As many of you are aware there are a large number of victims in the Equifax breach that was disclosed recently. Our analyst started taking a look at information in the Jigsaw Analytic Platform to see exactly what we know about the incident and we decided to share the findings.
It appears as though from OSINT reporting that the attack was carried out using an Apache Struts vulnerability identified earlier this year. Because Equifax failed to patch the flaw it allowed hackers to access records in which they should not have had access.
The affected organization appears to be a site known as the "Veraz Portal" according to some posts that we discovered in our analytic platform. Keep in mind that none of this information has been verified, as the Equifax legal team is busy, as are the public relations teams, with their investigations of the incident. It appears as though the "Veraz Portal" has been disabled, which leads one to believe that this is in fact the portal that was at the root of the issue.
Additional information posted on DataBreaches indicates that information was posted by a Twitter user known as (@real_1x0123) but could not be confirmed. As usual www.databreaches.net is on top of the story. What is really interesting here is that one would think the Driver Privacy Protection Act (DPPA) would be in play here.
In addition to this being a huge problem, there appear to have been 715 pages worth of complaints and disputes filed by Argentinians who at one point had contacted Equifax by phone or email to report issues with their credit reports, and nothing was done. Claims have also surfaced that the Apache Struts vulnerability allowed hackers to determine that the usernames and passwords of employees were the same value. This allowed anyone that discovered this to instantly gain access to the system and to access these records (and apparently export the data) with no detection of an issue by Equifax, indicating that basic security access auditing was not taking place.
With 143 million Americans, including some Jigsaw employees, being exposed, we are certainly outraged that this information was not protected when all of the ISACs and security vendors had reported on the Apache Struts vulnerability for the last year. We are already seeing large numbers of posts of credentials that match up with data from the Equifax breach. In addition, tools that validate login information are being used to bounce through anonymous proxies to find valid accounts on other services in which the users shared the same usernames and passwords from this breach, indicating that this attack will extend well beyond Equifax's borders.
Equifax is reporting, as well as press releases on the NYSE, that Equifax (EFX) has taken a huge hit on its stock price, and previous reporting indicates that executives dumped stock prior to this notification being released publicly. What vendors should be doing is using the tools that hackers are using to scan their own systems and identify accounts that have the same username and password combinations that were stolen from Equifax, so they can notify and secure these third party accounts.
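A defender-side version of the check recommended above, added here as an example and not taken from the original post or from Jigsaw: compare your own user store against a leaked username/password list offline, verifying each leaked password against the matching account's stored hash instead of attempting logins. The PBKDF2 password scheme, the constructed accounts and the constructed leak sample are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example's PBKDF2 scheme


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed site scheme: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_store(accounts):
    """Build {username: (salt, hash)}; plaintext is only used to construct the sample."""
    store = {}
    for username, password in accounts:
        salt = os.urandom(16)
        store[username.lower()] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(user_store, leaked_pairs):
    """Return (sorted) usernames whose stored hash verifies against the leaked password.

    Only accounts with a matching username are checked, and the leaked password is
    hashed with that account's own salt, so no login attempt or plaintext store is needed.
    """
    hits = set()
    for username, leaked_pw in leaked_pairs:
        entry = user_store.get(username.lower())
        if entry is None:
            continue  # username not on this site; nothing to check
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.add(username.lower())
    return sorted(hits)


def find_exposed_usernames(user_store, leaked_pairs):
    """Accounts that appear in the leak at all, even with a different password."""
    return sorted({u.lower() for u, _ in leaked_pairs if u.lower() in user_store})


# Constructed sample data (not real credentials): the site's accounts and a leak dump.
SAMPLE_ACCOUNTS = [("Alice", "Winter2017!"), ("bob", "correct horse"), ("carol", "hunter2")]
SAMPLE_LEAK = [("alice", "Winter2017!"), ("BOB", "something-else"),
               ("dave", "whatever"), ("carol", "hunter2")]

if __name__ == "__main__":
    store = make_user_store(SAMPLE_ACCOUNTS)
    print("force reset:", find_reused_credentials(store, SAMPLE_LEAK))
    print("notify:", find_exposed_usernames(store, SAMPLE_LEAK))
```

Accounts returned by `find_reused_credentials` need a forced password reset and session revocation; those returned only by `find_exposed_usernames` are candidates for a notification and closer login monitoring.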
The biggest question to ask yourself is: can Equifax be trusted? The basic failure of using the same usernames and passwords for accounts tells me that they can't be trusted. Freezing your credit is one way to protect yourself, but that punishes the consumer, and in some cases, such as Equifax, they charge you money to thaw your account if it's been frozen, allowing them to make money off of the issue that was originally caused by their lack of security. Consumers should not have to pay for unfreezing a basic protection which may not have been needed if not for the lack of basic security controls by Equifax.
We can tell you that hackers are using anonymous proxies to validate the information stolen in the attack to access other sites and services. At a minimum we recommend password changes on any account that may be using the same credentials. Subscribers to the Jigsaw Security Enterprise portal will be provided with very specific things that we are seeing that may be useful in protecting your customers from third party attacks as a result of this breach.