Incident Overview

In 2017, Equifax, one of the largest credit reporting agencies in the United States, suffered a catastrophic data breach that exposed the personal information of approximately 147 million people. This breach included personal identity information such as Social Security numbers, birth dates, addresses, driver’s license numbers, and credit card information.

Timeline of Events:

• March 7, 2017: A critical vulnerability in the Apache Struts web application software was disclosed, and a patch was issued.
• May 13, 2017: Attackers began exploiting the unpatched vulnerability in Equifax's systems.
• July 29, 2017: Equifax discovered the breach.
• September 7, 2017: Equifax publicly announced the breach.

Key Actors:

• Attackers: Unidentified cybercriminals who exploited the vulnerability.
• Equifax: The credit reporting agency that experienced the breach.
• Affected Individuals: Approximately 147 million people whose personal information was compromised.

Attack Methodology

The attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638), a widely used open-source framework for creating Java EE web applications.

1. Initial Infiltration: The Apache Struts vulnerability allowed attackers to remotely inject commands into the web server by incorrectly parsing an invalid HTTP header.
2. Lateral Movement: Once inside the network, the attackers moved laterally. This means they navigated from one system to another within Equifax’s internal network. Although the exact tools used by them are not known, they could have
   1. used a credential dumping tool to extract credentials from memory, registries, and other storage locations.
   2. With the credentials they could access other computers within the network through Remote Desktop Protocol. By accessing systems via RDP, they can control other machines as if they were physically present at the console.
   3. Once inside the network, perform reconnaissance to map out the network and identify high-value targets using nmap and terminal commands.
3. Data Exfiltration: The attackers extracted vast amounts of personal data over several months. They encrypted the data before transferring it to avoid detection by data loss prevention systems.

Vulnerabilities Exploited

1. Unpatched Software: Equifax failed to apply the critical security patch for the Apache Struts vulnerability.
2. Inadequate Monitoring: The prolonged duration of the breach indicates weaknesses in Equifax’s ability to detect unauthorised activity within its network.