Panama Papers - How Hackers Breached the Mossack Fonseca Firm - InfoSec Resources


  • 8/18/2019 Panama Papers - How Hackers Breached the Mossack Fonseca Firm - InfoSec Resources

    1/12

    4/22/2016 Panama Papers - How Hackers Breached the Mossack Fonseca Firm - InfoSec Resources

    http://resources.infosecinstitute.com/panama-papers-how-hackers-breached-the-mossack-fonseca-firm/ 1/16


Panama Papers – How Hackers Breached the Mossack Fonseca Firm


    Introduction

The Panama Papers are a huge trove of highly confidential documents stolen from the computer systems of the Panamanian law firm Mossack Fonseca and recently leaked online.

It is considered the largest data leak ever: the entire archive contains more than 11.5 million files (2.6 terabytes of data) related to the activities of offshore shell companies used by the most powerful people around the world, including 72 current and former heads of state.

    Figure 1 – Data Leaked (Source: Süddeutsche Zeitung)

To better grasp the scale of the leak, let's compare the size of the stolen data with the size of the archives disclosed after other incidents in the past.


    Figure 2 – Panama Papers – Scale of the data leak (WEF)

Despite the great clamor around the case, most of Mossack Fonseca's clients weren't breaking any law, because the services offered by the firm are legal. The problem is that the service offered by the Panamanian firm could be abused by some of its clients to evade taxes and launder money.

Mossack Fonseca states that it complies with anti-money-laundering rules and that it cannot be blamed for failings by intermediaries such as financial institutions, law firms and accounting professionals.

Mossack Fonseca is the world's fourth-largest provider of offshore services. More than half of the companies are registered in British-administered tax havens, as well as in the UK itself.

The Panama Papers case is exposing the offshore activities of hundreds of politicians and public figures around the world, including Vladimir Putin and Iceland's Prime Minister Sigmundur Davíð Gunnlaugsson.

At the time of writing, although Vladimir Putin's name does not appear in the leaked documents, a $2 billion trail leads right to him. The Russian head of state's close friend, Sergei Roldugin, is the link between the Russian leader and the financial operations managed by the Panamanian firm.

The leaked documents also revealed the existence of an offshore investment fund run by the father of British head of state David Cameron that allowed him to avoid paying tax in Britain by employing a small army of Bahamas residents to sign its documents.

Among national leaders with offshore wealth are Nawaz Sharif, Pakistan's head of state; Ayad Allawi, former interim head of state and former vice-president of Iraq; Petro Poroshenko, head of state of Ukraine; Alaa Mubarak, son of Egypt's former head of state; and the head of state of Iceland, Sigmundur Davíð Gunnlaugsson.

    Figure 3 – Panama Papers

Bloomberg first confirmed the authenticity of the leaked archive, citing the statement of Ramon Fonseca, the co-founder of the Mossack Fonseca firm.

http://www.bloomberg.com/news/articles/2016-04-03/german-paper-claim-huge-trove-of-data-on-offshore-accounts

The Panama Papers documents were shared with the German newspaper Süddeutsche Zeitung by an anonymous source and with the International Consortium of Investigative Journalists (ICIJ), which includes the Guardian as well as the BBC.

The journalists of the ICIJ analyzed the documents in the huge archive for an entire year and are now sharing their findings.

The Panama Papers archive includes emails, bank records, and invoices belonging to the clients of the Mossack Fonseca firm.

Who is the anonymous source, and how did they exfiltrate the data from the company's computers?

According to Ramon Fonseca, the confidential documents were obtained illegally by hackers; the data breach likely affected an e-mail server of the company last year.

The media outlet El Español confirmed this hypothesis: Mossack Fonseca sent an email to its clients announcing that it was investigating the causes of the data breach and that it is taking "all necessary steps to prevent it happening again."

"This firm, considered the largest platform of figureheads in Latin America, with a large portfolio of Spanish customers, said in a statement that it has opened an investigation after confirming that "unfortunately" it has suffered an "attack on its email server,"" reported El Español.

"Mossack Fonseca says it is taking "all necessary steps to prevent it happening again"; that it has "reinforced" its security systems; and that it is working with "expert consultants" to determine exactly what information the "unauthorized persons" accessed. The firm, through its Director of Marketing and Sales, apologizes to its customers and offers an email address to clarify any further questions."

The ICIJ has identified more than 214,000 organizations with a total turnover of several billion dollars.

Who hacked the Mossack Fonseca firm, and how?

Let's start by trying to understand how hackers breached the firm. After the attack, security experts started testing the company's systems to discover alleged flaws exploitable by attackers.

How is it possible that a company that keeps the secrets of thousands of the world's leading organizations and individuals was hacked in such a simple way?

The tests conducted by security researchers revealed the existence of flaws in the systems the company exposed on the Internet.

One of the first assumptions about the alleged hack is that the attackers exploited a flaw in a plugin called Revolution Slider used by the company's WordPress-based website.

Sources on the Internet state that Mossack Fonseca was compromised by hackers who ran a SQL injection attack on one of its sub-domains used for payments.

    http://www.elespanol.com/espana/20160403/114488656_0.html


    Figure 4 – Mossack Fonseca’s Domain alleged breached by hackers

An unknown researcher using the Twitter account @1x0123 claimed to have found a SQL injection flaw in one of the corporate systems belonging to the Panamanian law firm Mossack Fonseca.

"They updated the new payment CMS, but forgot to lock the directory /onion/," he said via the "1x0123" Twitter profile.

In the past, the same hacker has discovered many other security issues in the systems of major media outlets, including the LA Times and the New York Times. He also offered for sale access to insecure systems at NASA.

@1x0123 also contacted Edward Snowden, notifying him of some bugs in one of his projects. Snowden acknowledged the bug report on the Freedom of the Press Foundation website.

    https://twitter.com/1x0123/status/718760771887489024


The WP SMTP plugin stores the email server address and login information in plain text in the WordPress database.

Once the attacker had the WordPress database credentials from the wp-config.php file, he was able to access the mail server.

The ALO EasyMail Newsletter plugin offers list management functionality and needs access to read emails from the email server. In this case too, the plugin stores the email server login information in the WordPress database in plain text.

"Once the attacker also had access to this data, after gaining access to the WordPress database via Revolution Slider, they would have been able to sign into the email server and would be able to read emails via POP or IMAP," reported Wordfence.

Summarizing, it is likely that an attacker gained access to the WordPress website by exploiting a known vulnerability in Revolution Slider, then accessed the database where the information on the email systems was stored.


https://wordpress.org/plugins/alo-easymail/
https://wordpress.org/plugins/wp-smtp/


The experts highlighted that the firm did not enforce the principle of least privilege on the hacked systems, allowing the WordPress plugins' email accounts to have access to resources they did not need.

The experts at Wordfence also explained how hackers probably gained access to corporate client documents by accessing the web portal at https://portal.mossfon.com/.


    Figure 6 – Mossack and Fonseca web portal

Unfortunately, the portal was running an unpatched Drupal version, 7.23, which was affected by dozens of vulnerabilities.

The experts at Wordfence were also able to access the changelog.txt file on the web portal, which confirms that the firm's website was running a flawed version of Drupal.

Figure 7 – Drupal 7.23 Changelog.txt

Once the attacker had compromised "the client login permissions system," he could access any information stored on the portal.
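As an added example (not code from the article or from Wordfence), this Python check shows what an exposed Drupal CHANGELOG.txt discloses to anyone who fetches it: it parses the release headings and compares the newest listed version against a minimum acceptable version chosen by the caller. The sample changelog text and the minimum version (7, 24) used in the usage call are constructed assumptions, not values from the article.

```python
import re

# Drupal 7 CHANGELOG.txt release headings look like "Drupal 7.23, 2013-08-07",
# newest release first.
RELEASE_HEADING = re.compile(
    r"^Drupal (\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?,\s*(\d{4}-\d{2}-\d{2})", re.M)


def releases_in_changelog(text):
    """All (major, minor, date) headings in the file, in file order.
    An empty list means the fetched body is not a Drupal changelog."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in RELEASE_HEADING.finditer(text)]


def assess_exposed_changelog(text, minimum):
    """Classify a fetched changelog body against a minimum acceptable core
    version (major, minor) supplied by the caller (hypothetical parameter)."""
    releases = releases_in_changelog(text)
    if not releases:
        return {"drupal": False, "version": None, "outdated": False}
    major, minor, date = releases[0]            # first heading = running version
    return {"drupal": True, "version": f"{major}.{minor}", "released": date,
            "outdated": (major, minor) < tuple(minimum)}


# Constructed sample shaped like the real file's header; entries are made up.
SAMPLE_CHANGELOG = """\
Drupal 7.23, 2013-08-07
-----------------------
- Constructed sample entry for the 7.23 release.

Drupal 7.22, 2013-04-03
-----------------------
- Constructed sample entry for the 7.22 release.
"""

if __name__ == "__main__":
    # A 404 page or a site that blocks the file yields drupal=False.
    print(assess_exposed_changelog(SAMPLE_CHANGELOG, minimum=(7, 24)))
```

In a real assessment the text would be the body returned for /CHANGELOG.txt; a drupal=True result is itself a finding, since the file should not be web-readable regardless of the version it names.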


We now have a clear idea of the hacking techniques possibly adopted in the Mossack Fonseca breach; however, it is almost impossible to understand who is behind the attack.

The attackers appear politically motivated; they operated with the specific intent to disclose secret information, likely to destabilize the political context in various countries.

Unfortunately, the company's cyber security posture failed to protect the precious information, highlighting the importance of security when dealing with confidential information.

    References

http://panamapapers.sueddeutsche.de/en/
http://securityaffairs.co/wordpress/45998/data-breach/panama-papers.html
http://www.elespanol.com/espana/20160403/114488656_0.html
http://securityaffairs.co/wordpress/46216/breaking-news/panama-leaks.html
http://www.techeconomy.it/2016/04/11/panama-papers-ecco-come-stati-hackerati-dati/
http://www.theregister.co.uk/2016/04/11/hackers_pwn_mossack_fonseca/
http://www.forbes.com/forbes/welcome/#13fbd7c71df5
https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/


AUTHOR

Pierluigi Paganini

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, a firm leader in identity management, and a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at Cyber Defense Magazine, Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to create the blog "Security Affairs," recently named a Top National Security Resource for the US. Pierluigi is a member of The Hacker News team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News magazine and many other security magazines. He is the author of the books The Deep Dark Web and Digital Virtual Currency and Bitcoin.
