Equifax has confirmed that a web server vulnerability in Apache Struts that it failed to fix months ago was to blame for the data breach. The company said that attackers used an Apache Struts security flaw to hack its servers.
Equifax said:
“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Apache Struts is a free open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers.
This particular vulnerability enables a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data.
The company is currently giving free credit-monitoring and identity theft security services for users who are affected by the massive data breach and has also enabled a security freeze for access to people’s data.
