Equifax

Overview

The Equifax breach was made public in September of 2017 and exposed the sensitive personal informationof nearly 143 million people. Attackers exploited an Apache Struts vulnerability in Equifax's website to gain access to the company's database, where names, Social Security numbers, birth dates, addresses,and other personal information was harvested. The breach was undetected for several months, which allowed attackers to extract this massive amount of data. Equifax faced criticism for the handling of the breach for a number of reasons. When Equifax had discovered the breach, they failed to report it immediately. Additionally, a number of other poor security practices, such as the use of default passwords, were discovered. This breach in particular raised significant concerns about cybersecurity practices within the finance industry and highlighted the consequences of failing to protect consumer data.

Vulnerability Details

Attackers exploited the vulnerability CVE-2017-5638 in the Apache Struts web application framework. This vulnerability allowed remote attackers to execute arbitrary code on the target server by sending specially crafted HTTP requests containing malicious Content-Type headers, which would then be mishandled by the server. The attackers exploited this exact vulnerability to gain access to Equifax's systems and subsequently exfiltrate sensitive data from the company's databases. This vulnerability's CVSS (Common Vulnerability Scoring System) score was rated a 10, which is the highest score possible, indicating its severity. Despite this severity, Equifax's web server would still be vulnerable two months later after its discovery, ultimately leading to the breach.

Lab Terminal

In this terminal activity, students will examine how a single unpatched web application vulnerability can lead to a large-scale data breach, using the 2017 Equifax incident as context. The exercise focuses on exploiting an Apache Struts flaw similar to the one attackers used to gain access to Equifax's databases and exfiltrate sensitive personal information. Students will interact with a simulated Apache Tomcat server, send test packets to verify connectivity, analyze exploit code, and execute the provided script to observe privilege escalation. By reviewing outputs such as the result of the whoami command, students will see firsthand how an attacker can obtain unauthorized access to backend systems. This activity reinforces the importance of timely patch management, secure software configuration, and regular vulnerability testing to prevent breaches that can compromise millions of records.

Instructions:

  • Use the help command to explore available commands.
  • Assume we know the Apache Tomcat server to be running at the local IP address 192.168.1.58 on port 8443.
  • First, send a test packet to the web server and confirm the response: curl --location --request GET https://192.168.1.58:8443/struts2-showcase/showcase.action -k -I.
  • Examine the exploit code snippet that is used within the script: cat exploit.txt.
  • Run the exploit script and view the outputs:
    • ./runexploit.sh pwd
    • ./runexploit.sh ls
    • ./runexploit.sh whoami.
  • Think about the significance of the output of the whoami command in particular.

Review Questions

What is Apache Struts?
A critical vulnerability is found in software that your organization uses. When should you update to the latest secure patch?
Why is it important to act immediately upon the discovery of a breach?
What did the Apache Struts Vulnerability CVE-2017-5638 take advantage of?
What are examples of sensitive personal information?