The attackers who breached Equifax managed to do so by exploiting a vulnerability in its US website, the company has finally confirmed. The vulnerability – CVE-2017-5638 – is a remote code execution flaw in the Jakarta Multipart parser of Apache Struts 2: a crafted Content-Type header in an upload request is evaluated as an OGNL expression, giving the attacker command execution on the server.
A failure to implement an available patch
CVE-2017-5638 was flagged in March 2017. It was discovered and reported by Chinese developer Nike Zheng.
It was quickly patched by the Apache Struts team (the fixes shipped in Struts 2.3.32 and 2.5.10.1), but the disclosure was followed by active attacks via two very reliable exploits that had already been published online.
The Equifax hack was traced back to mid-May, meaning that the site’s administrators evidently failed to implement the security update for over nine weeks. And then, the company failed to spot the intrusion until late July.
Following initial reports that an Apache Struts flaw was how the attackers got in, Apache Struts VP René Gielen described the project’s practice of quickly patching vulnerabilities once they are discovered and reported.
He also advised businesses and individuals using Apache Struts to keep track of announcements affecting the product, and to establish a process to quickly roll out a security fix release of their software product once the framework has been updated.
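The first step of the process Gielen describes is knowing which Struts build each deployment actually ships. The following inventory check is an added example, not code from the article or from the Apache Struts project: it walks a deployment tree, finds struts2-core jars by filename, and flags versions inside the CVE-2017-5638 affected range (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). It assumes the jar keeps its stock `struts2-core-<version>.jar` name; a shaded or renamed jar would need a check of the manifest instead.

```python
"""Added example (not from the article): find struts2-core jars on disk and
flag versions inside the CVE-2017-5638 affected range."""
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Stock Maven artifact name, e.g. struts2-core-2.3.31.jar (assumption: not renamed).
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Fix versions from the Apache S2-045 advisory for CVE-2017-5638.
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare the way version numbers do."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this struts2-core version is in the CVE-2017-5638 affected range."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < FIXED_2_3
    if v[:2] == (2, 5):
        return v < FIXED_2_5  # (2, 5) and (2, 5, 10) both sort below (2, 5, 10, 1)
    return False


def classify_jar(filename: str) -> Optional[Tuple[str, bool]]:
    """(version, vulnerable) for a struts2-core jar, None for any other file."""
    match = JAR_RE.match(os.path.basename(filename))
    if not match:
        return None
    version = match.group(1)
    return version, is_vulnerable(version)


def classify_paths(paths: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Apply classify_jar to a list of paths; returns (path, version, vulnerable)."""
    findings = []
    for path in paths:
        result = classify_jar(path)
        if result is not None:
            findings.append((path, result[0], result[1]))
    return findings


def scan(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment directory (e.g. a Tomcat webapps tree) and classify every jar."""
    paths = [
        os.path.join(dirpath, name)
        for dirpath, _, files in os.walk(root)
        for name in files
    ]
    return classify_paths(paths)


if __name__ == "__main__":
    for path, version, vulnerable in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("VULNERABLE" if vulnerable else "ok        ", version, path)
```

Run it against each application server's webapps directory as part of the release process; a non-empty VULNERABLE list is the signal that the roll-out Gielen recommends has not happened for that host.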
Other recent changes
In this latest progress update, Equifax has reiterated that affected customers who take advantage of the free TrustedID credit monitoring service membership offered by the company will not be forfeiting their right to join a class action suit against the company.
The company has also noted that due to the high volume of security freeze requests, it experienced temporary technical difficulties that forced its system offline for approximately an hour on Wednesday.
More than likely, this had something to do with the announcement that the company has waived credit-freeze fees ($10 per freeze) for those affected by the breach, but just until November 21.
In addition to all this, the company has changed the way it generates the PIN when a consumer initiates an Equifax security freeze. The PIN is now randomly generated, instead of being an easily guessable combination of the date and time at which the customer initiated the procedure.
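To make the difference concrete, here is an added example (not Equifax's code, and not from the article) that places the timestamp-derived scheme beside a CSPRNG-generated replacement. It assumes a ten-digit PIN in `MMDDYYHHMM` form for the weak scheme; the article only says the old PIN was built from the date and time, so the exact layout is an assumption made for illustration.

```python
"""Added example (not from the article): predictable timestamp PIN vs. a PIN
drawn from the operating system's CSPRNG."""
import secrets
from datetime import datetime, timedelta
from typing import List

PIN_DIGITS = 10  # assumption: ten-digit PIN, matching the MMDDYYHHMM layout below


def weak_pin(requested_at: datetime) -> str:
    """Reconstruction of the predictable scheme (layout is an assumption):
    the PIN is the request timestamp, so anyone who knows roughly when the
    freeze was placed can enumerate it minute by minute."""
    return requested_at.strftime("%m%d%y%H%M")


def weak_pin_candidates(start: datetime, end: datetime) -> List[str]:
    """Search space an attacker faces for a weak PIN placed in [start, end]:
    one candidate per minute, regardless of how many digits the PIN has."""
    t = start.replace(second=0, microsecond=0)
    candidates = []
    while t <= end:
        candidates.append(weak_pin(t))
        t += timedelta(minutes=1)
    return candidates


def strong_pin(digits: int = PIN_DIGITS) -> str:
    """PIN drawn uniformly from the OS CSPRNG. zfill keeps leading zeros so
    every one of the 10**digits values is equally likely and equally long."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def pin_is_well_formed(pin: str, digits: int = PIN_DIGITS) -> bool:
    return len(pin) == digits and pin.isdigit()


def strong_search_space(digits: int = PIN_DIGITS) -> int:
    """Number of guesses an attacker must cover with no side information."""
    return 10 ** digits


if __name__ == "__main__":
    placed = datetime(2017, 9, 8, 14, 23)  # constructed sample request time
    print("weak PIN for that request:", weak_pin(placed))
    window = weak_pin_candidates(placed - timedelta(hours=1), placed + timedelta(hours=1))
    print("weak candidates for a +/-1h window:", len(window))
    print("strong PIN:", strong_pin(), "out of", strong_search_space(), "possibilities")
```

The point of the contrast is the search space, not the digit count: both PINs are ten digits long, but the timestamp scheme leaves an attacker who knows the freeze was placed on a given afternoon with a few hundred guesses, while the CSPRNG scheme leaves ten billion.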