8th April 2016
The Panama Papers – How Did it Happen?
The "Panama Papers" story has been all over newspapers and television this week. In short, 2.6 terabytes of data consisting of 11.5 million files were leaked from Panama-based law firm Mossack Fonseca. The papers reveal a system of hiding money in offshore accounts for what appears to be the sole purpose of paying less tax.
The fallout is ongoing; the most significant result so far is the resignation of the Icelandic Prime Minister. The interview where the allegations are put to him is well worth a watch. To put the leak into context against previous leaks: the WikiLeaks Cablegate release was 1.7GB, the adult "dating site" Ashley Madison leak was 30GB, and the Sony Pictures leak (allegedly linked to North Korea and the film "The Interview") was 230GB.
Put all of those leaks together, multiply by ten, and you are close to the volume of this breach. What I'm interested in, and the purpose of this blog post, is: how did it happen?
Though it had previously been suggested that a leak of this size must have been an inside job, Mossack Fonseca later confirmed that the leak had been executed by hackers based abroad. Forbes magazine reports the leak was made via an out-of-date Drupal website.
When I first read this I was happy to leave it at that: a single website being out of date. Upon further digging, it doesn't look like the leak was accessed as simply as that. This point has been raised by the team at Wordfence, a security plugin for WordPress. At Cargo, we are fans of the Wordfence plugin. They have just written a blog post suggesting the leak could have been caused via a WordPress plugin which was out of date.
What we can determine is that the main Mossack Fonseca website (http://www.mossfon.com/) looks to run WordPress, and the client portal (https://portal.mossfon.com/) looks to run Drupal. So far, both Forbes and Wordfence are correct.
On examination of the hosting history of mossfon.com (the main website: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fmossfon.com%2F), on 4th April 2016, a few days after the leak, they moved hosting; this is incredibly suspect.
It's difficult to say exactly who is right and who is wrong in this instance. What is apparent is that they both could be right: both the main website and the client portal were running out-of-date content management systems, with out-of-date plugins whose vulnerabilities are easily discovered online.
The interesting part for me is the possibility that the intrusion was indirect, via the main customer website rather than the portal itself. This leak illustrates the need to pay attention to new version releases and to keep your website and plugins up to date on all websites across all servers. You are only as strong as your weakest link.
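As an added example (not code from the original post, and not Cargo's or Wordfence's tooling), here is a small Python script that does the kind of estate-wide version check the last paragraph calls for. It fingerprints each site's CMS from the WordPress `generator` meta tag and the `X-Generator` header that Drupal 7 sends, pulls plugin versions from `/wp-content/plugins/...?ver=` asset URLs, and compares everything against a table of current releases so that a site which is several releases behind shows up before someone else finds it. The site URLs, plugin slugs and every version number below are constructed placeholders, not observations of mossfon.com; the reference table is something you would refresh from the upstream projects' release feeds.

```python
"""Patch-lag report across a small web estate (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# Constructed sample HTTP responses: hostnames, plugin slugs and versions are made up.
SAMPLE_RESPONSES: Dict[str, Dict[str, object]] = {
    "http://www.example-main.test/": {
        "headers": {"Server": "nginx"},
        "body": (
            '<html><head>'
            '<meta name="generator" content="WordPress 4.2.1" />'
            '<link rel="stylesheet" href="/wp-content/plugins/example-gallery/css/style.css?ver=3.0.1" />'
            '<script src="/wp-content/plugins/example-forms/js/main.js?ver=1.9.0"></script>'
            '</head><body></body></html>'
        ),
    },
    "https://portal.example-main.test/": {
        # Drupal 7 exposes only its major version in this header.
        "headers": {"X-Generator": "Drupal 7 (http://drupal.org)"},
        "body": "<html><head></head><body></body></html>",
    },
}

# Constructed "current release" table (placeholders, not real release numbers).
REFERENCE: Dict[str, str] = {
    "wordpress": "4.4.2",
    "drupal": "7.43",
    "plugin:example-gallery": "3.2.0",
    "plugin:example-forms": "1.9.0",
}

GENERATOR_META = re.compile(r'<meta\s+name="generator"\s+content="WordPress ([\d.]+)"', re.I)
DRUPAL_GEN = re.compile(r"Drupal (\d+(?:\.\d+)*)", re.I)
# The ?ver= on a plugin asset is usually the plugin version, but authors can set it to the
# WordPress version or a cache-buster, so treat it as a hint to confirm on the host
# (for example with `wp plugin list` from WP-CLI), not as ground truth.
PLUGIN_ASSET = re.compile(r"""/wp-content/plugins/([a-z0-9_-]+)/[^"'\s]*\?ver=([\d.]+)""", re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.4.2' -> (4, 4, 2); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def classify(installed: str, latest: str) -> str:
    """Return current / major-behind / minor-behind / patch-behind / indeterminate."""
    i, l = parse_version(installed), parse_version(latest)
    if len(i) < len(l) and i == l[: len(i)]:
        return "indeterminate"  # only the major version is visible; check on the host
    if i >= l:
        return "current"
    for depth, name in enumerate(("major", "minor", "patch")):
        if depth < len(l) and (depth >= len(i) or i[depth] < l[depth]):
            return f"{name}-behind"
    return "behind"


def fingerprint(headers: Dict[str, str], body: str) -> List[Tuple[str, str]]:
    """Extract (component, observed version) pairs from one site's response."""
    found: List[Tuple[str, str]] = []
    m = GENERATOR_META.search(body)
    if m:
        found.append(("wordpress", m.group(1)))
    m = DRUPAL_GEN.search(headers.get("X-Generator", ""))
    if m:
        found.append(("drupal", m.group(1)))
    seen = set()
    for slug, ver in PLUGIN_ASSET.findall(body):
        key = f"plugin:{slug.lower()}"
        if key not in seen:
            seen.add(key)
            found.append((key, ver))
    return found


def patch_lag_report(responses: Dict[str, Dict[str, object]],
                     reference: Dict[str, str]) -> List[dict]:
    """One finding per (site, component), with its status against the reference table."""
    findings = []
    for url, resp in responses.items():
        for component, installed in fingerprint(resp["headers"], resp["body"]):  # type: ignore[arg-type]
            latest = reference.get(component)
            status = classify(installed, latest) if latest else "unknown-component"
            findings.append({"site": url, "component": component,
                             "installed": installed, "latest": latest, "status": status})
    return findings


def outdated(findings: List[dict]) -> List[dict]:
    """Only the findings that are definitely behind the current release."""
    return [f for f in findings if f["status"].endswith("-behind")]


if __name__ == "__main__":
    for f in patch_lag_report(SAMPLE_RESPONSES, REFERENCE):
        print(f"{f['site']:<36} {f['component']:<24} {f['installed']:<8} -> "
              f"{f['latest'] or '?':<8} {f['status']}")
```

Run against real responses, this would flag the WordPress core and one plugin on the main site as behind, and mark the Drupal portal as "indeterminate" because the header only reveals a major version: the point being that a perimeter fingerprint can tell you where to look, but the authoritative version list has to come from the server itself.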