The Apache Foundation released a patch for a vulnerability. The vulnerability (CVE-2017-5638) was scored 10/10, the highest severity rating.
The Department of Homeland Security sent an email to key stakeholders – like Equifax – ensuring they were aware and working to patch their affected servers.
Equifax began investigating to identify any servers that could have been affected. They used two vulnerability scanners – an open-source product and a commercially purchased solution – to scan the network and find where they were vulnerable. The results came back empty. (One reason the scans came back empty was a misconfiguration: the scanners were pointed at the wrong directory on the servers.)
An external attacker exploited the vulnerability by coming in through the firewall over standard web ports and dropping a web shell on the application servers, effectively creating a backdoor. From that application server they could run commands, inspect the file system, and scan other servers in the environment.
Using the web shell, the attackers looked around the file system and found a clear-text file containing usernames and passwords for various servers in the organization. These credentials gave them access to data on three ACIS databases, as well as 45 other databases on the network.
Over the span of 76 days, they ran – undetected – 9,000 different queries to these web servers. The attackers uncovered 148 million records of personally identifiable information (PII), and the web shell was used to exfiltrate that data, slowly trickling it out in 10 MB packages to evade detection.
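The "10 MB packages" detail is the detection lesson here: a rule that alerts only on large single transfers never fires, while a rule that sums outbound volume per destination over a window does. The following is an added example, not code from the original write-up or from Equifax; the flow records, host names and addresses are constructed, and the thresholds and 24-hour window are assumptions chosen for illustration.

```python
"""Added example: per-destination aggregation of outbound transfer volume.

Many small transfers, each below a naive per-connection threshold, are still
caught when their volume is summed per destination over a sliding window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (hypothetical hosts and addresses, not real
# incident data): ISO timestamp, source host, destination address, bytes sent.
# Five roughly 10 MB transfers to one address, plus one small unrelated flow.
SAMPLE_FLOWS = [
    ("2017-06-01T02:00:00", "app-srv-01", "203.0.113.10", 10_000_000),
    ("2017-06-01T02:40:00", "app-srv-01", "203.0.113.10", 10_000_000),
    ("2017-06-01T03:00:00", "app-srv-02", "198.51.100.5", 2_000_000),
    ("2017-06-01T03:20:00", "app-srv-01", "203.0.113.10", 10_000_000),
    ("2017-06-01T04:00:00", "app-srv-01", "203.0.113.10", 10_000_000),
    ("2017-06-01T04:40:00", "app-srv-01", "203.0.113.10", 10_000_000),
]

PER_TRANSFER_ALERT_BYTES = 50_000_000  # assumed naive rule: alert above 50 MB per flow
AGGREGATE_ALERT_BYTES = 40_000_000     # assumed cumulative threshold per destination
WINDOW = timedelta(hours=24)           # assumed sliding window


def parse_flows(records):
    """Turn raw (ts, src, dst, bytes) tuples into typed, time-sorted tuples."""
    flows = [(datetime.fromisoformat(ts), src, dst, int(nbytes))
             for ts, src, dst, nbytes in records]
    return sorted(flows)


def per_transfer_alerts(flows, threshold=PER_TRANSFER_ALERT_BYTES):
    """Naive rule: only a single transfer larger than the threshold alerts."""
    return [flow for flow in flows if flow[3] > threshold]


def aggregate_alerts(flows, window=WINDOW, threshold=AGGREGATE_ALERT_BYTES):
    """Sliding-window sum of outbound bytes per destination.

    Returns {destination: details} for every destination whose cumulative
    volume inside any window exceeds the threshold, recorded at the first
    transfer that tips it over.
    """
    by_dst = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_dst[dst].append((ts, src, nbytes))

    alerts = {}
    for dst, events in by_dst.items():
        start, total = 0, 0
        for end, (ts, src, nbytes) in enumerate(events):
            total += nbytes
            # Slide the window start forward past events older than `window`.
            while events[start][0] < ts - window:
                total -= events[start][2]
                start += 1
            if total > threshold and dst not in alerts:
                alerts[dst] = {
                    "first_seen": events[start][0],
                    "triggered_at": ts,
                    "transfers": end - start + 1,
                    "bytes": total,
                    "sources": sorted({e[1] for e in events[start:end + 1]}),
                }
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("per-transfer alerts:", per_transfer_alerts(flows))
    for dst, info in aggregate_alerts(flows).items():
        print(f"aggregate alert: {dst} received {info['bytes']} bytes "
              f"in {info['transfers']} transfers from {info['sources']}")
```

On the constructed sample the per-transfer rule returns nothing, while the aggregate rule flags 203.0.113.10 at the fifth 10 MB transfer. In production the same logic would run over firewall, proxy or NetFlow export rather than the inline list.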
While the attackers were moving Equifax’s data outside the environment, the IT team looked into their SSL appliance and realized it had expired certificates. Operating in a fail-open state, the SSL appliance was allowing traffic to pass through uninspected, where it should otherwise have detected the exfiltration.
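An expired certificate on a fail-open inspection device is a silent loss of visibility, so certificate expiry on such devices deserves a higher severity than expiry elsewhere. The following is an added example, not code from the original write-up or from any vendor; the device inventory is constructed, and the `not_after` strings use the format that Python's `ssl.SSLSocket.getpeercert()` returns for `notAfter`, which the standard-library `ssl.cert_time_to_seconds` parses.

```python
"""Added example: rank certificate expiry findings by what the device does
when its certificate is invalid.

A fail-open TLS inspection device with an expired certificate is flagged
critical because it keeps passing traffic it no longer inspects.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory (hypothetical device names, not from the incident
# write-up). `not_after` is in the "%b %d %H:%M:%S %Y GMT" form that
# ssl.getpeercert()['notAfter'] returns.
INVENTORY = [
    {"device": "ssl-inspect-01", "role": "tls-inspection", "fail_mode": "open",
     "not_after": "Jan 31 23:59:59 2016 GMT"},
    {"device": "ssl-inspect-02", "role": "tls-inspection", "fail_mode": "closed",
     "not_after": "Sep 30 23:59:59 2017 GMT"},
    {"device": "web-lb-01", "role": "load-balancer", "fail_mode": "closed",
     "not_after": "Dec 31 23:59:59 2018 GMT"},
]


def expiry_utc(not_after):
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def severity_for(item, days_left):
    """Expired certs on fail-open inspection devices outrank everything else."""
    if days_left < 0:
        inspects = item["role"] == "tls-inspection"
        fails_open = item["fail_mode"] == "open"
        return "critical" if inspects and fails_open else "high"
    return "medium"


def evaluate(inventory, now=None, warn_days=90):
    """Return findings for expired or soon-expiring certificates, worst first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for item in inventory:
        days_left = (expiry_utc(item["not_after"]) - now).days
        if days_left > warn_days:
            continue  # healthy; nothing to report
        findings.append({
            "device": item["device"],
            "status": "expired" if days_left < 0 else "expiring",
            "days_left": days_left,
            "severity": severity_for(item, days_left),
            "fail_mode": item["fail_mode"],
        })
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["days_left"]))


if __name__ == "__main__":
    # Fixed reference date so the sample output is reproducible.
    for finding in evaluate(INVENTORY, now=datetime(2017, 7, 29, tzinfo=timezone.utc)):
        print(finding)
```

Run against a fixed date in July 2017, the constructed inventory yields a critical finding for the fail-open inspection device whose certificate expired long before, and a medium finding for the fail-closed one expiring within the 90-day warning window. The load balancer is not reported.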
Equifax updated these certificates and almost immediately saw data leaving their environment for 35 different IP addresses in China. This is when the door was opened for the investigation: they shut down the ACIS service and went into breach mode.