Last week, Equifax, one of the three largest credit reporting agencies in the U.S., announced that hackers had invaded company servers and made off with the private information of more than 143 million customers, The New York Times reported. The revelation shocked most Americans and sent millions running to their computers to initiate credit freezes.
"This is about as bad as it gets," Pamela Dixon, executive director for the nonprofit research firm World Privacy Forum, told the newspaper. "If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent."
Just how did cybercriminals manage to orchestrate this massively disruptive and possibly lucrative attack? It appears they entered Equifax's internal systems via a vulnerability in Apache Struts, according to post-breach research from Baird Equity Research. This is the second large-scale breach incident involving the Java application development framework. Back in March, cybercriminals used an Apache Struts vulnerability to corrupt a number of open-source projects. However, while that attack led to relatively few demonstrable breaches, the strike directed at Equifax has resulted in the leak of an immense amount of information.
"An estimated 65 percent of Fortune 100 enterprises use the vulnerable Apache Struts application development framework."
Addressing widespread risk
While analysts for Baird provided an in-depth look at the hack and discussed the credit reporting firm's response, they did not identify which vulnerability was used to enter its systems. So far this year, data security specialists have pinpointed two separate Apache Struts vulnerabilities, Quartz reported. One of the two flaws has existed since 2008. Both vulnerabilities put Apache Struts users at great risk. Which enterprises use the framework to create Java applications? The list is long, according to a recent report from the code review company lgtm.
"At least 65 percent of the Fortune 100 companies are actively using web applications built with the Struts framework," the authors of the report said. "Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader's Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework. This illustrates how widespread the risk is."
Finding a suitable solution
How can organizations like Equifax protect their Java-based builds produced using Apache Struts and other development frameworks? Applying security patches consistently is a viable option. Of course, this is no easy task, as Java gatekeepers like Oracle release new fixes regularly. In the end, abandoning Java on the server altogether is perhaps the best long-term option, but it is costly and will take time.
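Consistent patching starts with knowing which builds pull in Struts and at what version. The script below is an added example, not code from the article or from any company it cites: it walks Maven pom.xml files, resolves `${property}` version references, and flags org.apache.struts artifacts below a minimum patched version. The pom contents and the "2.5.13" floor are constructed placeholders; the real floor comes from the Apache Struts advisory being acted on.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample build files (not from the article): one module pins
# Struts through a property, the other pins the version directly.
SAMPLE_POMS = {
    "billing/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.20</struts.version></properties>
  <dependencies><dependency><groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId><version>${struts.version}</version>
  </dependency></dependencies></project>""",
    "portal/pom.xml": """<project><dependencies><dependency>
    <groupId>org.apache.struts</groupId><artifactId>struts2-rest-plugin</artifactId>
    <version>2.5.13</version></dependency></dependencies></project>""",
}

def _local(tag):
    """Strip the Maven XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    """'2.3.20' -> (2, 3, 20); only numeric parts take part in ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def struts_dependencies(pom_xml):
    """Return [(artifactId, resolved version)] for org.apache.struts artifacts."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for node in root if _local(node.tag) == "properties" for p in node}
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "org.apache.struts":
            continue
        # Resolve ${struts.version}-style references; unknown ones are left as-is.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        found.append((fields.get("artifactId", "?"), version))
    return found

def audit(poms, minimum_patched):
    """Map pom path -> Struts artifacts older than minimum_patched (assumed floor)."""
    floor = parse_version(minimum_patched)
    report = {}
    for path, xml in poms.items():
        stale = [(a, v) for a, v in struts_dependencies(xml) if parse_version(v) < floor]
        if stale:
            report[path] = stale
    return report
```

Running `audit(SAMPLE_POMS, "2.5.13")` reports only the billing module, whose property-pinned 2.3.20 is below the placeholder floor.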