Equihax: fact enabled wild speculation

A timeline and some speculation

Equifax got a lot of bad press for their terrible cybersecurity, which was true in the main but false in the particulars. They were slow to patch, but (if they were using Oracle products) the patch wasn't available until a month after the compromise. They had a security executive with a degree in music, although she had years of relevant work experience in executive roles for auditing and security. They spent heavily on cybersecurity fads (next-generation, paradigm-shifting unknown-malware detection; mobile device management solutions to virtualise access to company resources), but they absolutely lacked the fundamentals.

Timeline of events:

2017-03-06: Apache announces Struts bug

Speculation

What this looks like to me is a bunch of web app hackers who used a fresh PoC exploit to mass hack everything they could find. Then, while going through their hacked logs, they discover they have an interesting victim. They turn their attention to it and start working on getting deeper into the environment (this is around the 13th, so a couple of days after they popped a shell). I'm guessing that what happened was they went on a bit of a rampage inside the DMZ area popping all the shells they could. Then they assembled some Rube Goldberg webshell machine to exfil data from the various databases, including, apparently, legacy databases.

The important things are always simple. The simple things are always hard. The easy way is always mined. – Murphy’s Laws of Enterprise Information Security.

Questions

  1. If this was a nation state, why did it take 3 days from release of the public exploit to compromise Equifax? If they were a target, the software would've been mapped during recon and the exploit used immediately.
  2. If this was a nation state, why did it take 3 days from compromise before the data was exfiltrated? Why was the exfiltration done via a network of webshells and not more advanced nation-state capabilities? Webshells are noisy and suggest the inability to escalate privileges.
  3. If this was criminals, why aren't they selling the data?
  4. How come Equifax's security team didn't notice the 30 webshells when they patched the compromised boxes 2 months into the breach? They were clearly patching the systems that got hacked, working on systems that were being patched months after a heavily exploited bug was released… didn't they notice anything unusual at all? Like huge access.log files? Or 30 webshells?
  5. Why did Equifax discover the compromise on a weekend at the end of the month, rather than during business hours? This suggests it was a web developer or sys admin updating the website for a fall season promotion, rather than a routine part of the infosec group’s compromise detection/threat hunting/looking for 30 webshells…
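A detection check in the spirit of question 4, added here as an example and not part of the original post: it scans constructed access-log lines for paths that accept POSTs but are absent from a (hypothetical) deployment manifest, and for paths that return very large responses. The log layout, the DEPLOYED manifest and the sample lines are all assumptions.

```python
import re
from collections import defaultdict

# Apache/Tomcat "combined"-style access log line; the layout is an assumption.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)')

def find_webshell_candidates(lines, deployed_paths, min_posts=3, big_resp=1_000_000):
    # Returns {path: [reasons]}: paths that accept POSTs but are not in the
    # deployment manifest (a dropped file), or that serve very large responses
    # (possible bulk exfil). Only successful (2xx) requests are counted.
    posts, ips, max_bytes = defaultdict(int), defaultdict(set), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        path = m["path"].split("?", 1)[0]       # drop the query string
        ips[path].add(m["ip"])
        max_bytes[path] = max(max_bytes[path], int(m["bytes"]))
        if m["method"] == "POST":
            posts[path] += 1
    findings = {}
    for path in ips:
        reasons = []
        if path not in deployed_paths and posts[path] >= min_posts:
            reasons.append("%d POSTs from %d client IP(s) to a path missing from the deployment manifest" % (posts[path], len(ips[path])))
        if max_bytes[path] >= big_resp:
            reasons.append("response of %d bytes exceeds %d" % (max_bytes[path], big_resp))
        if reasons:
            findings[path] = reasons
    return findings

# Constructed sample log (not Equifax data); DEPLOYED is a hypothetical manifest.
DEPLOYED = {"/", "/index.action", "/login.action", "/static/app.js"}
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2017:02:11:09 +0000] "GET /index.action HTTP/1.1" 200 5120
198.51.100.9 - - [13/May/2017:03:40:01 +0000] "POST /login.action HTTP/1.1" 200 1240
198.51.100.9 - - [13/May/2017:03:40:02 +0000] "POST /login.action HTTP/1.1" 200 1240
198.51.100.9 - - [13/May/2017:03:40:03 +0000] "POST /login.action HTTP/1.1" 200 1240
192.0.2.44 - - [13/May/2017:04:01:00 +0000] "POST /img/cache.jsp HTTP/1.1" 200 312
192.0.2.44 - - [13/May/2017:04:01:31 +0000] "POST /img/cache.jsp HTTP/1.1" 200 298
192.0.2.44 - - [13/May/2017:04:02:05 +0000] "POST /img/cache.jsp HTTP/1.1" 200 2400000
192.0.2.44 - - [13/May/2017:04:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 210
""".splitlines()
```

Running it over SAMPLE_LOG flags only /img/cache.jsp, on both counts; the legitimate login POSTs and the 404 are ignored.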
