The United States Department of Justice has identified and charged four members of the Chinese military with hacking Equifax to steal private data on over 145 million individuals. A state actor had already been suspected, since the stolen data has never turned up for sale on the dark web.
China has since denied responsibility over the attack through foreign ministry spokesperson Geng Shuang: "The Chinese government, military and relevant personnel never engage in cyber theft of trade secrets."
A crucial distinction for developers and architects is that attribution often does not matter. Once an application is hacked and data is stolen, that data is gone, and the organization that was hacked is financially responsible for any clean-up. For software, the primary areas of focus are detection (knowing when and where security issues or CVEs exist) and prevention (protecting against or patching those issues).
The four allegedly compromised Equifax through the company's failure to identify and patch a known vulnerability in the Apache Struts library. Because the library was never updated in the running application, the attackers were able to access the system, move laterally across other environments and ultimately exfiltrate the data. The Apache Software Foundation issued an official statement on the availability of its security patch and the failure to apply it, and included recommendations for other organizations that do not wish to be hacked:
- Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.
- Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.
Two sets of tools help development teams identify where these types of vulnerabilities exist in their code. By using both, Software Composition Analysis and Runtime Application Self Protection, development teams can more quickly identify flaws and roll out updates to minimize the window of exposure. The four members of China's military carried out their heist in the window after the vulnerability became known:
- CVE-2017-5638 was publicly disclosed on March 10, 2017.
- The breach occurred in May, approximately three months after public disclosure.
- Equifax discovered the breach towards the end of July.
- Official statements were released by Equifax and Apache in September.
If the application using the insecure library had been patched following the vulnerability disclosure, this attack would not have worked, and determined attackers would have had to spend more effort locating a different vulnerable path.
Software Composition Analysis (SCA) is a technique that helps teams track where different libraries are used and where CVEs are located. As new vulnerabilities are discovered, these systems use that inventory to pinpoint which applications need to update which libraries in order to avoid exploitation. Development teams can then update the application's libraries and roll a patched version into production, typically through CI/CD controls.
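As an added illustration (not code from this article or from any SCA product), here is a small Python check that does the core of what SCA does: match each application's dependency inventory against a vulnerability feed of affected-version ranges and report which application must upgrade which library, and to what. The application names, versions and affected ranges are constructed sample data, not the authoritative data for the Struts advisory.

```python
"""Minimal SCA check (constructed example): match each app's dependency
inventory against a feed of affected-version ranges and report upgrades."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31). Tuple comparison avoids the classic SCA bug where
    string comparison ranks '2.3.9' above '2.3.31' and misses a vulnerable version."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    coordinates: str  # Maven group:artifact
    introduced: str   # first affected version (inclusive)
    fixed: str        # first patched version (exclusive) and the upgrade target


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan(inventory: dict[str, dict[str, str]], feed: list[Advisory]) -> dict[str, list[dict]]:
    """inventory: app name -> {group:artifact: version}. Returns, per app, the
    CVE, the vulnerable library, its current version and the version to move to."""
    findings: dict[str, list[dict]] = {}
    for app, deps in inventory.items():
        for coords, version in deps.items():
            for adv in feed:
                if adv.coordinates == coords and is_affected(version, adv):
                    findings.setdefault(app, []).append(
                        {"cve": adv.cve, "library": coords,
                         "current": version, "upgrade_to": adv.fixed})
    return findings


# Constructed feed: the CVE id is the one from the article, but these affected
# ranges are illustrative sample data, not the authoritative advisory.
FEED = [
    Advisory("CVE-2017-5638", "org.apache.struts:struts2-core", "2.3.5", "2.3.32"),
    Advisory("CVE-2017-5638", "org.apache.struts:struts2-core", "2.5", "2.5.10.1"),
]
# Constructed inventory of three hypothetical internal applications.
INVENTORY = {
    "customer-portal": {"org.apache.struts:struts2-core": "2.3.30"},
    "dispute-api": {"org.apache.struts:struts2-core": "2.5.10"},
    "batch-jobs": {"org.apache.struts:struts2-core": "2.3.32"},
}

if __name__ == "__main__":
    for app, hits in scan(INVENTORY, FEED).items():
        for h in hits:
            print(f"{app}: {h['library']} {h['current']} -> {h['upgrade_to']} ({h['cve']})")
```

In practice the inventory comes from the build's resolved dependency graph (including transitive dependencies) and the feed from a CVE data source, but the matching logic and the version-ordering pitfall are the same.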
The other technique, Runtime Application Self Protection (RASP), offers a mitigating control for organizations that maintain defense in depth or cannot upgrade the software in a timely manner. Unlike traditional Web Application Firewall (WAF) defenses, which are unaware of what they defend, RASP works inside the application and defends APIs with context about what it is protecting. Many techniques can bypass WAFs, and attacks such as the deserialization exploit of CVE-2017-5638 are typically not caught by them. Deserialization attacks work by exploiting the object hierarchy and making the runtime execute arbitrary code as part of deserializing the object. While the particular payload used against Equifax is undisclosed, many attackers use tools such as ysoserial or ysoserial.net, as well as GadgetProbe, to execute arbitrary commands against Java and .NET applications that deserialize user input. Rather than relying on layer-7 network signatures for an unknown class hierarchy, RASP uses techniques such as instrumentation to monitor inside APIs as data is deserialized, trapping sensitive methods at their entry point before the method body executes.
Although charges have been filed, the outcome is unclear, as China does not have an extradition treaty with the United States.