An Update on the Equifax Data Breach

Digital Shadows Analyst Team
September 13, 2017 | 8 Min Read

The credit reporting agency Equifax reported on September 7th that it had been breached. On Friday we outlined what we knew at the time, which was replete with intelligence gaps. Five days have gone by and some of those gaps have now been filled. Here is what we know so far, and what can be learned from the Equifax breach.

Figure 1 – Timeline of events surrounding the Equifax breach

RECENT DEVELOPMENTS

Threat Actor Claims

There have been at least two claims by financially motivated threat actors: one made an extortion demand and claimed to possess the stolen data; the other offered web shell access to an Equifax server for sale. Neither claim could be verified, and the available evidence did not allow us to judge whether either was genuine.

1. Extortion attempt

A Tor hidden service was set up on or around September 8th, on which its operators claimed to have obtained the Equifax data and to be trying to monetize it. They priced the data at 600 Bitcoin (approximately USD 2.7 million at the time), justifying the figure by alleging that Equifax executives had made USD 3 million from insider trading before the breach was made public. The operators set a deadline of September 15th for the ransom demand, saying they would delete the data if it was paid and release it publicly if it was not. At the time of writing these claims had not been confirmed; the site was no longer reachable and the contact email address had been disabled.

Figure 2 – Statement on the Tor hidden service

On September 11th, an actor using the same nickname, “pasthole”, claimed on Pastebin that a portion of the data had been sold to an unidentified buyer. The actor also said they were responsible for the Tor hidden service previously used to announce the extortion attempt against Equifax. An email address and PGP key were included in the post, but neither provided a direct link between the now-offline Tor hidden service and the Pastebin post. None of the claims in the post could be substantiated at the time of writing.

2. Web shell access offered for sale

On September 8th, an actor known as “1x0123” claimed to have gained web shell access to an Equifax server and subsequently offered this access for sale. In the initial post to their Twitter account, 1x0123 included a screenshot of what appeared to be a listing of Equifax subdomains, allegedly being accessed through the Equifax website. In a follow-up post, 1x0123 offered access to the web shell in exchange for 1 Bitcoin (BTC) and supplied a Jabber ID for contact. Based on the screenshot, it appeared that they were using the WSO web shell, a popular tool in certain hacking communities. We found no evidence that the alleged web shell access was genuine. The screenshot below shows the post made by the actor, who redacted the image themselves.

Figure 3 – Claim made by 1x0123

Apache Struts Touted As The Web Application Vulnerability

In its breach disclosure, Equifax stated only that a web application vulnerability had been exploited, resulting in the data breach. Media reports have since alleged that the vulnerability was in Apache Struts. These reports followed the publication of an equity research report by Robert W. Baird & Co., which claimed an Equifax representative had told the firm that Apache Struts was exploited to access the compromised information. None of this could be confirmed at the time of writing.

Criticisms Leveled Towards Equifax’s Response

1. Executives sold shares prior to disclosure

Three Equifax Inc. senior executives reportedly sold shares worth almost USD 1.8 million in total shortly after the company discovered the security breach on July 29th. The timing of these sales has led some to question whether the individuals dumped the shares because of the breach. Equifax, however, said the executives had not been informed of the breach before they sold the shares.

2. Equifax data breach checker

Equifax released a service designed to let individuals check whether they were affected by the breach, but multiple reports soon followed that it was returning incorrect results. A test by the media outlet ZDNet using fake names and social security numbers returned the result “may have been impacted”. Equifax acknowledged that some consumers who visited the site shortly after launch may not have received confirmation that they were impacted. Whether the breach checker was functioning correctly was not known at the time of writing.

3. Legal updates

Following complaints from consumer advocates about Equifax’s terms of service, the company announced that enrolling in its TrustedID monitoring service would not cause a user to forfeit their right to join a class action lawsuit against the company over the breach.

On September 8th, The Register also reported that two class action lawsuits had been filed against the company, in the US District Courts for Portland, Oregon and Northern Georgia. The lawsuits accuse Equifax of negligence and of violations of the U.S. Fair Credit Reporting Act. The complaint filed in Oregon reportedly seeks USD 70 billion in damages for residents of that state alone.

PLENTY OF INTELLIGENCE GAPS REMAIN

1. At the time of writing, it was not known exactly how many individuals were affected by this data breach.
2. Despite the claims made by two threat actors, the individual(s) responsible for this breach and their motivations were unknown.
3. Although Equifax stated that a web application vulnerability was exploited, the exact vulnerability is not known.

THE IMPACT TO EQUIFAX AND INDIVIDUALS

The breach has had a demonstrably negative impact on Equifax, both reputationally and financially. As of September 13th, Equifax stock (EFX) was down USD 31.16 per share since the announcement of the breach. Data breaches routinely increase scrutiny of a company’s security posture, but the reporting on executives selling their shares, the lawsuits and the way Equifax handled its response have all likely degraded its brand reputation further.

The impact of this data breach on individuals depends largely on the motivation of the actors who obtained the data. For financially motivated actors, the exposed information would almost certainly be of high value for fraud: payment card details can be used to make fraudulent purchases, while personally identifiable information (PII) can be used for identity theft. Data of this kind is also frequently offered for sale or traded on criminal sites, which is another means of profiting from it. On September 8th the New York Post published an article stating that payment card fraud had “unexpectedly” spiked in August 2017. The article cited Liron Damri, co-founder of the fraud prevention service Forter, who assessed that the spike was likely tied to the Equifax breach and reportedly claimed a 15 percent increase in fraud attempts had been detected in August 2017. At the time of writing there was insufficient evidence to confirm a link between the Equifax breach and the increased fraud levels.

While debate continues as to whether the breach was caused by a “zero day” exploit targeting a previously unknown vulnerability or by a lapse in patching, the exact nature of the exploit is largely a side-show. The attack lifecycle model describes a series of stages that an attacker must traverse in order to achieve their goals:

1. Initial Reconnaissance
2. Initial Compromise
3. Establish Foothold
4. Escalate Privileges
5. Internal Recon
6. Move Laterally
7. Maintain presence
8. Complete Mission

Successful exploitation of an Apache Struts server accounts for only the earliest of these eight steps: the exploit itself is the “Initial Compromise”, and the web shell typically dropped with it provides the “Establish Foothold” stage. Everything the attacker needs in order to locate and extract the data still lies ahead.

To defend effectively, an organization needs prevention and detection mechanisms operating at every stage of the attack lifecycle. Patching a particular web application framework against known vulnerabilities cannot be assumed to be sufficient on its own.

Assuming that attackers will be able to penetrate the perimeter is the “assume breach” model, an essential part of a mature organization’s approach. In brief, the defender assumes that attackers have already breached the outer defenses and are moving within the internal network, which corresponds to steps four through eight of the attack lifecycle. A defender can then respond effectively by applying the principle of least privilege to reduce privilege escalation vectors, limiting the opportunities an attacker has to move laterally, detecting abnormal behavior, hunting for newly introduced persistence mechanisms, and monitoring the network for suspiciously large transfers to unknown systems outside the organization.

Combining these controls is “defense in depth”, and it is what makes an organization robust even against attackers wielding zero day exploits: a single exploited vulnerability then yields a foothold rather than the data.
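As an added example (not code from the original post, from Digital Shadows or from Equifax), the following Python script implements two of the assume-breach checks described above over constructed sample data: hunting web server access logs for the traffic pattern a dropped web shell leaves behind, of the kind the 1x0123 claim involved, and flagging unusually large transfers from internal hosts to unknown external systems. The record formats, the use of RFC 1918 space to define “internal”, the allowlist of known external destinations, the list of static directories, the per-host baseline and the thresholds are all assumptions chosen for illustration.

```python
"""Two assume-breach hunting checks over constructed sample data.

Added example, not part of the original post. Record formats, thresholds,
allowlists and directory lists are assumptions made for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "internal"; everything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: external hosts that legitimately receive bulk data (e.g. a backup provider).
KNOWN_EXTERNAL = {"203.0.113.10"}
# Assumption: web directories that should never serve server-side scripts.
STATIC_DIRS = ("/images/", "/css/", "/js/", "/uploads/")
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".aspx")

# Constructed sample flow records: "timestamp src dst dst_port bytes_out".
SAMPLE_FLOWS = """\
2017-09-01T02:11:05Z 10.1.5.23 203.0.113.10 443 734003200
2017-09-01T02:14:40Z 10.1.5.23 198.51.100.77 443 12800
2017-09-01T02:15:01Z 10.1.7.9 198.51.100.77 443 1600
2017-09-01T03:02:17Z 10.1.5.23 198.51.100.77 443 5368709120
2017-09-01T03:05:00Z 10.1.9.4 192.168.20.5 445 2147483648
2017-09-01T03:10:22Z 10.1.5.23 198.51.100.78 8443 734003200
"""

# Constructed sample web server access log (combined log format).
SAMPLE_ACCESS_LOG = """\
198.51.100.77 - - [01/Sep/2017:02:10:01 +0000] "POST /app/upload.action HTTP/1.1" 200 512 "-" "curl/7.55"
198.51.100.77 - - [01/Sep/2017:02:12:30 +0000] "POST /images/cache.jsp HTTP/1.1" 200 8931 "-" "curl/7.55"
10.1.7.9 - - [01/Sep/2017:02:13:00 +0000] "GET /app/index.action HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.77 - - [01/Sep/2017:02:13:45 +0000] "POST /images/cache.jsp HTTP/1.1" 200 120 "-" "curl/7.55"
198.51.100.90 - - [01/Sep/2017:02:20:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, method, path and status from a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def find_large_egress(flows, threshold_bytes, baseline=None, factor=10,
                      known_external=KNOWN_EXTERNAL):
    """Return sorted (src, dst, total_bytes) for internal hosts that sent more than
    max(threshold_bytes, factor * their usual volume) to an external destination
    not on the allowlist. `baseline` maps src -> typical bytes per period and is
    assumed to come from historical flow data."""
    baseline = baseline or {}
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external traffic matters for exfiltration
        if str(f["dst"]) in known_external:
            continue
        totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    alerts = []
    for (src, dst), total in totals.items():
        limit = max(threshold_bytes, factor * baseline.get(src, 0))
        if total >= limit:
            alerts.append((src, dst, total))
    return sorted(alerts)


def find_webshell_candidates(log_text):
    """Return sorted (client, path, hit_count) for successful POSTs to server-side
    script paths inside directories that should only hold static content: the
    access-log pattern left by a dropped web shell being driven remotely."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0].lower()
        if path.startswith(STATIC_DIRS) and path.endswith(SCRIPT_EXT):
            hits[(m["client"], path)] += 1
    return sorted((c, p, n) for (c, p), n in hits.items())


if __name__ == "__main__":
    for alert in find_large_egress(parse_flows(SAMPLE_FLOWS), 500 * 1024 * 1024):
        print("large egress:", alert)
    for hit in find_webshell_candidates(SAMPLE_ACCESS_LOG):
        print("web shell candidate:", hit)
```

Run stand-alone, the script reports two egress alerts for host 10.1.5.23 (its 700 MiB transfer to the allowlisted backup host is ignored) and one web shell candidate, the repeated POSTs to a .jsp file under /images/. Supplying a per-host baseline raises the limit for hosts that legitimately move large volumes, so that only the genuinely anomalous 5 GiB transfer remains flagged; in practice that baseline would be derived from historical flow data rather than hard-coded.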
