4/22/2016

Panama Papers: How Hackers Breached the Mossack Fonseca Firm - InfoSec Resources

Panama Papers: How Hackers Breached the Mossack Fonseca Firm
Posted in Hacking on April 20, 2016
Introduction
The Panama Papers are a huge trove of highly confidential documents stolen from the IT systems of the Panamanian law firm Mossack Fonseca and recently leaked online.

It is considered the largest data leak ever: the entire archive contains more than 11.5 million files, 2.6 terabytes of data, relating to the activities of offshore shell companies used by some of the most powerful people in the world, including 72 current and former heads of state.

Figure 1: Data leaked (Source: Süddeutsche Zeitung)


To put the size of the leak in perspective, let's compare the volume of stolen data with the archives disclosed after other incidents in the past.


Figure 2: Panama Papers, scale of the data leak (Source: WEF)


Despite the clamor around the case, most of Mossack Fonseca's clients were not breaking any law, because the services offered by the firm are legal. The problem is that those services could be abused by a part of its clientele to evade taxes and launder money.
Mossack Fonseca states that it complies with anti-money-laundering rules and that it cannot be blamed for failings by intermediaries such as financial institutions, law firms and accounting professionals.
Mossack Fonseca is the world's fourth largest provider of offshore services. More than half of the companies it set up are registered in British-administered tax havens, as well as in the UK itself.
The Panama Papers case is exposing the offshore activities of hundreds of politicians and public figures around the world, including Vladimir Putin's inner circle and Iceland's Prime Minister Sigmundur Davíð Gunnlaugsson.
At the time of writing, although Vladimir Putin's name does not appear in the leaked documents, a $2 billion trail leads straight to him: the Russian president's close friend Sergei Roldugin is the link between the Russian leader and the financial operations handled by the Panamanian firm.
The leaked documents also revealed the existence of an offshore investment fund run by the father of British Prime Minister David Cameron, which avoided paying tax in Britain by employing a small army of Bahamas residents to sign its paperwork.
Among the national leaders with offshore wealth are Nawaz Sharif, Pakistan's prime minister; Ayad Allawi, former interim prime minister and former vice president of Iraq; Petro Poroshenko, president of Ukraine; Alaa Mubarak, son of Egypt's former president; and the prime minister of Iceland, Sigmundur Davíð Gunnlaugsson.

Figure 3: Panama Papers


Bloomberg first confirmed the authenticity of the leaked archive, citing a statement by Ramon Fonseca, co-founder of the Mossack Fonseca firm.
The Panama Papers documents were shared by an anonymous source with the German newspaper Süddeutsche Zeitung and with the International Consortium of Investigative Journalists (ICIJ), whose partners include the Guardian and the BBC.
The ICIJ journalists analyzed the documents in the huge archive for an entire year and are now sharing their findings.
The Panama Papers archive includes emails, bank records and invoices belonging to the clients of the Mossack Fonseca firm.

Who is the anonymous source, and how did they exfiltrate the data from the company's computers?
According to Ramon Fonseca, the confidential documents were obtained illegally by hackers; the data breach likely affected an email server of the company last year.
The media outlet El Español confirmed this hypothesis: Mossack Fonseca sent an email to its clients announcing that it was investigating the causes of the data breach and taking all necessary steps to prevent it from happening again.

The firm, considered the largest provider of front-man (nominee) services in Latin America and holder of a large portfolio of Spanish customers, said in a statement that it had opened an investigation after confirming that it had unfortunately suffered an attack on its email server, El Español reported.
Mossack Fonseca says it is taking all necessary steps to prevent it from happening again, has reinforced its security systems, and is working with expert consultants to determine exactly what information the unauthorized persons accessed. The firm, through its Director of Marketing and Sales, apologized to its customers and offered an email address to clarify any further questions.
The ICIJ has identified more than 214,000 organizations with a total turnover of several billion dollars.

Who hacked the Mossack Fonseca firm, and how?
Let's start by trying to understand how the hackers breached the firm. After the attack, security experts started testing the company's systems, looking for flaws an attacker could have exploited.
How is it possible that a company that keeps the secrets of thousands of the world's leading organizations and individuals was hacked in such a simple way?
The tests conducted by security researchers revealed flaws in the systems the company exposed on the Internet.
One of the first assumptions about the alleged hack is that the attackers exploited a flaw in a plugin called Revolution Slider, used by the company's WordPress-based website.
Other sources on the Internet state that Mossack Fonseca was compromised by hackers who ran a SQL injection attack against one of its sub-domains used for payments.


Figure 4: Mossack Fonseca domain allegedly breached by hackers


An unknown researcher using the Twitter account @10123 claimed to have found a SQL injection flaw in one of the corporate systems belonging to the Panamanian law firm Mossack Fonseca.
"They updated the new payment CMS, but forgot to lock the directory /onion/," he said via the @10123 Twitter profile.
In the past, the same hacker has discovered many other security issues in the systems of major media outlets, including the LA Times and the New York Times. He also offered for sale access to insecure systems at NASA.
@10123 also contacted Edward Snowden, notifying him of some bugs in one of his projects. Snowden acknowledged the bug report on the Freedom of the Press Foundation website.


Figure 5: @10123 claims to have discovered a SQL injection in the Mossack Fonseca systems
Taking a close look at the image shared by the hacker, the system appears to be backed by an Oracle database. Of course, it is not possible to be sure that this is the flaw the attackers exploited. In any case, the presence of such bugs is worrying considering the secret information held in the Panamanian firm's database.
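The kind of flaw @10123 describes, as an added example that is not code from the article or from any Mossack Fonseca system: a client lookup on a payment portal that splices user input into the SQL text, beside the parameterized version that closes the hole. The table, its rows and the payload are constructed for the demo; sqlite3 stands in for the Oracle backend the screenshot suggests, since the injection pattern is the same in any SQL dialect.

```python
"""SQL injection in a payment-portal lookup: vulnerable query beside its fix.

Added example. Table, rows and payload are constructed; sqlite3 is used in
place of the Oracle backend seen in the @10123 screenshot.
"""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a client lookup table on a payment portal."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, code TEXT, name TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO clients (code, name, balance) VALUES (?, ?, ?)",
        [
            ("MF-0001", "Example Holdings Ltd", 1250000.0),
            ("MF-0002", "Sample Trust SA", 87000.5),
            ("MF-0003", "Demo Nominee Inc", 0.0),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, code: str) -> list:
    """VULNERABLE: the client code is spliced into the SQL text.

    A payload such as  ' OR '1'='1  turns the WHERE clause into a tautology
    and dumps every row; a UNION payload would read other tables instead.
    """
    query = "SELECT code, name, balance FROM clients WHERE code = '%s'" % code
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, code: str) -> list:
    """FIXED: the value travels as a bound parameter, never as SQL text,
    so the same payload is just a client code that does not exist."""
    query = "SELECT code, name, balance FROM clients WHERE code = ?"
    return conn.execute(query, (code,)).fetchall()


PAYLOAD = "' OR '1'='1"  # classic tautology payload, constructed for the demo


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every client row
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no such client code
```

Against the vulnerable function the payload returns all three constructed rows; against the parameterized one it returns nothing. The fix is the same on Oracle: bind variables (`:code`) instead of string concatenation, and a database account for the web application that can only read the tables the portal needs.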
Experts at the Wordfence security firm also provided an interesting analysis of the incident, describing how the hackers may have compromised the company's email servers via the WordPress Revolution Slider plugin.
They also explained how the attackers likely accessed the documents of the Mossack Fonseca firm by exploiting vulnerabilities in an outdated version of the Drupal CMS.
The hack of the email server, confirmed by the firm in an email sent to its customers, likely occurred by exploiting a vulnerability in the version of Revolution Slider the company was running.
Once the attacker gained access to the WordPress website, he was able to view the contents of wp-config.php, which contains the database credentials for the WordPress instance in clear text.
The attacker would then have used those credentials to access the database.
The Wordfence experts found that www.mossfon.com was running two more plugins in addition to Revolution Slider: the WP SMTP plugin and the ALO EasyMail Newsletter plugin.

The WP SMTP plugin stores the email server address and login information in plain text in the WordPress database.
Once the attacker had the WordPress database credentials from the wp-config.php file, he was able to access the mail server.
The ALO EasyMail Newsletter plugin offers list management functionality and needs access to read emails from the email server. In this case too, the plugin stores the email server login information in the WordPress database in plain text.
"Once the attacker also had access to this data, after gaining access to the WordPress database via Revolution Slider, they would have been able to sign into the email server and would be able to read emails via POP or IMAP," Wordfence reported.
Summarizing, it is likely that an attacker gained access to the WordPress website by exploiting a known vulnerability in Revolution Slider and then accessed the database where the email system's credentials were stored.
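The credential chain Wordfence describes (file read of wp-config.php, then plugin settings in wp_options), as an added example that is not code from the article, from Wordfence or from either plugin: it shows exactly what an attacker walks away with at each step. The wp-config.php text, the option names and the serialized values are constructed for the demo; the real plugins' option names and array keys are assumptions, not checked against their source. WordPress does store plugin settings as PHP-serialized arrays, which is why a small unserializer is part of the example.

```python
"""Harvest DB credentials from wp-config.php, then mail-server credentials
from plain-text plugin settings in wp_options.

Added example. Sample config, option names and serialized values are
constructed; the plugin option names/keys are assumptions.
"""
import re

# ---- constructed sample input ------------------------------------------
WP_CONFIG = """<?php
define('DB_NAME', 'mossfon_wp');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'Sup3rSecret!');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

# (option_name, option_value) rows as  SELECT option_name, option_value FROM
# wp_options  would return them. Names and keys are hypothetical stand-ins.
WP_OPTIONS = [
    ("siteurl", 's:22:"http://www.example.org";'),
    ("wp_smtp_options",
     'a:4:{s:4:"host";s:16:"mail.example.org";s:4:"port";i:465;'
     's:8:"smtpuser";s:19:"noreply@example.org";s:8:"smtppass";s:10:"Mail-Pass1";}'),
    ("alo_em_settings",
     'a:3:{s:9:"imap_host";s:16:"mail.example.org";s:9:"imap_user";'
     's:22:"newsletter@example.org";s:9:"imap_pass";s:8:"List-Pw2";}'),
]

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
SECRET_KEY_HINTS = ("pass", "pwd", "secret")


def parse_wp_config(text: str) -> dict:
    """Every DB_* define in wp-config.php, exactly as stored: plain text."""
    return dict(DEFINE_RE.findall(text))


def php_unserialize(data: str):
    """Minimal reader for the PHP serialize() subset WordPress options use:
    strings, ints, bools, null and (nested) arrays. ASCII payloads only,
    since PHP string lengths count bytes."""
    value, _ = _parse(data, 0)
    return value


def _parse(s: str, i: int):
    tag = s[i]
    if tag == "N":                                  # N;
        return None, i + 2
    if tag in ("i", "b"):                           # i:465;   b:1;
        end = s.index(";", i)
        num = int(s[i + 2:end])
        return (bool(num) if tag == "b" else num), end + 1
    if tag == "s":                                  # s:LEN:"...";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                           # skip  :"
        return s[start:start + length], start + length + 2   # skip  ";
    if tag == "a":                                  # a:COUNT:{key;value;...}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        j, result = colon + 2, {}                   # skip  :{
        for _ in range(count):
            key, j = _parse(s, j)
            val, j = _parse(s, j)
            result[key] = val
        return result, j + 1                        # skip  }
    raise ValueError("unsupported serialized type %r at offset %d" % (tag, i))


def find_plaintext_mail_credentials(options) -> list:
    """Walk wp_options rows; report every serialized array that pairs a host
    with a password-like key as (option_name, host, user, password)."""
    found = []
    for name, raw in options:
        try:
            val = php_unserialize(raw)
        except (ValueError, IndexError):
            continue                                # not serialized, or garbage
        if not isinstance(val, dict):
            continue
        keys = {str(k).lower(): v for k, v in val.items()}
        host = next((v for k, v in keys.items() if "host" in k), None)
        user = next((v for k, v in keys.items() if "user" in k), None)
        pw = next((v for k, v in keys.items() if any(h in k for h in SECRET_KEY_HINTS)), None)
        if host and pw:
            found.append((name, host, user, pw))
    return found


def harvest(wp_config: str, options) -> dict:
    """The full chain: file read -> DB credentials -> mail credentials."""
    return {"db": parse_wp_config(wp_config),
            "mail": find_plaintext_mail_credentials(options)}


if __name__ == "__main__":
    for section, value in harvest(WP_CONFIG, WP_OPTIONS).items():
        print(section, value)
```

Each harvested (host, user, password) triple is all that `imaplib.IMAP4_SSL(host).login(user, password)` needs, which is the least-privilege lesson: a newsletter or SMTP relay account that can only send, or only read its own list mailbox, limits the blast radius of a wp-config.php disclosure; an account that can read the firm's correspondence does not. The same scan, run as a defender over your own wp_options, tells you which plugin secrets sit in clear text before an attacker reads them.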


The experts highlighted that the firm did not enforce the principle of least privilege on the hacked systems: the email accounts used by the WordPress plugins had access to resources they did not need.
The Wordfence experts also explained how the hackers probably gained access to corporate client documents through the web portal at https://portal.mossfon.com/.


Figure 6: Mossack Fonseca web portal


Unfortunately, the portal was running an unpatched Drupal version, 7.23, affected by dozens of vulnerabilities.
The Wordfence experts were also able to access the changelog.txt file on the web portal, which confirms that the firm's site was running a flawed version of Drupal.

Figure 7: Drupal 7.23 changelog.txt


Once the attacker had compromised the client login and permissions system, he could access any information stored on the portal.
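Fingerprinting the portal the way Wordfence did, from a publicly readable CHANGELOG.txt, as an added example that is not Wordfence's tooling or code from the article. The changelog text below is constructed to follow the layout of Drupal 7's CHANGELOG.txt (newest release first, one "Drupal X.Y, date" header per release); the reference "latest" version is an assumption about the current 7.x release at the article's date, not a value taken from the page.

```python
"""Read the Drupal version off an exposed CHANGELOG.txt and judge how stale it is.

Added example. SAMPLE_CHANGELOG is constructed; LATEST_7X_AT_ARTICLE_DATE is
an assumption, not a figure from the article.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int]

# Constructed sample: the top of a CHANGELOG.txt as an old Drupal 7 site serves it.
SAMPLE_CHANGELOG = """Drupal 7.23, 2013-08-07
-----------------------
- Fixed security issues (multiple vulnerabilities).
- Various bug fixes.

Drupal 7.22, 2013-04-03
-----------------------
- Fixed security issues (multiple vulnerabilities).
"""

# Assumption: the current Drupal 7 release when the article was published (April 2016).
LATEST_7X_AT_ARTICLE_DATE: Version = (7, 43)

ENTRY_RE = re.compile(r"^Drupal (\d+)\.(\d+), (\d{4}-\d{2}-\d{2})", re.MULTILINE)


def parse_changelog(text: str) -> list:
    """Return [(version, release_date), ...] for every release header, newest first."""
    return [((int(m.group(1)), int(m.group(2))), m.group(3)) for m in ENTRY_RE.finditer(text)]


def running_version(text: str) -> Optional[Version]:
    """A site runs the newest release its changelog lists, i.e. the first entry."""
    entries = parse_changelog(text)
    return entries[0][0] if entries else None


def releases_behind(site: Version, latest: Version = LATEST_7X_AT_ARTICLE_DATE) -> int:
    """Point releases between what the site runs and the reference release.
    Only meaningful within one major branch; a different major returns -1."""
    if site[0] != latest[0]:
        return -1
    return max(latest[1] - site[1], 0)


def assess(text: str, latest: Version = LATEST_7X_AT_ARTICLE_DATE) -> dict:
    """What the file gives away: the exact version, how stale it is, and the
    fact that a reachable CHANGELOG.txt is version disclosure even on a
    fully patched site."""
    site = running_version(text)
    if site is None:
        return {"version": None, "behind": None, "outdated": False, "disclosure": False}
    return {
        "version": site,
        "behind": releases_behind(site, latest),
        "outdated": site < latest,
        "disclosure": True,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CHANGELOG))
```

Run against a real site you own, fetch `/CHANGELOG.txt` and pass the body to `assess`. Two findings come out of it: every core security advisory published between the version found and the current release applies to that site, which is what "dozens of vulnerabilities" for 7.23 means in practice, and the file itself should not be reachable. Drupal ships a `.htaccess` that blocks many text files for Apache; on other servers the equivalent deny rule for `CHANGELOG.txt`, `INSTALL*.txt`, `UPGRADE.txt` and similar needs to be written by hand, and patching remains the real fix.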
We now have a clear picture of the hacking techniques the attackers may have used in the Mossack Fonseca breach; nonetheless, it is nearly impossible to determine who is behind the attack.
The attackers appear politically motivated: they operated with the specific intent to disclose secret information, likely to destabilize the political context in various countries.
Unfortunately, the company's cyber security posture failed to protect this precious information, highlighting the importance of security when dealing with confidential data.

References
http://panamapapers.sueddeutsche.de/en/
http://securityaffairs.co/wordpress/45998/data-breach/panama-papers.html
http://www.elespanol.com/espana/20160403/114488656_0.html
http://securityaffairs.co/wordpress/46216/breaking-news/panama-leaks.html
http://www.techeconomy.it/2016/04/11/panama-papers-ecco-come-stati-hackerati-dati/
http://www.theregister.co.uk/2016/04/11/hackers_pwn_mossack_fonseca/
http://www.forbes.com/forbes/welcome/#13fbd7c71df5
https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/


Author: Pierluigi Paganini

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, a firm leader in identity management, a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, and also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at Cyber Defense magazine, Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to create the blog "Security Affairs," recently named a Top National Security Resource for the US. Pierluigi is a member of The Hacker News team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin."
