Here we go again: Yet another major breach exploiting a well-known vulnerability to which a patch was available long before the attack!
Criminals who potentially gained access to the personal data of up to 143 million Equifax costumers, exploited an Apache Struts CVE-2017-5638 vulnerability. The stolen data may include Social Security numbers, birth dates, driver’s licenses, addresses and 209,000 credit card numbers – all of which may now be putting these folks at identity theft risk for the rest of their lives.
Apache Struts is a widely used open source component – a framework for Web servers – used by companies in commercial and in-house systems to take in and serve up data. The use case of this open-source component makes it a prime target for cyberattacks.
The suspected vulnerability was disclosed on March 7 and the patch was available at the SAME time. But this is not a novelty. In fact, the availability of patches at the time of disclosure of vulnerabilities is a very common. According to Flexera Vulnerability Review 2017, patches were available at the time of disclosure for 81 percent of the vulnerabilities on 2016.
The real problem is that it takes users much longer to patch vulnerabilities than it takes hackers to start exploiting them. This is not an isolated case. Just remember the consequences of the WannaCry attacks back in May. These examples show that organisations continue to leave a wide-open window of opportunity for hackers to take advantage of.
The cause of this problem is that organisations aren’t prepared to act timely on vulnerabilities – and this is the important point which is probably being forgotten while the Equifax breach makes headlines: Equifax has already identified the breach and is taking care of it, but they are probably just the first known victims.
“Equifax is probably just the first known victim,” said Jeff Luszcz, Vice President of Product Management at Flexera.” Once a case like this hits the news, it ignites the fire in the cybercrime community and hackers start poking around for new opportunities. We should expect a long tail of incidents and breaches in the months – and potentially years – to come. As we still see attacks targeting Heartbleed, a vulnerability more than three years old.”
This episode is an important reminder for business leaders that it’s urgent to radically rethink the organisation’s vision of cybersecurity. The incidents we see day-in, day-out in the news reveal that it’s the neglection of basic security best practices and poor integration of security policies into operations processes that makes it easy for hackers to be successful in their attacks – and makes it hard for security professionals to stop the attacks.
“Patching this type of vulnerability is certainly not as simple as patching a desktop application,” said Kasper Lindgaard, Senior Director of Secunia Research at Flexera. “When it comes to vulnerabilities affecting the software supply chain, it’s important to align software design and engineering, operational and security requirements. This isn’t an easy task. However, the time frames of initial disclosure of the vulnerability and its patch on March 7 – up to two months before the first reported unauthorised access at Equifax, and the further delay of the actual detection of the breach on July 29 – currently indicates that the vulnerability was not handled with the priority that it should have. This is a common issue across industries that business leaders need to address rather sooner than later.”
This attack highlights the need for organisations to identify their risk windows and implement strategies to reduce the risks of a breach like the one affecting Equifax.
Flexera is uniquely positioned to help organisations, software suppliers and buyers address the challenges that give hackers these large windows of opportunity. The company enables them track the open source components in their systems, and provides timely vulnerability intelligence for understanding risk and prioritisation – with tools to simply the processes of remediation.