8/18/2019 Panama Papers - How Hackers Breached the Mossack Fonseca Firm - InfoSec Resources
4/22/2016 Panama Papers - How Hackers Breached the Mossack Fonseca Firm - InfoSec Resources
http://resources.infosecinstitute.com/panama-papers-how-hackers-breached-the-mossack-fonseca-firm/
Panama Papers – How Hackers Breached the Mossack Fonseca Firm
Introduction
The Panama Papers are a huge trove of highly confidential documents stolen from the computer systems of the Panamanian law firm Mossack Fonseca and recently leaked online.
It is considered the largest data leak ever: the entire archive contains more than 11.5 million files, 2.6 terabytes of data related to the activities of offshore shell companies used by the most powerful people around the world, including 72 current and former heads of state.
Figure 1 – Data Leaked (Source: Süddeutsche Zeitung)
To get a sense of the scale of the leak, let's compare the size of the stolen data to the size of the archives disclosed after other incidents in the past.
Figure 2 – Panama Papers – Scale of the data leak (WEF)
Despite the great clamor around the case, most of Mossack Fonseca's clients were not breaking any law, because the services offered by the firm are legal. The problem is that the services offered by the Panamanian firm could be abused by some of its clients to evade taxes and launder money.
Mossack Fonseca states that it complies with anti-money-laundering rules and that it cannot be blamed for the failings of intermediaries, which include financial institutions, law firms and accounting professionals.
Mossack Fonseca is the world's fourth largest provider of offshore services. More than half of the companies it set up are registered in British-administered tax havens, as well as in the UK itself.
The Panama Papers case is exposing the offshore activities of hundreds of politicians and public figures around the world, including Vladimir Putin and Iceland's Prime Minister David Gunnlaugsson.
At the time of writing, although Vladimir Putin's name does not appear in the leaked documents, a $2 billion trail leads right to him. Sergei Roldugin, a close friend of the Russian head of state, is the link between the Russian leader and the financial operations managed by the Panamanian firm.
The leaked documents also revealed the existence of an offshore mutual fund run by the father of the British head of state David Cameron, which allowed him to avoid paying tax in Britain by employing a small army of Bahamas citizens to sign its documents.
Among national leaders with offshore wealth are Nawaz Sharif, Pakistan's head of state; Ayad Allawi, former interim head of state and former vice-president of Iraq; Petro Poroshenko, head of state of Ukraine; Alaa Mubarak, son of Egypt's former head of state; and the head of state of Iceland, Sigmundur Davíð Gunnlaugsson.
Figure 3 – Panama Papers
Bloomberg first confirmed the authenticity of the leaked archive, citing the declaration of Ramon Fonseca, co-founder of the Mossack Fonseca firm.
The Panama Papers documents were shared by an anonymous source with the German newspaper Süddeutsche Zeitung and with the International Consortium of Investigative Journalists (ICIJ), which includes the Guardian as well as the BBC.
The journalists of the ICIJ analyzed the documents in the huge archive for an entire year and are now sharing their findings.
The Panama Papers archive includes emails, bank records, and invoices belonging to the clients of the Mossack Fonseca firm.
Who is the anonymous source, and how did they exfiltrate the data from the company's computers?
According to Ramon Fonseca, the confidential documents were obtained illegally by hackers; the data breach likely affected an e-mail server of the company last year.
The media outlet El Español confirmed this hypothesis: Mossack Fonseca sent an email to its clients announcing that it was investigating the causes of the data breach and that it is taking "all necessary steps to prevent it happening again."
"This firm, considered the largest platform of figureheads in Latin America, which has a large portfolio of Spanish customers, said in a statement that it has opened an investigation after confirming that it has 'unfortunately' suffered an 'attack on its email server,'" reported El Español.
"Mossack Fonseca says it is taking 'all necessary steps to prevent it happening again'; it has 'reinforced' its security systems; and it is working with 'expert consultants' to determine exactly what information 'unauthorized persons' have accessed. The firm, through its Director of Marketing and Sales, apologizes to its customers and offers an email address to clarify any further questions."
The ICIJ has identified more than 214,000 organizations with a total turnover of several billion dollars.
Who Hacked the Mossack Fonseca Firm, and How?
Let's start by trying to understand how hackers breached the firm. After the attack, security experts started testing the company's systems to discover the presence of flaws exploitable by attackers.
How is it possible that a company that keeps the secrets of thousands of the world's leading organizations and men was hacked in such a simple way?
The tests conducted by security researchers revealed flaws in the systems the company exposed on the Internet.
One of the first assumptions made about the alleged hack is that the hackers exploited a flaw in a plugin called Revolution Slider used by the company's WordPress-based website.
Sources on the Internet state that Mossack Fonseca was compromised by hackers who ran a SQL injection attack on one of its sub-domains used for payments.
Figure 4 – Mossack Fonseca’s Domain alleged breached by hackers
An unknown researcher using the Twitter account @1x0123 claimed to have found a SQL injection flaw on one of the corporate systems belonging to the Panamanian law firm Mossack Fonseca.
"They updated the new payment CMS, but forgot to lock the directory /onion/," he said via the "1x0123" Twitter profile.
In the past, the same hacker discovered many other security issues in the systems of major media outlets, including the LA Times and the New York Times. He also offered for sale access to insecure systems at NASA.
@1x0123 also contacted Edward Snowden, notifying him of some bugs in one of his projects. Snowden acknowledged the bug report on the Freedom of the Press Foundation website.
https://twitter.com/1x0123/status/718760771887489024
The WP SMTP plugin stores the email server address and login information in plain text in the WordPress database.
Once the attacker had access to the WordPress database credentials in the wp-config.php file, he was able to access the mail server.
The ALO EasyMail Newsletter plugin offers list management functionality and needs access to read emails from the email server. In this case too, the plugin stores the email server login information in the WordPress database in plain text.
"Once the attacker also had access to this data, after gaining access to the WordPress database via Revolution Slider, they would have been able to sign into the email server and would be able to read emails via POP or IMAP," reported Wordfence.
Summarizing, it is likely that an attacker gained access to the WordPress website by exploiting a known vulnerability in Revolution Slider, then accessed the database where the information on the email systems was stored.
The experts highlighted that the firm did not enforce the principle of least privilege on the hacked systems, allowing the WordPress plugin email accounts to have access to resources they did not need.
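As an added defender-side example (not code from the article, from Wordfence, or from either plugin), the following Python script audits a WordPress wp_options export for mail credentials stored in plain text inside serialized plugin settings, the condition described above for the WP SMTP and ALO EasyMail plugins, and then reports mailbox logins shared by several plugins, the least-privilege gap the experts pointed out. The option names, hostnames and credentials are constructed sample values, not the plugins' real option keys.

```python
import re

# Constructed wp_options rows (option_name, option_value), not the real option
# keys of WP SMTP or ALO EasyMail; plugins store settings as PHP-serialized arrays.
SAMPLE_OPTIONS = [
    ("siteurl", "http://www.example-lawfirm.test"),
    ("demo_smtp_options",
     'a:4:{s:4:"host";s:21:"mail.example-law.test";s:4:"port";i:587;'
     's:4:"user";s:19:"newsletter@law.test";s:4:"pass";s:9:"Summer16!";}'),
    ("demo_newsletter_pop",
     'a:3:{s:8:"pop_host";s:21:"mail.example-law.test";s:8:"pop_user";'
     's:19:"newsletter@law.test";s:12:"pop_password";s:9:"Summer16!";}'),
]
SECRET_KEY = re.compile(r"pass|pwd|secret", re.I)
CONTEXT_KEY = re.compile(r"host|server|user|login|port", re.I)


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() (string/int/bool/array, ASCII); returns (value, next_pos)."""
    tag = data[pos]
    if tag in "ib":                                 # i:587;  b:1;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        return (raw == "1" if tag == "b" else int(raw)), end + 1
    if tag == "s":                                  # s:<len>:"<text>";
        colon = data.index(":", pos + 2)
        length, start = int(data[pos + 2:colon]), colon + 2
        return data[start:start + length], start + length + 2
    if tag == "a":                                  # a:<n>:{key;value;...}
        colon = data.index(":", pos + 2)
        count, pos, result = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            result[key], pos = php_unserialize(data, pos)
        return result, pos + 1                      # skip closing }
    raise ValueError(f"unsupported PHP type {tag!r} at offset {pos}")


def find_plaintext_mail_credentials(options):
    """Flag serialized arrays holding a non-empty password-like key, plus the host/user beside it."""
    findings = []
    for name, value in options:
        if not value.startswith("a:"):
            continue                                # only serialized arrays
        try:
            settings, _ = php_unserialize(value)
        except (ValueError, IndexError):
            continue                                # malformed value, skip
        for key, val in settings.items():
            if isinstance(val, str) and val and SECRET_KEY.search(str(key)):
                context = {k: v for k, v in settings.items()
                           if CONTEXT_KEY.search(str(k))}
                findings.append({"option": name, "key": key,
                                 "password_length": len(val), "context": context})
    return findings


def shared_accounts(findings):
    """Logins reused by several plugins: one mailbox for sending and reading has more access than either needs."""
    by_login = {}
    for f in findings:
        user = next((v for k, v in f["context"].items()
                     if re.search("user|login", k, re.I)), None)
        by_login.setdefault(user, []).append(f["option"])
    return {u: o for u, o in by_login.items() if len(o) > 1}
```

On a live site the same functions can be run over the rows returned by `wp option list`, and any hit is a credential that a database-read bug such as the Revolution Slider flaw would expose.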
The experts at Wordfence also explained how hackers probably gained access to corporate client documents through the web portal at https://portal.mossfon.com/.
Figure 6 – Mossack and Fonseca web portal
Unfortunately, the portal was running an unpatched Drupal version, 7.23, which was affected by dozens of vulnerabilities.
The experts at Wordfence were also able to access the changelog.txt file on the web portal, which confirms that the firm's website was running a flawed version of Drupal.
Figure 7 – Drupal 7.23 Changelog.txt
Once the attacker had compromised "the client login permissions system," he could access any information stored on the portal.
Now we have a clear idea of the hacking techniques possibly adopted in the Mossack Fonseca breach; however, it is almost impossible to determine who is behind the attack.
The attackers appear politically motivated: they operated with the specific intent to disclose secret information, likely to destabilize the political context in various countries.
Unfortunately, the company's cyber security posture failed to protect its precious information, highlighting the importance of security when dealing with confidential information.
References
http://panamapapers.sueddeutsche.de/en/
http://securityaffairs.co/wordpress/45998/data-breach/panama-papers.html
http://www.elespanol.com/espana/20160403/114488656_0.html
http://securityaffairs.co/wordpress/46216/breaking-news/panama-leaks.html
http://www.techeconomy.it/2016/04/11/panama-papers-ecco-come-stati-hackerati-dati/
http://www.theregister.co.uk/2016/04/11/hackers_pwn_mossack_fonseca/
http://www.forbes.com/forbes/welcome/#13fbd7c71df5
https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
AUTHOR
Pierluigi Paganini
Pierluigi Paganini is Chief Information Security Officer at Bit4Id, a leading firm in identity management, and a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at Cyber Defense magazine, Pierluigi is a cyber security expert with over 20 years of experience in the field, and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to create the blog "Security Affairs," recently named a Top National Security Resource for the US. Pierluigi is a member of The Hacker News team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News magazine and many other security magazines. He is the author of the books The Deep Dark Web and Digital Virtual Currency and Bitcoin.