How Equifax got Hacked

by AKM

Posted on September 14, 2017 at 12:19 PM

Origins of the breach

For those who don't know already, Equifax was recently hacked and many are wondering who was behind it. Some readers are probably wondering what Equifax even is, it is the oldest of the three largest American credit agencies. Equifax' revenue is within the billions range and so this is a very big deal. Not only that but since it's a credit agency, it contains sensitive information such as Social Security Numbers. 143 million credit records are said to have been retrieved by the hackers (not to mention 200 million credit card details). Most of which are Americans, 44 million records are said to be from Britain, and a lot from Canada too.

Identity of the Hackers involved

That picture above is taken from one of Equifax' servers. The hackers that were involved sent us some samples of how the breach occurred, methods, etc. From what we've analyzed, Equifax should be blamed for the entirety of the entire data breach. Here's why, none of their so called "management panels" were secured. In an article written by Brian Krebs, he details how one of these panels used the username and password of admin:admin. What kind of credit agency of such value has the audacity to be doing shit like this? No. It is 2017, unacceptable.

If that image of one of the panels doesn't scare you, I don't know what will. The amount of data that is out in the open right now on all these Equifax consumers is mind blowing. An agency, that's worth billions, deals with this volume of information, is allowed to be pwned by simple panel exploits. The hackers that were responsible made this statement:

"if I have to release the information and make it public for these companies to finally acknowledge and admit their fuck ups (maybe not blame on apache flaw either) then I will"

Not just a flaw in apache, but also other tactics were used to bypass the WAF. What was most difficult would have been to locate the servers themselves to exploit. I did some digging and found out that some of these panels can be located on Shodan. The hackers let me know that none of the panels were the same. They also said in response that Equifax has already began shutting down some of the panels, and that one of them was shut down because of Krebs.

The hackers responsible also started a hidden service for when the data will be released/sold. It appears to mock the other group of hoax hackers spotted previously asking for bitcoin, they briefly mentioned how they are following the false hackers' footsteps. The hidden service or onion (Tor is required to visit the site) is currently located at equihxbdrjn5czx2.onion. I asked if they are doing all of this for money/ransom and they responded with this:

"No. we only felt the need to add the bitcoin funding to gather more media attention to the fact that Equifax has been Equihax'd"

The Hacked Panels

Upon further investigation, the hackers sent me more samples to verify that indeed, it was them that did all of this. They had access to numerous of these panels that all were in charge of something different. Some panels were for credit reports, others were made for analytics. What was more surprising within these panels was a common reference to subdomains on equifax.com, a bunch of switchboards, and something called "bumblebee". The thing was, all of them were vulnerable to the similar exploits, which made accessing them a breeze. Here are some pictures of each one of the panels:

Your Data

I wanted to know if they also had access to the database itself to ultimately prove whether it was them. This is a very big digital heist, you must always verify if they're the person they claim to be. I asked them to send me a couple more samples of the real sensitive data, and they complied.

The data had been verified using Equifax own TrustedID Premier located here. The other picture I had supplied above is basically what the database contains on 143 million people. It's all legit. So, what happens now? Well, with this type of data anyone can commit identity fraud on a whole different level. Genuinely speaking, this data is very dangerous. If these hackers decide to leak the data, its catastrophic. Now, I would not blame the hackers, not one bit. Seriously. If you want to play the blame game, all fingers pointed at Equifax, they Equifucked your credit.

Conclusion to this fine mess.

I asked the hackers one last request before disconnecting. I asked, "How did you manage to get the passwords to some of the databases?" Surely the panels had really bad security but what about the other sections to them? Surely there was encrypted data stored within these large archives no? Yes. There was. But guess where they decided to keep the private keys? Embedded within the panels themselves. The picture above shows exactly that, all the keys stored nicely, alongside any sub companies to Equifax. All pwned.

After Equifax noticed the breach, right away they started pulling the plug on some of their servers. From one of the main panels they forgot to pull, which managed all the others; You can see each one of the servers losing connection to the main. Eventually the main also went offline. There are some real questions that come out of this, like why were all these servers accessible by anyone on the internet? Why were default passwords used? What type of security team within a credit agency would allow these practices? Not only that but let us not forget that there were reports of Equifax employees selling their stocks right before the breach happened. There are possibilities here that this was indeed, an inside job.