The latest report from the U.S. Government Accountability Office (GAO) claims it took Equifax 76 days to detect the massive 2017 data breach, despite hackers having made over 9,000 unauthorized queries on its databases.

Last May, malicious actors exploited a known security vulnerability in the Apache Struts development framework (specifically Apache Struts CVE-2017-5638) to gain unauthorized access to Equifax systems. The attackers made off with the personally identifiable information (PII) of over 145 million customers, the majority of whom resided in the U.S., with a small number in the UK and Canada. Those affected by the breach had their Social Security numbers, birth dates, email addresses, postal addresses, driver's license numbers, payment information, and other data compromised in the attack.

Now, just over a year after the breach went public, the GAO has published a detailed report of its investigation. The report states that hackers began scanning the company’s systems just days after the security vulnerability was made public. One system affected in the attack was an online dispute portal, on which the hackers were able to execute system-level commands and query tens of databases in search of PII. The GAO claims the hackers executed over 9,000 database queries, some of which returned personal information.

Not only did Equifax’s security team fail to detect the Struts vulnerability in the online portal, they also failed to detect the attackers once they had gained access. The breach was ultimately discovered by a network administrator conducting routine checks of the operating systems and configuration of IT systems. During the routine check, he discovered a misconfigured piece of equipment that had allowed the attackers to communicate with compromised servers and steal data belonging to 145 million customers without detection. Specifically, while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected.

The misconfiguration was caused by a digital certificate that had expired 10 months before the massive breach, which allowed the hackers to run commands and exfiltrate data over an encrypted connection without detection.
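An expired certificate on a traffic-inspection device is a failure mode that is easy to monitor for, yet it went unnoticed for ten months. The Go program below is an added example written for this article; it is not code from NNT, the GAO report or Equifax. It assumes the inspection device's certificate has been exported as PEM (here, constructed self-signed certificates stand in for it) and shows two things: an expiry check with a warning window, and a health check that treats an expired or unparsable certificate as "inspection is not happening" rather than silently passing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus summarises the expiry check of one inspection-device certificate.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	Expired  bool // now is at or past NotAfter
	Warn     bool // not yet expired, but NotAfter falls inside the warning window
}

// CheckPEMCert parses a PEM-encoded certificate and evaluates it against now.
// A parse failure is returned as an error so the caller treats the device as
// "not inspecting" instead of assuming everything is fine.
func CheckPEMCert(pemBytes []byte, now time.Time, warnWindow time.Duration) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	st := CertStatus{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter}
	st.Expired = !now.Before(cert.NotAfter)
	st.Warn = !st.Expired && now.Add(warnWindow).After(cert.NotAfter)
	return st, nil
}

// InspectionHealthy reports whether the inspection path can be trusted: only a
// parsable, unexpired certificate counts. An expired or unreadable certificate
// is exactly the condition that let encrypted traffic bypass inspection, so it
// must surface as a failed health check, never as "no data".
func InspectionHealthy(pemBytes []byte, now time.Time) bool {
	st, err := CheckPEMCert(pemBytes, now, 0)
	return err == nil && !st.Expired
}

// selfSignedPEM builds a constructed, self-signed certificate with the given
// validity window. It stands in for a certificate exported from a real device.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	day := 24 * time.Hour
	// Constructed inventory (hypothetical host names): one certificate that
	// expired ten months ago, one expiring in two weeks, one good for a year.
	inventory := map[string][]byte{
		"tls-inspection-01.example": selfSignedPEM("tls-inspection-01.example", now.Add(-700*day), now.Add(-300*day)),
		"tls-inspection-02.example": selfSignedPEM("tls-inspection-02.example", now.Add(-350*day), now.Add(14*day)),
		"tls-inspection-03.example": selfSignedPEM("tls-inspection-03.example", now.Add(-10*day), now.Add(365*day)),
	}
	for name, pemBytes := range inventory {
		st, err := CheckPEMCert(pemBytes, now, 30*day)
		switch {
		case err != nil:
			fmt.Printf("%s: CRITICAL cannot parse certificate: %v\n", name, err)
		case st.Expired:
			fmt.Printf("%s: CRITICAL expired on %s, traffic is NOT being inspected\n", name, st.NotAfter.Format("2006-01-02"))
		case st.Warn:
			fmt.Printf("%s: WARNING expires %s, renew now\n", name, st.NotAfter.Format("2006-01-02"))
		default:
			fmt.Printf("%s: OK valid until %s\n", name, st.NotAfter.Format("2006-01-02"))
		}
	}
}
```

In practice the inventory would be fed from the devices themselves (or a certificate inventory tool) and the check scheduled daily; the design point is that the device's own failure to inspect is reported as a critical condition by an independent check, instead of being inferred from the absence of alerts.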

The investigation into the breach revealed that Equifax had failed to implement proper network segmentation, which allowed the attackers to reach several other databases beyond those related to the online dispute portal they had originally compromised. A second problem highlighted in the report is that credentials for accessing multiple databases were stored in one database without being encrypted. The GAO also pointed out that the 9,000 queries run by the hackers showed the lack of any restriction on the frequency of database queries; measures should have been in place to limit this number.
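The GAO's point about query frequency is as much a detection problem as a prevention one: 9,000 queries from one application account, spread across many databases, is a pattern that stands out in a database audit log. The Go program below is an added example, not code from NNT or the GAO report. It assumes a constructed audit-log line format of "timestamp source database statement" (hypothetical account and database names) and shows a sliding-window rate check that flags any source whose busiest window exceeds a query budget, together with how many distinct databases that source touched in the window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// QueryEvent is one parsed record from a (constructed) database audit log.
type QueryEvent struct {
	When   time.Time
	Source string // principal or application account that issued the query
	DB     string // database the query touched
}

// Alert describes one source whose busiest window exceeded the query budget.
type Alert struct {
	Source    string
	Start     time.Time // first query of the busiest window
	Count     int       // queries inside that window
	Databases int       // distinct databases touched inside that window
}

// ParseAuditLine parses the constructed format "<RFC3339> <source> <database> <statement...>".
func ParseAuditLine(line string) (QueryEvent, error) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return QueryEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return QueryEvent{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	return QueryEvent{When: ts, Source: f[1], DB: f[2]}, nil
}

// LoadEvents parses every line, failing on the first malformed record.
func LoadEvents(lines []string) ([]QueryEvent, error) {
	var events []QueryEvent
	for _, l := range lines {
		e, err := ParseAuditLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// DetectBursts finds, per source, the sliding window of the given length that
// holds the most queries and raises an Alert when that count exceeds limit.
func DetectBursts(events []QueryEvent, window time.Duration, limit int) []Alert {
	bySource := map[string][]QueryEvent{}
	for _, e := range events {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var alerts []Alert
	for src, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		best := Alert{Source: src}
		start := 0
		for end := range evs {
			// Slide the left edge forward until the window fits.
			for evs[end].When.Sub(evs[start].When) >= window {
				start++
			}
			if n := end - start + 1; n > best.Count {
				dbs := map[string]struct{}{}
				for _, e := range evs[start : end+1] {
					dbs[e.DB] = struct{}{}
				}
				best = Alert{Source: src, Start: evs[start].When, Count: n, Databases: len(dbs)}
			}
		}
		if best.Count > limit {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Count > alerts[j].Count })
	return alerts
}

// SampleAuditLog returns constructed log lines: two application accounts doing
// routine work, then one of them issuing a burst across six databases.
func SampleAuditLog() []string {
	base := time.Date(2017, 5, 13, 10, 0, 0, 0, time.UTC)
	var lines []string
	for i := 0; i < 5; i++ {
		ts := base.Add(time.Duration(i) * time.Minute).Format(time.RFC3339)
		lines = append(lines, ts+" billing-svc billing SELECT ...", ts+" portal-svc disputes SELECT ...")
	}
	dbs := []string{"disputes", "customers", "credit_files", "employment", "identity", "payments"}
	burst := base.Add(time.Hour)
	for i := 0; i < 30; i++ {
		ts := burst.Add(time.Duration(2*i) * time.Second).Format(time.RFC3339)
		lines = append(lines, fmt.Sprintf("%s portal-svc %s SELECT ...", ts, dbs[i%len(dbs)]))
	}
	return lines
}

func main() {
	events, err := LoadEvents(SampleAuditLog())
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBursts(events, 5*time.Minute, 20) {
		fmt.Printf("ALERT %s: %d queries across %d databases within 5m starting %s\n",
			a.Source, a.Count, a.Databases, a.Start.Format(time.RFC3339))
	}
}
```

The window length and limit are the tunable budget the GAO says was missing; the distinct-database count is what separates a busy but legitimate portal account from one that has suddenly started reading credit, employment and payment data it never touched before, which is the segmentation failure described in the same paragraph.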

In addition to the GAO’s recommended security best practices, NNT recommends hardening all systems from the start in order to maintain system integrity. Hardening your systems allows your organization to eliminate or mitigate all known security vulnerabilities, making them hack-proof. Maintaining a hardened environment and vulnerability management are closely linked to tight change control. Any change made to your configurations could introduce vulnerabilities into your IT environment, so visibility and control of changes is an essential security best practice.

The NNT recommended Change Control process starts by introducing NNT Change Tracker Gen7 into the IT environment, but for the best results we strongly suggest including NNT FAST Cloud (File Approved Safe Technology). FAST Cloud leverages external intelligence and whitelisting facilities to automatically approve the validity of file changes as they occur, significantly reducing the amount of ‘change noise’ often associated with change control.

If you’re interested in learning more about the NNT recommended change control program, click here: https://www.newnettechnologies.com/nnt-recommended-change-control-program.html

Copyright 2024, New Net Technologies LLC. All rights reserved.