Panama Papers - How Hackers Breached The Mossack Fonseca Firm - InfoSec Resources
POSTED IN HACKING
ON APRIL 20, 2016
http://resources.infosecinstitute.com/panamapapershowhackersbreachedthemossackfonsecafirm/
4/22/2016
Introduction
It is considered the largest data leak ever: the entire archive contains more than
11.5 million files, comprising 2.6 terabytes of data related to the activities of offshore
shell companies used by the most powerful people around the world, including
72 current and former heads of state.
head of state; Ayad Allawi, ex-interim head of state as well as previous vice-president of Iraq; Petro Poroshenko, head of state of Ukraine; Alaa Mubarak, child
of Egypt's previous head of state; as well as the head of state of Iceland,
Sigmundur Davíð Gunnlaugsson.
Who is the anonymous source, and how did it exfiltrate the data from the
computers of the company?
According to Ramon Fonseca, the confidential documents had been obtained
illegally by hackers; likely the data breach affected an e-mail server of the
company last year.
The media agency El Espanol confirmed this hypothesis; the Mossack Fonseca firm
sent an email to its clients announcing that it was investigating the causes of the
data breach and that it's taking all necessary steps to prevent it happening
again.
This firm, considered the largest platform figureheads of Latin America and has
"They updated the new payment CMS, but forgot to lock the directory /onion/,"
he said via the 10123 Twitter profile.
In the past, the same hacker has discovered many other security issues in the
systems of major media outlets, including the LA Times and New York Times. He
also offered for sale the access to insecure systems at NASA.
@10123 also contacted Edward Snowden, notifying him of some bugs on one of
his projects. Snowden acknowledged the bug report on the Freedom of the
Press Foundation website.
The WP SMTP plugin stores email server address and login information in plain
text in the WordPress database.
Once the attacker had access to WordPress database credentials in the wp-config.php file, he was able to access the mail server.
The ALO EasyMail Newsletter plugin offers list management functionalities and
needs access to read emails from the email server. Also, in this case, the plugin
stores email server login information in the WordPress database in plain text.
Once the attacker also had access to this data, after gaining access to the
WordPress database via Revolution Slider, they would have been able to sign into the email server and would be able to read emails via POP or IMAP.
Reported Wordfence.
Summarizing, it is likely that an attacker gained access to the WordPress website
by exploiting a known vulnerability in the Revolution Slider; then he accessed
the database where information on the email systems was stored.
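
A defender can check their own site for the storage pattern described above. The following is an added example, not code from Wordfence or from the original article: it decodes the PHP-serialized arrays in which WordPress keeps plugin settings in `wp_options` and lists every field that holds a readable secret. The option names, host and values in the sample rows are hypothetical, and the key-name pattern is a heuristic.

```python
import re

# Key names that usually hold a secret (a heuristic chosen for this example).
SECRET_KEY = re.compile(r"pass|pwd|secret|token", re.I)

def parse(b, i=0):
    """Decode one PHP serialize() value from bytes b at offset i -> (value, next offset)."""
    t = b[i:i + 1]
    if t == b"N":                          # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):            # i:587;  b:1;  d:0.5;
        j = b.index(b";", i)
        return (float if t == b"d" else int)(b[i + 2:j]), j + 1
    if t == b"s":                          # s:<byte length>:"<bytes>";
        j = b.index(b":", i + 2)
        n = int(b[i + 2:j])
        return b[j + 2:j + 2 + n].decode("utf-8", "replace"), j + n + 4
    if t == b"a":                          # a:<count>:{<key><value>...}
        j = b.index(b":", i + 2)
        n, i, out = int(b[i + 2:j]), j + 2, {}
        for _ in range(n):
            k, i = parse(b, i)
            out[k], i = parse(b, i)
        return out, i + 1
    raise ValueError("unsupported type %r at offset %d" % (t, i))

def secret_fields(value, path):
    """Yield (path, length) for non-empty strings stored under a secret-like key."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from secret_fields(v, path + [str(k)])
    elif isinstance(value, str) and value and SECRET_KEY.search(path[-1]):
        yield ".".join(path), len(value)

def audit(rows):
    """rows: (option_name, option_value as bytes) pairs exported from wp_options."""
    findings = []
    for name, raw in rows:
        value = parse(raw)[0] if raw.startswith(b"a:") else raw.decode("utf-8", "replace")
        findings += secret_fields(value, [name])  # report path and length, never the value
    return findings

# Constructed sample rows: option names, host and values are hypothetical.
SAMPLE_ROWS = [
    ("blogname", b"Example Site"),
    ("example_smtp_options",
     b'a:4:{s:4:"host";s:17:"mail.example.test";s:4:"port";i:587;'
     b's:8:"username";s:6:"mailer";s:8:"password";s:12:"constructed!";}'),
    ("example_newsletter_bounce_pass", b"also-constructed"),
]
```

Each finding marks a mailbox credential that anyone with read access to the database also holds, so the account behind it should be limited to what the plugin needs.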
The experts highlighted that the firm did not enforce the principle of least
privilege for the hacked systems, allowing the WordPress plugin email accounts
to have access to resources that they don't need.
The experts at Wordfence also explained how hackers probably gained access to
corporate client documents by accessing the web portal at
https://portal.mossfon.com/,
Now we have a clear idea of the possible hacking techniques adopted by the hackers in
the Mossack Fonseca breach; however, it is quite impossible to understand who is
behind the attack.
The attackers appear politically motivated; they operated with the specific intent
to disclose secret information, likely to destabilize the political context in various
countries.
Unfortunately, the cyber security posture of the company failed to protect the
precious information, highlighting the importance of security when dealing with
confidential information.
References
http://panamapapers.sueddeutsche.de/en/
http://securityaffairs.co/wordpress/45998/data-breach/panama-papers.html
http://www.elespanol.com/espana/20160403/114488656_0.html
http://securityaffairs.co/wordpress/46216/breaking-news/panama-leaks.html
http://www.techeconomy.it/2016/04/11/panama-papers-ecco-come-statihackerati-dati/
http://www.theregister.co.uk/2016/04/11/hackers_pwn_mossack_fonseca/
http://www.forbes.com/forbes/welcome/#13fbd7c71df5
https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-emailconnection/
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerableslider-revolution/
Pierluigi Paganini