Equifax Confirms Apache Struts Flaw Used in Hack

U.S. credit reporting agency Equifax confirmed on Wednesday that an Apache Struts vulnerability exploited in the wild since March was used to breach its systems.

Equifax informed customers last week that hackers had access to its systems between mid-May and late July. The breach, which affects roughly 143 million U.S. consumers, involved names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers.

The credit card numbers of roughly 209,000 consumers in the United States and dispute documents belonging to 182,000 people may have also been stolen by the attackers. Individuals in the U.K. and Canada are also affected and a class action was already initiated by Canadian consumers. 

Equifax initially only revealed that the cybercriminals exploited a vulnerability in a “U.S. website application” to access files. However, financial services firm Baird later claimed to have learned that the application in question was Apache Struts, a framework used by many top organizations to create web apps.

While some believed that the Apache Struts vulnerability was the recently patched CVE-2017-9805, which has been increasingly exploited in the wild to deliver malware, a more likely candidate was CVE-2017-5638, a vulnerability disclosed and fixed in March, and leveraged by cybercriminals shortly after.

An update posted by Equifax on Wednesday to the website dedicated by the company to the cybersecurity incident confirms that CVE-2017-5638 was the Apache Struts 2 flaw exploited by attackers.

“We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement,” the company said.

This shows that the breach was possible due to the company’s failure to patch a critical vulnerability in more than two months after its disclosure. Following the incident, others started highlighting holes in Equifax’s cyber security, including unpatched cross-site scripting (XSS) vulnerabilities reported to the company more than one year ago, and the lack of many basic protections.

Security blogger Brian Krebs reported on Tuesday that an Equifax Argentina employee portal exposed 14,000 records, including employee credentials and consumer complaints.

After New York Attorney General Eric T. Schneiderman announced the launch of a formal investigation into the Equifax breach, Illinois and nearly 40 other states joined the probe.

Equifax shares have fallen more than 30% since the disclosure of the breach, wiping roughly $5.3 billion off the company’s market capitalization.

Related: Industry Reactions to Equifax Hack

Related: Massive Credit Bureau Hack Raises Troubling Questions