Equifax’s Servers Reportedly Had Glaring Holes Long Before Data Breach

Equifax reportedly took six months to take down a publicly exposed web application that could have allowed anyone on the internet to search and download sensitive personal consumer data.

VICE Motherboard reported Thursday that an unnamed security researcher alerted Equifax about the exposed application in December 2016, but the company didn’t take steps to secure it until June.

A month later, in July, Equifax discovered a security breach on a different website—its consumer dispute portal—enabled by a vulnerability left unpatched in Apache Struts. That oversight led to the compromise of personal data of over 145 million Americans.

The unnamed researcher told Motherboard that the exposed application, which was probably intended to be used by employees only, was discovered through forced browsing and didn’t require any authentication. It had various search fields that allowed viewing customer information, the researcher said, adding that it would have taken around 10 minutes to download Equifax’s entire customer base.

The researcher also claimed to have found other Equifax servers vulnerable to SQL injection or running outdated software and even said they gained shell access to some of them.

Motherboard cited unnamed former Equifax employees who confirmed that security was not a top priority at the company and that an outside security audit performed by Deloitte in 2016 revealed patching deficiencies and other problems.

Equifax did not immediately respond to a request for comment.

Bad Rabbit Ransomware Also Spreads Through SMB Exploit

After initial reports that the Bad Rabbit ransomware only spreads on local networks via weak or stolen credentials, security companies have now found evidence that the malware also uses one of the SMB exploits leaked by Shadow Brokers earlier this year.

This new twist adds to the existing similarities between Bad Rabbit and NotPetya, including at the code level, and reinforces the theory that they were created by the same group. However, Bad Rabbit appears to be much more refined than NotPetya and functions as a proper ransomware program, whereas NotPetya had implementation errors that made encrypted data completely unrecoverable.

Researchers from Cisco Systems’ Talos division and antivirus vendor F-Secure confirmed Thursday that Bad Rabbit contains the EternalRomance exploit, which targets a vulnerability in the Windows implementation of SMB version 1 (CVE-2017-0144).

The exploit leaked in May by Shadow Brokers was part of a cache of exploits that are widely believed to have been developed by the U.S. National Security Agency.

Microsoft patched EternalRomance along with other SMB exploits (EternalBlue, EternalChampion and EternalSynergy) that were part of the same cache in the MS17-010 security bulletin. Following the NotPetya attacks in June, which exploited EternalBlue in addition to EternalRomance, Microsoft took the unusual step of backporting the MS17-010 patches to Windows XP and other Windows versions that were no longer supported.

“We can be fairly confident that Bad Rabbit includes an EternalRomance implementation used to overwrite a kernel’s session security context to enable it to launch remote services, while in Nyetya [NotPetya] it was used to install the DoublePulsar backdoor,” the Cisco Talos researchers said in an update to their Bad Rabbit analysis. “Both actions are possible due to the fact that EternalRomance allows the attacker to read/write arbitrary data into the kernel memory space.”

Microsoft has been trying for years to get companies to stop using SMBv1 on their networks but, despite these efforts, usage of this old protocol is still widespread. While the spread of Bad Rabbit appears to have slowed down, the outbreak itself should serve as a warning: SMBv1 was written long before there were modern secure programming practices and its code has been a source of serious vulnerabilities for years. It’s very likely that there are many more undiscovered flaws in SMBv1 that could be exploited to launch hybrid ransomware worms.
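Before SMBv1 can be switched off, a defender needs to know which hosts still serve it and which clients still depend on it. The following PowerShell audit is an added example, not code from the article or from any of the vendors it cites; it assumes Windows 8.1 / Server 2012 R2 or later (SmbShare module), an elevated session, and Windows 10 / Server 2016 or later for the SMB1 access-auditing switch.

```powershell
# Added example (not from the article): audit SMBv1 on a Windows host and,
# only when -Disable is passed, turn the server-side protocol off.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
param(
    [switch]$Disable
)

# 1. Is the SMBv1 server protocol still enabled here?
$cfg = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled: {0}" -f $cfg.EnableSMB1Protocol)

# 2. Which clients still negotiate an SMB1 dialect (1.x)? Those sessions would
#    break the moment SMB1 is removed, so list them before remediating.
#    Unparseable dialect strings are listed too, for manual review.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object {
    $v = $_.Dialect -as [version]
    (-not $v) -or ($v.Major -lt 2)
} | Select-Object ClientComputerName, ClientUserName, Dialect

if ($legacy) {
    Write-Warning "Active SMB1 sessions found; these clients need attention first:"
    $legacy | Format-Table -AutoSize
} else {
    Write-Host "No active SMB1 sessions."
}

# 3. Outbound side: is the SMB1 client component still installed?
#    (Optional-feature name used on Windows 10 / 11 client SKUs.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host ("SMB1Protocol optional feature state: {0}" -f $feature.State) }

# 4. Remediate only when asked. Otherwise enable SMB1 access auditing so that
#    the Microsoft-Windows-SMBServer/Audit log (event ID 3000) records any
#    remaining SMB1 clients over the coming days (Windows 10 / Server 2016+).
if ($Disable) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMB1 server protocol disabled."
} else {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host "SMB1 left enabled; SMB1 access auditing turned on (event ID 3000)."
}
```

Run it without `-Disable` first, watch the audit log for a few days, and only then rerun with `-Disable` on hosts that show no SMB1 clients.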

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
