Equifax on FreeBuf.com, a Chinese security website

Equifax Inc. is a consumer credit
reporting agency. Equifax collects information on over 800 million individual
consumers and more than 88 million businesses worldwide, such as business firms,
banks and lenders, for free; it processes that data and sells the processed
information back to them. Along with the other two, viz. Experian and TransUnion,
Equifax is the 3rd largest credit reporting agency.

In September 2017, Equifax reported a massive data breach. It claims the
breach took place between mid-May and July 2017, a cyber-security
breach that compromised the most sensitive personal and financial data of more
than 145.5 million users. The data revealed in the hack includes names, Social
Security numbers, birth dates, addresses, and, in some cases, driver license


Nike Zheng, a Chinese cybersecurity researcher from Shanghai, exposed
a flaw in the Apache software package Apache Struts. Within merely a day
(zero-day exploit), the information was published on FreeBuf.com, a Chinese
security website, and soon after in Metasploit, a popular free hacking tool. On March
10, hackers came to know about Equifax’s vulnerability, and they soon
penetrated Equifax’s security. The hackers were finally noticed on July 29,
2017, but by that time the breach was so deeply embedded that the company was
forced to take the consumer complaint portal offline for 11 days, during which
the security team found and closed the backdoors the intruders had set up.


1) Discuss the type of security properties that were either
1) broken by adversaries, or 2) were missing from systems that allowed the
issue to occur.

Based upon the information provided by Nike Zheng, Apache
corrected the flaw in its software package, which carries the identifier “CVE-2017-5638”;
a patch for the vulnerability was released on March 7, 2017. Equifax stated that
the breach was facilitated by this flaw in the Apache Struts software package.
Although the security patch was released on March 7th, the company neglected to
apply it, which resulted in a massive data breach. This was not
the only attributable cause of the breach: other factors included an insecure
network design that lacked sufficient segmentation, a weakness that can easily be
prevented, potentially inadequate encryption of personally identifiable
information (PII), and ineffective breach detection mechanisms.


2) Discuss the power of the adversary that seemingly attacked
the system (or was believed to have attacked the system). Try and estimate a
dollar figure to determine how much it cost to launch the attack, and the level
of expertise required by the attackers, and the number of the attackers. If the
attack required specialized equipment or access, denote these, and then try and
estimate the cost.

Based upon the nature of the attack, it’s difficult to pinpoint a
particular perpetrator. The attackers were smart enough to avoid
using tools that investigators could easily use to trace known groups. One
of the hackers’ favorite hacking tools, “China Chopper”, has a Chinese
interface, but this tool is also used outside of China, as people
familiar with the malware have suggested. Many of the tools used were Chinese, and the Equifax
breach has a fingerprint similar to data security invasions of recent years that
were ultimately attributed to hackers working for Chinese intelligence. The Federal
Bureau of Investigation and U.S. intelligence agencies stated that it might be
a breach planned by a nation-state, but that it doesn’t point to China. Mandiant,
the security consulting firm hired by Equifax to investigate the breach, said
in a report distributed to Equifax clients on Sept. 19 that it didn’t have
enough data to identify either the attackers or their country of origin. The
adversaries left no trace to follow back, which conveys
that they are expert in breaching secure networks and expert in
programming as well.


Based upon the known facts, it’s not yet
possible to estimate the cost to launch the attack, as the Apache
Struts software package is licensed for free, tools like Metasploit and
China Chopper are freely distributed, and we also don’t have any clue about
the number of attackers or whether a nation-state has played any role in this