Security Bulletin: Equifax Breach

ATTENTION ONLINE AND SELF-PROCESSING CREDIT UNIONS

By now you have heard about the breach at Equifax that exposed the personal information of over 145 million consumers. This Bulletin addresses the technical vulnerability that is believed to be the cause of the Equifax breach, namely the use of unpatched software known as Apache Struts.

What is Apache Struts? Apache Struts is an open-source web framework for developing Java web applications.

Does CU*Answers use Apache Struts? CU*Answers does not use Apache Struts in our web applications.  Therefore, our network is not vulnerable to the same attack that compromised Equifax.

Additionally, we have scanned our network to confirm it is not in use and our firewalls are configured to block attack attempts against Apache Struts that may be aimed at our networks.

What do I need to do? Most credit unions would not use this technology, but have your IT department confirm it is not in use on your network.

CU*Answers Network Services does NOT use this technology in Complete Care managed networks.
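
One way an IT department can check a server's file system for Apache Struts is sketched below. This is an added example, not part of the original bulletin and not a CU*Answers tool. It lists every Struts core library it finds, including copies bundled inside WAR/EAR application archives, so the versions can be compared against the advisories on struts.apache.org. It assumes the libraries keep their standard `struts-core`/`struts2-core` file names (renamed or repackaged copies will not be found), and the function names are illustrative.

```python
import io
import os
import re
import sys
import zipfile

# Standard file names of the Struts 1 / Struts 2 core library,
# e.g. struts2-core-<version>.jar (assumption: files were not renamed).
STRUTS_JAR = re.compile(r"(struts2?-core)-(\d[\w.\-]*)\.jar$", re.IGNORECASE)
ARCHIVE_EXT = (".war", ".ear", ".jar", ".zip")


def _scan_archive(data, label, hits, depth=0):
    """Look inside a WAR/EAR/JAR for bundled Struts JARs (nested up to 3 levels)."""
    try:
        with zipfile.ZipFile(data) as zf:
            for name in zf.namelist():
                m = STRUTS_JAR.search(name)
                if m:
                    hits.append((f"{label}!{name}", m.group(1), m.group(2)))
                elif depth < 3 and name.lower().endswith(ARCHIVE_EXT):
                    nested = io.BytesIO(zf.read(name))
                    _scan_archive(nested, f"{label}!{name}", hits, depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, encrypted, or not really an archive: skip it


def find_struts(root):
    """Return (location, artifact, version) for every Struts core JAR under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            m = STRUTS_JAR.search(fname)
            if m:
                hits.append((path, m.group(1), m.group(2)))
            elif fname.lower().endswith(ARCHIVE_EXT):
                _scan_archive(path, path, hits)
    return hits


if __name__ == "__main__":
    # Usage: python find_struts.py <directory to scan>
    for location, artifact, version in find_struts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{artifact} {version}\t{location}")
```

An empty result only means no conventionally named Struts library was found under the scanned directory; run it against each application server's deployment and library directories.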

If your IT department confirms it is in use, follow these guidelines:

  1. Apply patches as soon as possible.  Monitor the Apache Struts project (struts.apache.org) and apply security updates as they become available.
  2. Configure your intrusion prevention system to block attacks against Apache Struts.
  3. Run up-to-date anti-virus software on every computer.
  4. Maintain backups.  Up-to-date backups can help you recover quickly if your server becomes compromised.
  5. Monitor the US Computer Emergency Readiness Team (CERT) (us-cert.gov) alerts for vulnerabilities that affect your network.

If you have any questions, contact the Help Desk.