Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
September 14, 2017 • RBS
This is the fifth blog in the running series on the Equifax data breach.
- Equif*@#$d: Equifax Breach Response Off To A Rough Start
- Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle
- Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
- Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
- Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
- Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!
- Equifax Breach: Cyber Insurance To The Rescue?!
- Equifax Breach: Updated Timeline, Phishing, Regulation, and a Roundup
As you might expect, many in the technology field have already received marketing mails from security companies claiming that their technology or solution would have stopped the Equifax breach if they had been involved. Even before we actually knew 100% how Equifax was breached (it had not yet been confirmed it was in fact an unpatched Apache Struts vulnerability), the emails stated that their technology could have stopped it.
The most curious of these emails come from service providers that have no association with Equifax yet feel the need to email their customers anyway. In one case, LastPass emailed to say they aren’t affected but shared the Equifax press release. It has prompted some to ask, “why tf is LastPass emailing me to tell me my LastPass account isn’t affected by the Equifax breach?” One journalist describes the ambulance-chasing emails as numbering in the hundreds. And to be clear, while this is the most recent spam wave, this isn’t the first time we have seen a major breach used as a marketing campaign. We all remember the numerous emails going around claiming their security products would have stopped even the Snowden leaks!
How Equifax Was Breached
After speculation and unfounded claims, Equifax has officially confirmed that an Apache Struts flaw was in fact used to compromise them in this breach. As suspected, it was not one of the Struts vulnerabilities disclosed this month, but rather ‘Struts-Shock’ (CVE-2017-5638), disclosed in March 2017. While some will be eager to say “told you so”, there is still a lot more to consider.
First, we should not yet believe that only one individual or group exploited the vulnerability and grabbed the data. With an Internet-facing server vulnerable to a high-profile vulnerability with public exploit code, we have to assume the potential that more than one party exploited it. Equifax says that they discovered the breach on July 29th, but we know that the Struts-Shock exploit code was published on March 9th. That means that Equifax left the vulnerability unpatched for as many as 142 days after working exploit code was public. We don’t know if it was patched and the breach noticed afterwards, or if the breach was noticed and the vulnerability patched as a result.
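Two defender-side checks follow from this paragraph: measuring how long a known-exploited vulnerability stayed open against a patch SLA, and hunting back through web logs for the whole exposure window rather than only the days around discovery. The block below is an added example written for this post, not code from RBS, Equifax or the Struts project. The log format, the IP addresses, the header values and the 30-day SLA are all constructed for the example; the only values taken from the post are the March 9th exploit publication date, the July 29th discovery date, and the Heartbleed disclosure date of April 7, 2014. The indicator it looks for is the one that defines CVE-2017-5638: an OGNL expression marker (`%{` or `${`) in the Content-Type header, which the vulnerable Jakarta multipart parser evaluated when building its error message. The check URL-decodes the header first so that an encoded marker is not missed.

```python
"""Exposure-window arithmetic and a Content-Type indicator check for
CVE-2017-5638 (Struts-Shock). Added example; not code from the post."""
import re
from datetime import date
from urllib.parse import unquote

# Assumed patch SLA for Internet-facing systems with public exploit code.
# A policy value chosen for this example, not one stated in the post.
PATCH_SLA_DAYS = 30

# OGNL expression markers. A legitimate Content-Type value never contains
# "%{" or "${"; the vulnerable multipart parser evaluated them as code.
OGNL_MARKER = re.compile(r"%\{|\$\{")

# Constructed reverse-proxy header log (not real traffic). One record per
# request: "timestamp | source ip | request line | raw Content-Type header".
# Record 2 carries a literal marker; record 4 carries the same marker
# URL-encoded ("%25%7B" decodes to "%{").
SAMPLE_LOG = """\
2017-03-10T02:14:07Z | 203.0.113.7 | POST /upload.action | multipart/form-data; boundary=----abc123
2017-03-10T02:14:09Z | 203.0.113.7 | POST /upload.action | %{(#placeholder='multipart/form-data')}
2017-03-11T11:03:44Z | 198.51.100.23 | GET /index.action | text/html
2017-03-12T09:48:10Z | 192.0.2.55 | POST /dispute.action | %25%7B%28%23x%3D%27multipart/form-data%27%29%7D
"""


def exposure_window(name, open_from, as_of, sla_days=PATCH_SLA_DAYS):
    """Return (name, days_open, sla_exceeded) for one vulnerability.

    open_from: date the exposure began (exploit publication or disclosure).
    as_of:     date the exposure ended (patch applied, or intrusion
               discovered), or today's date if it is still open.
    """
    days_open = (as_of - open_from).days
    return name, days_open, days_open > sla_days


def flag_ognl_content_type(log_text):
    """Return records whose Content-Type carries an OGNL marker.

    Each hit is (timestamp, src_ip, request, decoded_content_type). The
    header is URL-decoded before matching so encoded variants are caught.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, req, ctype = [f.strip() for f in line.split(" | ", 3)]
        decoded = unquote(ctype)
        if OGNL_MARKER.search(decoded):
            hits.append((ts, src, req, decoded))
    return hits


if __name__ == "__main__":
    # Dates from the post: exploit public March 9, discovery July 29 (2017).
    print(exposure_window("Struts-Shock", date(2017, 3, 9), date(2017, 7, 29)))
    # Heartbleed disclosed April 7, 2014 and still reported open on the
    # day this post was published (September 14, 2017).
    print(exposure_window("Heartbleed", date(2014, 4, 7), date(2017, 9, 14)))
    for hit in flag_ognl_content_type(SAMPLE_LOG):
        print("struts-ognl-indicator", *hit)
```

The two functions are deliberately independent: the exposure window tells you how far back a log hunt has to reach, and the indicator check is what you run over that window. Capturing the raw Content-Type header at the proxy or WAF is the prerequisite; a default access log does not record it.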
Second, there has been more fallout on the topic of Equifax’s digital security hygiene and footprint. Per Twitter user ‘ThreatPinch’, at least 135 IP addresses belonging to Equifax are still affected by the Heartbleed vulnerability, which was disclosed on April 7, 2014. If Equifax has that many public-facing servers that have not been patched against a three-year-old vulnerability, we have to assume that whoever is responsible for the latest breach is not the only one, and that it is likely not that exclusive a club. Brian Krebs reports that an Equifax employee portal for managing credit disputes in Argentina had to be shut down yesterday because it used a login and password of ‘admin’. Last, looking at our own Cyber Risk Analytics ratings for Equifax, they have been rated below a full star for well over a year. We take data from numerous sources to calculate a rating that can be used to better understand the cyber hygiene of an organization and the likelihood of a future data breach. Given everything that we know and can easily see about their history, it isn’t a shock that Equifax has had yet another data breach.
Regardless of the subsequent fallout, it is absolutely great that the public knows how Equifax was compromised. That is a missing bit of information in the large majority of breaches, yet it is one data point that could help other companies know which vulnerabilities are being actively targeted and prioritize their remediation efforts accordingly.
Curious Relationship Between FireEye/Mandiant and Equifax
ZDNet reports that Equifax has enlisted FireEye-owned Mandiant for its incident response to this breach. This is another curious move, since Equifax’s CSO was quoted in 2012 saying the “zero-day and targeted attacks that evade some of the simpler defenses are where you are going to need a next-generation product [..] by far, FireEye detected and kept us secure from these issues.” In fact, this statement was part of a FireEye whitepaper that was advertised on their site and has since been quickly removed after news of the breach hit.
While we can only assume that Equifax is still using FireEye products, it does raise an eyebrow about the effectiveness of a product or the deployment when it boasts about stopping “zero-day and targeted attacks” but somehow misses a public remote code execution flaw in a highly deployed web framework.
If that wasn’t enough oddity for one blog update, Twitter user ‘x0rz’ pointed out that a Mandiant employee appears to have registered “equihax.com” two days before Equifax announced the breach publicly. The website currently has nothing on it, but the domain does in fact show it is registered to a “Brandan Schondorfer”, whose LinkedIn profile is now returning a 404. But we can see that Google shows he is an incident response consultant at Mandiant (a FireEye Company).
As we continued poking around Google looking at the cached profile, we stumbled across something else interesting! While Brandan’s cached LinkedIn profile currently does not exist anymore, we were able to find his current profile since the LinkedIn URL has the same identifier “44933668” in it. It appears that Brandan has recently renamed his LinkedIn profile to drop his last name:
It’s difficult to say why a Mandiant employee would register that domain without anonymous registration, especially ahead of the public announcement, when Equifax is a customer of theirs. Some have stated that it was possibly to prevent phishing domains from being registered. Others have also jumped in and agreed that Brandan was just performing a rear-guard action, buying up all the domains that others may use to mock Equifax for the breach. But it was also mentioned that he was sloppy by registering under his own name and is probably being mocked at work by his peers as this move required Equifax to disclose who they were using for the incident response.
Regardless of whether this was a Mandiant-sanctioned domain registration, based on the name change in the LinkedIn profile and what appears to be the removal of other social media accounts, it seems that the mistake has been realized.
While this may seem off topic, a curiosity for any data breach is when the affected organization actually knew about the issue and when it engaged outside assistance. As expected, we can now acknowledge with some degree of certainty that FireEye was engaged before the announcement and assisted with the initial assessment.
Five days after any news-saturating breach, we typically get to a point where many of the prior topics covered in this blog begin to be examined in more detail. Like loose threads, various people will follow them and cover each in greater detail, examine additional points, and explore new ideas on the topics. It is easy to go down these rabbit holes because there is often promise of interesting and impactful observations that can help us better understand the situation. Rather than try to visit each of these rabbit holes, we’d like to share some of the updates and new developments in a more succinct manner:
- Zeynep Tufekci has written an opinion piece titled “Equifax’s Maddening Unaccountability” for the NYTimes that may echo sentiments from many impacted.
- Richard Blumenthal, a Senator from Connecticut, has written an open letter (PDF) to the CEO of Equifax strongly recommending they offer a better response to those affected, including longer credit monitoring, waiving all fees, and more.
- In a response to the Consumer Financial Protection Bureau (CFPB), the Consumer Data Industry Association (CDIA), on behalf of Equifax, pressed regulators to remove parts of the regulations that better protect victims of data breaches. Some are speculating that the CFPB investigating Equifax after the breach may influence the deregulatory efforts. Ultimately, all of this may end up landing at the feet of the President and Congress.
- The Dark Web site claiming to sell the Equifax data has been shut down after researchers exposed information about it.
- According to Will Long, Experian is airing a commercial for an information privacy product during an NFL game… days after the Equifax breach announcement.
- Brian Schatz observes that if half of those impacted by the Equifax breach sign up for a credit freeze, then Equifax will make ~$700 million on the fees to do so.
- After public pressure, Equifax quickly removes fees for victims asking for a credit freeze.
- A chat bot, software designed to walk you through a task (e.g. technical support), originally designed to help with arguing parking tickets in court has been repurposed to help you sue Equifax for up to $25,000 without hiring a lawyer. Welcome to the future!
- After the breach, “Standard & Poor’s has placed Equifax’s credit rating on outlook ‘negative’” according to TheStreet.
- Prior to the disclosure of the data breach, Equifax’s market value stood at $17.2 billion. Its market cap has since declined by about $4.9 billion, to $12.3 billion.
- Equifax CEO Richard Smith will testify before a special House panel about the Equifax security breach on October 3.