres. Good luck, gents, it looks like you'll need it! ®