|Arabian Post Special| The Mossack Fonseca (MF) data breach that made Panama Papers, the biggest data leak to journalists in history, possible has been traced to a vulnerable version of a plugin used to create sliders in website designs.
According to leading cyber security firm Wordfence, Mossack Fonseca was running WordPress, one of the most popular website platforms in use, with a vulnerable version of the Revolution Slider plugin, and the WordPress server was on the same network as the firm's email servers when the breach occurred.
The security firm has released new information describing how the attackers may have breached the MF email servers via WordPress and Revolution Slider and presented how the attackers probably gained access to client documents via Drupal, another popular platform. Panama Papers covered some 4.8 million emails.
According to Süddeutsche Zeitung, the German publication that originally received the Panama Papers leak, the data structure of the Panama Papers breaks down into over 4 million emails, 3 million database formats, 2 million PDF files, 1 million images and over 320,000 text documents.
Email is by far the largest chunk of data in the MF breach. Last week MF sent an email to its clients saying that it had experienced unauthorized access of its email servers, confirming that the servers were compromised and making it clear this was in fact a hack.
Wordfence showed how trivially easy it was to hack into the MF WordPress website via the vulnerable version of Revolution Slider that they were running. Once you gain access to a WordPress website, you can view the contents of wp-config.php which stores the WordPress database credentials in clear text. The attacker would have used this to access the database.
MF was running the WP SMTP plugin which provides the site the ability to send mail from the website via a mail server. This plugin stores email server address and login information in plain text in the WordPress database. The login information stored is a mail server SMTP login for sending email.
Once an attacker had access to WordPress, then to the wp-config.php file containing the database credentials, and then to the WordPress database itself, they could see the mail server address together with a username and password to sign in and begin sending email. They would also have had whatever other privileges were conferred on that account.
MF was also running the ALO EasyMail Newsletter plugin, which provides list management functionality. One of the functions it provides is to receive bounced emails from a mail server and automatically remove the addresses that bounced from the subscriber list. To do this, the plugin needs access to read emails from the email server. This plugin also stores email server login information in the WordPress database in plain text. In this case the login information provides the ability to receive mail via POP or IMAP from the mail server.
Once the attacker also had this data, after gaining access to the WordPress database via Revolution Slider, they would have been able to sign in to the email server and read emails via POP or IMAP.
One of the key concepts in information security is the principle of least privilege: user accounts should only have the access they need to do their job. But it is easy to imagine that in a company with high-powered clients, the same account a customer relationship manager uses is also used to send list emails, so that the manager sees all replies in his or her inbox. If that was the case, the attacker would have gained access to a senior staff member's email account when they stole these email server credentials.
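The two exposures described above, plain-text mail credentials sitting in the WordPress database and one mail account reused for both sending list mail and reading bounces, can be checked for with a small audit over a wp_options dump. The following script is an added example, not code from the article or from Wordfence: WordPress plugins typically persist their settings as PHP-serialized arrays in the wp_options table, so the script unserializes each value, flags keys that look like a mail-server host, login or password, and reports any login that appears in more than one plugin's settings. The option names and sample rows are constructed for illustration; the real option names used by the WP SMTP and ALO EasyMail plugins are not shown on the page and will differ.

```python
"""Audit WordPress wp_options rows for plain-text mail credentials.

Added example (not from the article or from Wordfence). Option names and
sample rows below are constructed; real plugin option names differ.
"""
import re

# Keys that commonly hold a server address, account name or secret.
CRED_KEY = re.compile(r"pass|pwd|secret|user|login|host|server", re.I)
# Context that marks the setting as mail-related (in the option name or key path).
MAIL_KEY = re.compile(r"smtp|pop|imap|mail", re.I)


def php_unserialize(data: str):
    """Minimal PHP unserialize covering N;, b:, i:, s: and a: (enough for wp_options).

    String lengths are treated as character counts, which matches byte counts for
    the ASCII sample data used here.
    """
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos]
        if t == "N":                       # N;
            pos += 2
            return None
        if t in ("b", "i"):                # b:1;  i:587;
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return raw == "1" if t == "b" else int(raw)
        if t == "s":                       # s:4:"host";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2              # skip ':"'
            value = data[start:start + length]
            pos = start + length + 2       # skip '";'
            return value
        if t == "a":                       # a:2:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                       # skip '}'
            return result
        raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")

    return parse()


def find_mail_credentials(option_name, value, path=""):
    """Walk a decoded option value; return (option, key_path, value) for credential-like keys."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            hits.extend(find_mail_credentials(option_name, child, f"{path}/{key}"))
    elif isinstance(value, str) and value:
        leaf = path.rsplit("/", 1)[-1]
        if CRED_KEY.search(leaf) and (MAIL_KEY.search(option_name) or MAIL_KEY.search(path)):
            hits.append((option_name, path, value))
    return hits


def audit_options(rows):
    """Return (findings, shared_logins) for an iterable of (option_name, option_value) rows."""
    findings = []
    logins = {}  # account name -> set of option names that store it
    for name, raw in rows:
        decoded = raw
        if raw[:2] in ("a:", "s:", "i:", "b:") or raw == "N;":
            try:
                decoded = php_unserialize(raw)
            except (ValueError, IndexError):
                decoded = raw              # not valid serialized data; treat as plain string
        for option, path, value in find_mail_credentials(name, decoded):
            leaf = path.rsplit("/", 1)[-1].lower()
            kind = "password" if re.search(r"pass|pwd|secret", leaf) else "identity"
            findings.append({
                "option": option, "key": path, "kind": kind,
                "value": "*" * 8 if kind == "password" else value,  # never echo the secret
            })
            if kind == "identity" and re.search(r"user|login", leaf):
                logins.setdefault(value, set()).add(option)
    # The same login stored by several plugins means one account is doing several jobs.
    shared = {user: sorted(opts) for user, opts in logins.items() if len(opts) > 1}
    return findings, shared


# Constructed wp_options rows: an SMTP sender config and a POP3 bounce-handler config
# that both use the same mailbox, plus an unrelated plain option.
SAMPLE_ROWS = [
    ("example_smtp_settings",
     'a:4:{s:4:"host";s:17:"mail.example.test";s:4:"port";i:587;'
     's:4:"user";s:20:"manager@example.test";s:4:"pass";s:9:"Secret123";}'),
    ("example_newsletter_bounce",
     'a:3:{s:11:"pop3_server";s:17:"mail.example.test";'
     's:10:"pop3_login";s:20:"manager@example.test";s:9:"pop3_pass";s:9:"Secret123";}'),
    ("blogname", "Example Site"),
]

if __name__ == "__main__":
    found, reused = audit_options(SAMPLE_ROWS)
    for f in found:
        print(f"{f['option']}{f['key']} [{f['kind']}] = {f['value']}")
    for user, opts in reused.items():
        print(f"WARNING: login {user} is shared by {', '.join(opts)}")
```

Run against a real dump (for example the output of `wp option list` or a `SELECT option_name, option_value FROM wp_options` export), every reported password is a credential that anyone who can read wp-config.php and the database can take, and every shared login is a candidate for splitting into a dedicated send-only and a dedicated bounce-mailbox account.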