U.S. officials looking at Apache vulnerability as cause for Equifax breach

This story has been updated with a statement from Equifax

It’s likely that whomever was responsible for the giant data breach at credit reporting firm Equifax targeted an old version of the Apache Struts framework, according to a senior government official who spoke on condition of anonymity to discuss an ongoing investigation.

The attackers, the official said, appear to have relied on a known vulnerability in the open-source web application that was disclosed in March 2017. The vulnerability is different from the one that was widely reported on last week.

The official’s comments to CyberScoop are the first from a government source regarding the cause behind one of the largest data breaches in U.S. history, which was publicly announced last week.

The official cautioned that while the Struts vulnerability is currently considered the mostly likely avenue, an investigation is ongoing and still developing.

The FBI is currently working with Equifax in order to fully investigate the cause of the breach and who may be responsible for compromising records affecting up to 143 million U.S. residents.

“I really do believe this is an inflection point,” the senior U.S. official said. “This is just as big as Sony, as Target, as OPM.”

Lawmakers in both the House and Senate have called for transparency from Equifax as they seek answers about how this breach occurred, when authorities were first notified and whether customers had been properly notified about the incident.

U.S. cybersecurity firm Mandiant was brought in by Equifax to respond to the breach, ZDNet first reported.

The Struts remote code execution vulnerability mentioned by the official was catalogued as CVE-2017-5683 in March.

Equifax’s main competitors, TransUnion and Experian, also reportedly rely on the popular Apache Struts framework. Some security experts believe Equifax’s competition were susceptible to the same vulnerability in recent months. Outdated software, which has not been updated or patched in months, is wildly susceptible to being hacked.

Experian did not respond to a request for comment.

A TransUnion official did not answer a specific question sent by CyberScoop about security measures taken in the aftermath of the Equifax breach, but instead provided the following statement: “We are aware of the Equifax announcement and have activated our standard protocol to investigate the nature of this attack. Our information security and technology teams are actively evaluating this incident to determine what, if any, actions from TransUnion might be appropriate.”

News that the Equifax breach had been caused by an Apache Struts vulnerability first appeared in press reports Friday after an analysis by equity research firm Baird noted the reason. A New York Post article concerning the breach quoted a Baird analyst saying that a source inside Equifax had told him about the Struts vulnerability.

Update: Equifax has confirmed CyberScoop’s reporting. In a public statement released late Wednesday night, an Equifax spokesperson said that CVE-2017-5683 allowed for hackers to break into the company and compromise records. 

https://twitter.com/zackwhittaker/status/908135177800601600