Saturday, 9 April 2016

Panama Papers: How they hacked!

Email Hackable via WordPress, Docs Hackable via Drupal

The Mossack Fonseca (MF) data breach, known as the Panama Papers, is the largest leak of documents to journalists in history and includes over 4.8 million emails.
Yesterday we broke the story that MF was running WordPress with a vulnerable version of Revolution Slider and the WordPress server was on the same network as their email servers when the breach occurred.

Today we are releasing new information describing how the attackers may have moved from WordPress and Revolution Slider into the MF email servers. That link between WordPress and MF's email server is the story we are breaking today. We will also summarize below how they probably gained access to client documents via Drupal; that part has already been covered earlier this week by Forbes (see below), but we are providing some data to support it.
How they hacked email
According to Süddeutsche Zeitung, the German publication that originally received the Panama Papers leak, this is the breakdown of the Panama Papers data by document type:
[Chart: breakdown of the Panama Papers data by document type. Source: Süddeutsche Zeitung]
Email is by far the largest chunk of data in the MF breach. Last week MF sent an email to its clients saying that it had experienced unauthorized access to its email server, confirming that the servers were compromised and making it clear that this was in fact a hack.
Yesterday we showed how trivially easy it was to hack into the MF WordPress website via the vulnerable version of Revolution Slider that they were running.
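The Revolution Slider flaw referred to here is the well-known 2014 arbitrary file download through the plugin's revslider_show_image AJAX action, in which the img parameter is not restricted to the slider's own images. A defender can look for attempts (and, by status code, likely successes) in ordinary web server access logs. The following Python is an added example, not the post's own code; the log lines are constructed for the example and the IP addresses are documentation ranges, not real attacker addresses.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2016:10:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2016:10:12:07 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
192.0.2.77 - - [06/Apr/2016:10:15:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 44120 "-" "Mozilla/5.0"
192.0.2.78 - - [06/Apr/2016:10:16:30 +0000] "GET /?p=12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD URL PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_traversal(img):
    """True if the img parameter tries to leave the slider image directory or name a script.

    Decodes a second time to catch double-encoded '..%252F' style evasion.
    """
    norm = unquote(img).replace('\\', '/')
    return '..' in norm.split('/') or norm.startswith('/') or norm.lower().endswith('.php')


def scan_log(text):
    """Return one finding per request that abuses revslider_show_image for file access."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['url'])
        if not parts.path.endswith('/wp-admin/admin-ajax.php'):
            continue
        query = parse_qs(parts.query)          # parse_qs already percent-decodes once
        if query.get('action', [''])[0] != 'revslider_show_image':
            continue
        img = query.get('img', [''])[0]
        if is_traversal(img):
            findings.append({
                'ip': m['ip'],
                'time': m['time'],
                'status': int(m['status']),  # 200 with a body means the file was served
                'img': unquote(img),
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} img={f['img']}")
```

Run it over real logs with `scan_log(open('/var/log/apache2/access.log').read())`. The status code is kept in each finding because an attempt that returns an error is very different from a 200 that shipped wp-config.php; the latter means the database credentials should be treated as compromised and rotated.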
Once an attacker can read files from a WordPress installation, wp-config.php is the obvious target: it stores the database host, name, user and password as plain-text PHP constants (DB_HOST, DB_NAME, DB_USER and DB_PASSWORD). The attacker would have used these to connect to the database.
Our analyst's research shows that www.mossfon.com is running two plugins in addition to Revolution Slider.
To summarize the attacker's movement:
We think it is likely that an attacker gained access to the MF WordPress website via a well-known Revolution Slider vulnerability. This vulnerability is trivially easy to exploit, as we demonstrated in our research released yesterday.
This would have given them access to the WordPress database. The research we released today shows that MF is running two additional plugins that store login information for its email server in plain text in the database. The attacker would have read this information from the WordPress database and used it to gain access to the email server.
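Both hops in this chain (wp-config.php gives the database; settings stored in the database give the mail server) can be checked from a defender's seat. The following Python is an added example, not the post's own code. It pulls the DB_* constants out of a constructed wp-config.php fragment, then scans constructed wp_options rows (the shape you get from `SELECT option_name, option_value FROM wp_options`) for credential-looking keys, both in plain-string options such as WordPress core's own mailserver_pass (the Post via e-mail feature) and inside the PHP-serialized arrays plugins use for their settings. The option names smtp_plugin_settings and imap_plugin_settings are hypothetical; the post does not name MF's two plugins.

```python
import re

# --- 1. wp-config.php: database credentials are plain-text PHP constants ---------------
# Constructed sample fragment for a hypothetical site.
WP_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define( 'DB_USER', 'wpuser' );
define('DB_PASSWORD', 'Pa55-w0rd!');
define('DB_HOST', 'db.internal:3306');
$table_prefix = 'wp_';
"""

# Matches define('NAME', 'value') with either quote style; does not handle escaped quotes.
DEFINE_RE = re.compile(r"""define\(\s*['"](?P<k>[A-Z_]+)['"]\s*,\s*['"](?P<v>[^'"]*)['"]\s*\)""")


def db_credentials(config_text):
    """Return the four constants needed to connect to the WordPress database."""
    consts = {m['k']: m['v'] for m in DEFINE_RE.finditer(config_text)}
    return {k: consts.get(k) for k in ('DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASSWORD')}


# --- 2. wp_options: plugin settings are PHP-serialized arrays, often holding logins ------
def php_unserialize(data, pos=0):
    """Parse the subset of PHP serialize() output WordPress uses (N, b, i, d, s, a).

    Returns (value, next_position). Assumes ASCII content: PHP string lengths are byte counts.
    """
    t = data[pos]
    if t == 'N':
        return None, pos + 2
    if t in 'bid':
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        return (raw == '1' if t == 'b' else int(raw) if t == 'i' else float(raw)), end + 1
    if t == 's':
        colon = data.index(':', pos + 2)
        n = int(data[pos + 2:colon])
        start = colon + 2                              # skip ':"'
        return data[start:start + n], start + n + 2    # skip '";'
    if t == 'a':
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        pos, out = colon + 2, {}                       # skip ':{'
        for _ in range(count):
            k, pos = php_unserialize(data, pos)
            v, pos = php_unserialize(data, pos)
            out[k] = v
        return out, pos + 1                            # skip '}'
    raise ValueError(f'unsupported type {t!r} at offset {pos}')


# Constructed (option_name, option_value) rows; mailserver_* are real WordPress core options,
# the two *_plugin_settings rows imitate how plugins persist mail server logins.
WP_OPTIONS_ROWS = [
    ('siteurl', 'http://www.example.com'),
    ('mailserver_login', 'login@example.com'),
    ('mailserver_pass', 'password'),
    ('active_plugins', 'a:2:{i:0;s:23:"revslider/revslider.php";i:1;s:19:"akismet/akismet.php";}'),
    ('smtp_plugin_settings', 'a:4:{s:4:"host";s:16:"mail.example.com";s:4:"port";i:587;'
                             's:8:"username";s:21:"webmaster@example.com";s:8:"password";s:11:"Mailb0x-pwd";}'),
    ('imap_plugin_settings', 'a:2:{s:6:"server";a:2:{s:4:"host";s:16:"imap.example.com";s:3:"ssl";b:1;}'
                             's:5:"login";a:2:{s:4:"user";s:7:"archive";s:4:"pass";s:9:"S3cret!!!";}}'),
]

CRED_KEY = re.compile(r'pass|pwd|secret|token|api_?key', re.I)


def find_plaintext_credentials(rows):
    """Return one finding per non-empty string stored under a credential-looking key."""
    findings = []

    def walk(option, value, path):
        if isinstance(value, dict):
            for k, v in value.items():
                walk(option, v, f'{path}.{k}')
        elif isinstance(value, str) and value and CRED_KEY.search(path.rsplit('.', 1)[-1]):
            findings.append({'option': option, 'path': path, 'value': value})

    for name, raw in rows:
        try:
            value, _ = php_unserialize(raw)
        except (ValueError, IndexError):
            value = raw                                # plain string option, e.g. siteurl
        walk(name, value, name)
    return findings


if __name__ == '__main__':
    print('database:', db_credentials(WP_CONFIG))
    for f in find_plaintext_credentials(WP_OPTIONS_ROWS):
        print(f"{f['option']}: {f['path']} = {f['value'][:2]}***")
```

Against a live site, feed the scanner the rows from `wp_options` (and `wp_usermeta`, which some plugins use instead) and pair each hit with the neighbouring host and user keys, which are exactly what an attacker with database access would do. Every credential the scan turns up is one that a wp-config.php read already exposes, so the fix is not to hide it better in the database but to stop storing it there, or at minimum to put the web server and the mail server on separate networks with separate credentials.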
Conclusion
Yesterday we demonstrated that Mossack Fonseca had a vulnerable version of Revolution Slider on their WordPress site, which probably gave an attacker initial access to their systems, including their WordPress database. Today we showed how the attacker could move from that WordPress installation into MF's email systems and begin to compromise the email that formed the bulk of the data breach in the Panama Papers.