- The Washington Times - Wednesday, April 18, 2018

The software vulnerability used to breach Equifax last year was harnessed months earlier by a state-sponsored hacking group attempting to breach the U.S. Department of Defense, a senior National Security Agency official said Tuesday.

A nation-state probed the Pentagon’s computer systems within a day of details emerging about the vulnerability subsequently exploited to steal the personal information millions of Americans in the Equifax breach, NSA official David Hogue said at the RSA security conference in San Francisco, CyberScoop first reported.

“The vulnerability that took down Equifax last year when it was released in March, we had a nation-state actor within 24 hours scanning looking for unpatched servers within the DoD,” said Mr. Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), according to CyberScoop.

“Within 24 hours I would say of whenever an exploit or vulnerability is released, it is weaponized and used against us,” Mr. Hogue added.

One of the nation’s largest credit reporting agencies, Equifax revealed in September that personal information relating to 143 million Americans was stolen as a result of a data breach that involved exploiting a vulnerable version of Apache Struts, an open-source software package installed on Equifax’s online dispute portal.



The U.S. Department of Homeland Security disclosed the Struts vulnerability in early March in tandem with Apache’s release of a security update that patched the product, but Equifax continued to keep a vulnerable version online and was hacked months later between May and July, a review of the breach concluded.

Addressing attendees at RSA, Mr. Hogue said that most of the incidents witnessed at the NSA involve cases where security patches were wrongly applied, as opposed to incidents where hackers exploited “zero day” vulnerabilities, or previously undisclosed vulnerabilities revealed before an update has been made available, CyberScoop reported.

“At NSA we have not responded to an intrusion response that’s used a zero day vulnerability in over 24 months,” Mr. Hogue said, according to the report. “The majority of incidents we see are a result of hardware and software updates that are not applying.”

Eighty-six percent of nearly 20,000 vulnerabilities analyzed for a report released by software provider Flexera this month were issued security updates on the same day the bugs were disclosed, according to the study. A report published last year by the RAND Corp., meanwhile, found that an average of 6.9 years passes by between the time a vulnerability is discovered and the moment it’s disclosed publicly.

Sign up for Daily Newsletters

Manage Newsletters

Copyright © 2020 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.

 

Click to Read More and View Comments

Click to Hide