
In an update posted to its security breach website, Equifax said hackers used an Apache Struts security bug to breach its servers and later steal data on over 143 million customers, from both the US and the UK. We quote:

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

Equifax's confirmation comes after a report from equity research firm Baird circulated last week blaming the same flaw.

Time of breach will be the most important detail

At the time it was discovered, in March 2017, the Apache Struts CVE-2017-5638 vulnerability was a zero-day — a term used to describe security bugs that attackers are exploiting before the vendor is aware of them or has released a patch.

Equifax did not reveal the exact date when the security breach occurred, but only when it became aware of it — July 29, 2017. It is unclear if Equifax was breached before the Struts zero-day became public, or months after Apache made a patch available.

Having identified the vulnerability the hackers exploited, Equifax quite obviously knows when the breach occurred as well, but is currently holding off from revealing this information.

The actual date of the breach will be the key point in determining responsibility in the tens of class-action lawsuits filed in the last week.

The Apache Struts team released a patch for CVE-2017-5638 on March 6, 2017.

Vulnerability previously exploited by ransomware gang

After its public disclosure, the CVE-2017-5638 flaw came under heavy exploitation by numerous criminal groups, including one that was breaching Struts servers to install the Cerber ransomware on locally networked computers. That group made at least $100,000 worth of Bitcoin from their endeavor.

Two days before Equifax announced its security breach, the Apache Struts team patched another critical vulnerability — CVE-2017-9805. In a statement, the Apache Foundation went on record saying that this second flaw could not have been responsible for the Equifax breach, despite some erroneous reports.

Nonetheless, this second Struts flaw is as dangerous as the first, and this is the reason why Cisco is auditing all its software products to see if they're affected.

Apache Struts is a widely used technology among Fortune 500 companies, making it the perfect attack surface for hackers who want to target large corporations.

Struts is an open-source MVC framework for Java, similar to what Ruby on Rails is for Ruby and what Symfony and Laravel are for PHP. It helps developers build complex applications by reusing components for common tasks.