25 Oct Panama Papers. How one of the largest security breaches in history was due to a missing WordPress plugin update
The Mossack Fonseca data breach, more commonly known as the Panama Papers breach, is one of the largest and most damaging data breaches in history. It remains, to date, the largest data breach whose contents were delivered to journalists. The “Panama Papers” involve 11.5 million documents, including 4.8 million emails and millions of other records. These records detail financial and attorney–client information for more than 214,488 offshore entities. The documents were taken from servers owned by Panamanian law firm and corporate service provider Mossack Fonseca. The documents span a time period from the 1970s through 2015.
Analysis of the documents revealed information that illustrates how wealthy individuals and public officials are able to keep personal financial information private. Reports were able to determine that some of the Mossack Fonseca shell corporations were used for illegal purposes, including fraud, kleptocracy, tax evasion, and evading international sanctions.
You can explore dozens of stories in the excellent online report by the International Consortium of Investigative Journalists at panamapapers.icij.org, which shows who did what, and when.
In the winter of 2015, an anonymous individual or team gained access to the Mossack Fonseca data and then forwarded the documents to German journalist Bastian Obermayer at the newspaper Süddeutsche Zeitung. The large volume of data was impossible for Süddeutsche Zeitung to analyze alone, so they requested assistance from the International Consortium of Investigative Journalists (ICIJ). Journalists from 107 media organizations in 80 countries analyzed the massive number of documents which detailed the operations of the law firm. After more than a year of analysis, the first news stories were published on April 3, 2016, along with 150 of the original documents.
While offshore business entities are often not illegal, damaging information was revealed which had serious implications for some of those named in the reports. Most famously the information outlined the financial dealings of then British prime minister David Cameron and Icelandic prime minister Sigmundur Davíð Gunnlaugsson, and also named 12 current or former world leaders, 128 other public officials and politicians, and hundreds of other members of the elites of over 200 countries.
Although the contents of the reports consumed most of the media attention, for those with an interest in IT security the most important part of the investigation involved the mechanism through which the hackers were able to access the documents at Mossack Fonseca. After all, Mossack Fonseca is not a small operation. They operate 40 offices worldwide and represent a significant fraction of the global shell company services industry. Their clients are some of the most powerful individuals and corporations on the planet. Mossack Fonseca had been investigated a number of times for money laundering and tax evasion prior to the breach. One would expect them to be very careful with their data, and very aware of threats to their data security. So, what went wrong? How could an outside agent gain access to such sensitive data?
On April 7, 2016, security software firm Wordfence announced that Mossack Fonseca was running WordPress with a vulnerable version of Revolution Slider on their production server and that their WordPress server was on the same network as their email servers when the breach occurred. Wordfence provides security software and services to WordPress users. It would have been very simple for them to determine whether the vulnerable version of Revolution Slider was in use at the site, and DNS and IP addresses would have confirmed whether the WordPress server(s) and email server(s) were on the same network.
The initial Wordfence report identified:
“Mossack Fonseca (MF), the Panamanian law firm at the center of the so-called Panama Papers Breach may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures. It is the largest data breach to journalists in history, weighing in at 2.6 terabytes and 11.5 million documents.”
The vulnerability involved in the Slider Revolution plugin was severe, and the Wordfence report explains it well:
“The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server.”
Gaining access to a “shell” on the web server is a significant problem, and may have provided the hackers with the ability to access anything on the server and even add their own content and software.
On April 8, 2016, Wordfence released additional information describing how the attackers may have breached the Mossack Fonseca email servers via WordPress and Revolution Slider. They also explained the manner in which the attackers likely gained access to client documents via Drupal. The Wordfence analysis identified details about the link between WordPress and Mossack Fonseca’s email server. The Drupal story had been covered earlier in the week by Forbes, but Wordfence added some additional data.
This Wordfence check on the Mossack Fonseca site in April 2016 shows that the version of the Revolution Slider plugin in use was still version 2.1.7, which was seriously out of date. It is well known that versions of Revslider all the way up to 3.0.95 are vulnerable to attack.
Wordfence identified that Mossack Fonseca had placed their site behind a firewall by this time, which would protect against this vulnerability being exploited. This was a recent change, occurring within the previous month.
It is interesting that the decision was made to install a firewall, but no effort was made to update the WordPress plugin.
Wordfence also recorded the recent IP history on Netcraft, which showed that their IP was on the same network as their mail servers.
Further analysis by Wordfence at the time identified that the firewall had only recently been placed in front of the WordPress server.
Wordfence summarized their findings in April 2016:
We’ve established that they were (and still are as of April, 2016) running one of the most common WordPress vulnerabilities, Revolution Slider.
Their web server was not behind a firewall.
Their web server was on the same network as their mail servers based in Panama.
They were serving sensitive customer data from their portal website which includes a client login to access that data.
A theory on what happened in the Mossack Fonseca breach:
A working exploit for the Revolution Slider vulnerability was published on 15 October 2014 on exploit-db which made it widely exploitable by anyone who cared to take the time. A website like mossfon.com which was wide open until a month ago would have been trivially easy to exploit. Attackers frequently create robots to hit URLs like: http://mossfon.com/wp-content/plugins/revslider/release_log.txt
Once they establish that the site is vulnerable from the above URL the robot will simply exploit it and log it into a database and the attacker will review their catch at the end of the day. It’s possible that the attacker discovered they had stumbled across a law firm with assets on the same network as the machine they now had access to. They used the WordPress web server to ‘pivot’ into the corporate assets and begin their data exfiltration.
Technical details of the vulnerability in Revolution Slider
This is a brief technical summary from one of our analysts describing the nature of the vulnerability in Revolution Slider that was exploited.
Revolution Slider (also known as Slider Revolution) version 3.0.95 or older is vulnerable to unauthenticated remote file upload. It has an action called `upload_plugin` which can be called by an unauthenticated user, allowing anyone to upload a zip file containing PHP source code to a temp directory within the revslider plugin.
The code samples below point you to where the specific problem is in revslider. Note that the revslider developer is allowing unprivileged users to make an AJAX (or dynamic browser HTTP) call to a function that should be used by privileged users only and which allows the creation of a file an attacker uploads.
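Two details above are directly detectable by a defender: the `release_log.txt` probe that scanning robots request first, and an `admin-ajax.php` call naming the `upload_plugin` action. The following triage script is an added example (not code from Wordfence or from this post) that runs over constructed Apache-style access-log lines and flags both, and checks a discovered plugin version against the 3.0.95 cut-off the text gives; the sample IPs, timestamps and user agents are invented.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not from the original post). The two
# requests from 203.0.113.5 mirror the sequence the text describes: a probe of
# release_log.txt (200 = the version file is publicly readable), then an
# admin-ajax.php request naming the upload_plugin action.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2015:02:14:07 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 200 5120 "-" "curl/7.35"
203.0.113.5 - - [10/Nov/2015:02:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=upload_plugin HTTP/1.1" 200 87 "-" "curl/7.35"
198.51.100.7 - - [10/Nov/2015:02:15:00 +0000] "GET /about-us/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2015:02:15:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PROBE_PATH = "/wp-content/plugins/revslider/release_log.txt"
LAST_VULNERABLE = (3, 0, 95)   # the text: 3.0.95 or older is vulnerable


def triage(log_text):
    """Return one finding per suspicious request: a release_log.txt probe, or an
    admin-ajax.php request whose query string names the upload_plugin action.
    Assumption: the action is in the request line; when it travels only in a
    POST body an access log cannot show it, and WAF or application logs are needed."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path == PROBE_PATH:
            findings.append({"ip": m.group("ip"), "kind": "probe",
                             "status": int(m.group("status"))})
        elif url.path.endswith("/wp-admin/admin-ajax.php"):
            if "upload_plugin" in parse_qs(url.query).get("action", []):
                findings.append({"ip": m.group("ip"), "kind": "upload_action",
                                 "status": int(m.group("status"))})
    return findings


def is_vulnerable_version(version):
    """True when a Revolution Slider version string is 3.0.95 or older."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= LAST_VULNERABLE


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("2.1.7 vulnerable:", is_vulnerable_version("2.1.7"))
```

A probe answered with 200 is itself a finding: it means the version file the robots use to pick targets is readable by anyone, which is the first thing to close off after the plugin is updated.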
A demonstration of Revolution Slider being exploited:
You can view a video demonstration showing just how easy it is to exploit the Revolution Slider vulnerability on a website running the newest version of WordPress and a vulnerable version of Revolution Slider, at this Wordfence page.
Wordfence even said that they tried to contact Mossack Fonseca to offer information and advice. They say, “As a courtesy we have reached out to Mossack Fonseca to inform them about the Slider Revolution vulnerability on their site and have not yet received a response. They appear to be protected against it being exploited, or perhaps re-exploited in this case but the WordPress plugin on the site still needs updating.”
The Wordfence analysis occurred more than one full year after the breach. It is fascinating, then, that for more than a full year the site was not secured, not updated, and not audited. Not only had the previous breach gone undetected for that period of time, but the vulnerabilities present in the system, which could easily have been resolved with an update, remained.
Even days after the documents went public, and presumably well into the time when the Mossack Fonseca team were scrambling to identify the source of their breach, the simplest WordPress plugin updates had still not been installed.
A review of the same analysis is found at webmechanix.com and their conclusion is as accurate as any:
How Does This WordPress Hack Impact Your Site?
The hack changes nothing; you’re either routinely updating your website to patch vulnerabilities or you’re increasing your vulnerability to cyberattacks.
Basic website maintenance will prevent most hacks. So, if you’re protecting sensitive client information, routine updates are the least you can do. But routine updates won’t stop every hack. That’s why we suggest going beyond the bare minimum to implement a website health and security plan. Paying for security monitoring and vulnerability repairs is well worth the price. Just ask Mossack Fonseca and their clients.