The details of the Equifax breach will unfold slowly over the next several weeks and months. One interesting detail came out recently when the company reported that “an actor interacted with our server on March 10, 2017.” That’s four days after the vulnerability was reported and three days after a researcher released an exploit to the public. So far, it doesn’t look like this was the attack that resulted in the breach. So what happened? Why would a hacker start an attack on Equifax, but not complete it? In this post, I’ll explore some hacking lessons we can take away from the movies.
Think of hacking the way Paul Newman and Jackie Gleason approach pool hustling in the classic film, The Hustler (or Newman and Tom Cruise in the film’s sequel, The Color of Money). The hustler can’t spend every day looking for the richest individual in each town he visits. Instead, he picks a pool hall, loses a couple of games, and sees if he can find a “mark.” In this case, a mark is anyone who appears to have a combination of money and unearned confidence in their pool skills. In other words, someone who is vulnerable to the hustle and worth the hustler’s time in terms of a financial return. The hustler doesn’t care if the mark is a doctor, lawyer, or sanitation engineer. He only wants their money.
In the cyber world, finding a mark is a little different. One way is to use a known exploit for a known vulnerability — like the Struts exploit — and simply “point it” at a range of IP addresses to see which, if any, are vulnerable to the exploit. These are non-targeted attacks; no specific victim is in mind, and those vulnerable servers are the hacker’s marks. He’ll then investigate those and learn more about them. Low value marks — such as schools or libraries — may be ignored, exploited to serve malware, or perhaps incorporated into a botnet. If the mark has high value, like a bank or retailer, the attacker invests more time to exploit the target or sells information about the mark to others.
We often think of attackers selecting high-value targets and focusing their efforts on defeating the target’s defenses. This is undoubtedly true — in many cases. It’s unlikely, for instance, that the Office of Personnel Management breach in 2015 was an accident (the FBI recently arrested a Chinese national in relation to the malware used in the attack) or that Operation Aurora stumbled upon the source code and design documents of leading defense contractors and IT infrastructure providers. In both of these cases, the attacks appear to be directed by nation states for intelligence and industrial/defense espionage. This may be the case with Equifax as well, either through nation states or organized crime.
However, not every attack is targeted. Why? Because not all attackers are part of a well-financed group, and attacking a specific target can be hard work, requiring significant resources. For targeted attacks, hackers and hustlers need to study their targets, conduct reconnaissance on the infrastructure to understand defenses, and/or study social media profiles on specific employees from whom they intend to phish or steal credentials. They don’t get paid for this preparation.
This effort makes sense when the criminals have strategic reasons for targeting a specific organization. However, if they are simply looking for credit card information or other personal data, there may be many targets with lesser defenses. If the attacker, like the pool hustler, is indifferent about whom he steals the information from, it’s only rational to take the easiest path. This is usually a non-targeted attack, simply looking for an easy mark.
Where do hackers find a large quantity of potential victims for publicly available exploits? How about popular open source applications and components? Open source is NOT less secure, nor (frankly) more secure than commercial software. There are, as I’ve written before, characteristics of open source that make vulnerabilities in it particularly attractive to a hacker.
Most organizations do a poor job on the last point, and the criminals know this. The March 10 incident could well have been a hacker searching for a mark. Once found, the vulnerable server could have been noted and sold to other hackers, or it could have alerted that same attacker to the attack vector exploited later. Perhaps the attacker even failed to notice that this vulnerable server had a high value. In any case, it was easy to find and exploit.
Once a vulnerability and exploit are released, a race begins between defenders patching vulnerabilities across their environment and attackers looking for easy marks. In Equifax’s case, the attackers won.