Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup

This is the fifth blog in the running series on the Equifax data breach.

  1. Equif*@#$d: Equifax Breach Response Off To A Rough Start
  2. Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle
  3. Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
  4. Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
  5. Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
  6. Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!
  7. Equifax Breach: Cyber Insurance To The Rescue?!
  8. Equifax Breach: Updated Timeline, Phishing, Regulation, and a Roundup
  9. Equifax Breach: A Wrap-Up?

    As you might expect, many in the technology field have already received marketing emails from security companies claiming that their technology or solution would have stopped the Equifax breach if they had been involved. Even before we actually knew 100% how Equifax was breached (it had not yet been confirmed that it was in fact an unpatched Apache Struts vulnerability), the emails stated that their technology could have stopped it.

    The most curious of these emails come from service providers that are not associated with Equifax at all yet feel the need to email their customers. In one case, LastPass emailed to say they aren’t affected but shared the Equifax press release. It has prompted some to ask, “why tf is LastPass emailing me to tell me my LastPass account isn’t affected by the Equifax breach?” One journalist puts the number of ambulance-chasing emails in the hundreds. And to be clear, while this is the most recent spam wave, this isn’t the first time we have seen a major breach used as a marketing campaign. We all remember the numerous emails going around claiming their security products would even have stopped the Snowden leaks!

    How Equifax Was Breached

    After speculation and unfounded claims, Equifax has officially confirmed that an Apache Struts flaw was in fact used to compromise them in this breach. As suspected, it was not one of the Struts vulnerabilities disclosed this month, but rather ‘Struts-Shock’ (CVE-2017-5638), disclosed in March 2017. While some will be eager to say “told you so”, there is still a lot more to consider.

    First, we should not yet assume that only one individual or group exploited the vulnerability and grabbed the data. With an Internet-facing server exposed to a high-profile vulnerability with public exploit code, we have to assume that more than one party may have exploited it. Equifax says that they discovered the breach on July 29th, but we know that the Struts-Shock exploit code was published on March 9th. That means that Equifax did not patch the vulnerability for as many as 142 days. We don’t know if it was patched and the breach noticed afterwards, or if the breach was noticed and the vulnerability patched as a result.

    Second, there has been more fallout on the topic of Equifax’s digital security hygiene and footprint. Per Twitter user ‘ThreatPinch’, at least 135 IP addresses belonging to Equifax are still affected by the Heartbleed vulnerability, which was disclosed on April 7, 2014. If Equifax has that many public-facing servers that have not been patched against a three-year-old vulnerability, we have to assume that whoever is responsible for the latest breach is not the only one to have gotten in, and that it is likely not that exclusive a club. Brian Krebs reports that an Equifax employee portal for managing credit disputes in Argentina had to be shut down yesterday because it used a login and password of ‘admin’. Last, looking at our own Cyber Risk Analytics ratings for Equifax, they have been rated below a full star for well over a year. We take data from numerous sources to calculate a rating that can be used to better understand the cyber hygiene of an organization and the likelihood of a future data breach. Given everything that we know and can easily see about their history, it isn’t a shock that Equifax has had yet another data breach.

    Regardless of the subsequent fallout, it is absolutely great that the public knows how Equifax was compromised. That information is missing in the large majority of breaches, yet it is the one data point that could help other companies know which vulnerabilities are being actively targeted and prioritize their remediation efforts accordingly.

    Curious Relationship Between FireEye/Mandiant and Equifax

    Finally, ZDNet reports that Equifax has enlisted FireEye-owned Mandiant for its incident response to this breach. This is another curious move, since Equifax’s CSO was quoted in 2012 saying that “zero-day and targeted attacks that evade some of the simpler defenses are where you are going to need a next-generation product [..] by far, FireEye detected and kept us secure from these issues.” In fact, this statement was part of a FireEye whitepaper that was advertised on their site and has since been quickly removed after news of the breach hit.


    While we can only assume that Equifax is still using FireEye products, it does raise an eyebrow about the effectiveness of a product, or of its deployment, when it boasts about stopping “zero-day and targeted attacks” but somehow misses a public remote code execution flaw in a widely deployed web framework.

    If that wasn’t enough oddity for one blog update, Twitter user ‘x0rz’ pointed out that a Mandiant employee appears to have registered “equihax.com” two days before Equifax announced the breach publicly. The website currently has nothing on it, but the domain does in fact show as registered to a “Brandan Schondorfer”, whose LinkedIn profile is now returning a 404. Google, however, still shows that he is an incident response consultant at Mandiant (a FireEye company).


    As we continued poking around Google looking at the cached profile, we stumbled across something else interesting! While Brandan’s cached LinkedIn profile no longer exists, we were able to find his current profile, since the LinkedIn URL contains the same identifier, “44933668”. It appears that Brandan has recently renamed his LinkedIn profile to drop his last name:


    Additionally, it seems that Brandan has removed his Twitter account as well as what may be his Facebook account (but oddly, not his MySpace or SoundCloud pages!):


    It’s difficult to say why a Mandiant employee would register that domain without anonymous registration, especially ahead of the public announcement, when Equifax is a customer of theirs. Some have suggested that it was possibly done to prevent phishing domains from being registered. Others have jumped in and agreed that Brandan was just performing a rear-guard action, buying up all the domains that others might use to mock Equifax for the breach. But it was also pointed out that he was sloppy in registering under his own name and is probably being mocked at work by his peers, as this move effectively forced Equifax to disclose who they were using for the incident response.

    Regardless of whether this was a Mandiant-sanctioned domain registration, the name change on the LinkedIn profile and the apparent removal of other social media accounts suggest that the mistake has been realized.

    While this may seem off topic, a key question for any data breach is when the affected organization actually knew about the issue and when it engaged outside assistance. In this case, we can say with some degree of certainty that FireEye was engaged before the announcement and assisted with the initial assessment.

    Update Roundup

    Five days after any news-saturating breach, we typically reach a point where many of the prior topics covered in this blog begin to be examined in more detail. Like loose threads, various people will follow them, cover each in greater detail, examine additional points, and explore new ideas on the topics. It is easy to go down these rabbit holes because they often promise interesting and impactful observations that can help us better understand the situation. Rather than try to visit each of these rabbit holes, we’d like to share some of the updates and new developments in a more succinct manner:

    The story continues with “Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!”