1) The Equifax cyber attack compromised the personal information of around 143 million customers by exploiting a vulnerability in the Apache Struts framework that allows remote code execution. 2) The attack occurred from mid-May to July 2017 before it was detected, and shaved $4 billion off Equifax's market capitalization, around 25% of its total value. 3) Using containers may have helped prevent the Equifax attack by isolating vulnerable applications and limiting an attacker's ability to access additional internal resources and exfiltrate sensitive personal information if the vulnerable web application was contained.

1. Equifax Cyber Attack
Contained By Containers
Benjy Portnoy, CISSP, CISA
DevSecOps, Aqua Security
@AquaSecTeam

4. • ~143 M customers impacted
• Attack occurred from mid May to July prior to detection
• Equifax hack shaved $4B, or about 25% of the company market cap

5. Equifax Attack Success Criteria
1. Compromise Apache Struts server
2. Remain persistent
3. Access additional internal resources
4. Exfiltration of sensitive (PII) data

6. CVE-2017-9805
● Apache Struts framework for dynamic web content
● Allows arbitrary remote code execution
● Weakness is caused by how Xstream deserializes untrusted data
represented as XML

7. If Equifax Were Using Containers

8. Demo Scenario With Containers
• Victim Container
• Running a vulnerable web application, using struts-2.3.24
• Attacker Container
• exploiting CVE-2017-9805 using the victim as target
• Uploads a simple web shell exploit as a web application to the
victim

11. Demo (For Real This Time!)

12. Summary
● Block Image with Struts Vulnerability
● Virtual Patch Patching To Block Exploit
● Prevent Host based DOS Attack
● Situational Awareness

13. Thank You!
Benjy@Aquasec.com
@AquasecTeam