The Mossack Fonseca data breach, known more commonly as the Panama Papers, which occurred earlier in April contained approximately 11.5 million leaked documents detailing the information of more than 214,488 international entities. The fallout from the leak has been catastrophic for many high-profile and wealthy individuals and corporations who have now been implicated in money laundering, fraud, tax evasion, and the evasion of international sanctions. “John Doe,” who leaked the data, engaged in a variety of intricate processes that enabled him not only to access the data but then to send the data in 4.8 million emails without being identified.
WHAT WAS LOST?
Süddeutsche Zeitung, the German publication that originally received the data, provided a breakdown of exactly what sort of data comprised the leak.
Image source: Süddeutsche Zeitung
It is apparent from the above graphic that the bulk of the information provided came from emails. These emails, likely held on a secure email server, contained much of the incriminating evidence within the breach. So why would a seemingly secure email server be the number one source of lost data? For our purposes, let’s consider what the hacker, or more likely hackers, would need to do in order to access this sort of information, and then let’s consider what could have stopped them.
OUT OF DATE
The first step, most likely, involved accessing the company’s front-facing WordPress website by exploiting a vulnerability in Revolution Slider, a widget that creates home-page slideshows and is common in website design. As Wordfence details on its blog, this is a known vulnerability and could have been easily exploited. Once into the site through the vulnerability, the hackers would have had access to the entire site, including the WordPress database. This site included two common plug-ins which store login information for the email server in plain text in the database, thus giving the hackers easy access to the email server.
In addition to the email server, the bulk of the remaining documents would then have been accessed through the Mossack Fonseca “secure client portal,” which ran on a three-year-old version of Drupal containing at least 25 critical vulnerabilities, including the infamous “Drupalgeddon.” Once any one of these weaknesses was exploited, the hackers had full access to all user accounts and data as well as the site database. This database also likely contained email login information, which served as a second access point to the email server. Additionally, once they had gained control of the client login permissions system, they would have been able to access any and all client information, such as documents and PDFs, no matter where it was stored.
Important to note here: many hackers do not gain access to a system through large-scale or brute-force attacks. These attacks, though still possible, take time and money and leave a larger trail behind to follow. Instead, hackers look for small known vulnerabilities in systems to get a foot in the door. Once in, they can work their way through numerous other connected systems. This is evident in many data breaches, from Sony to Home Depot.
HOW LOCKR COULD HAVE PREVENTED THE HACK
Even if the Revolution Slider or the insecure version of Drupal was the initial entry point, it would be reasonable to suggest that if Mossack Fonseca had been following a proper defense-in-depth strategy and using a service such as Lockr, none of the information would have been left so vulnerable and subsequently compromised. This is because Lockr exists in order to effectively manage access and API keys for systems like email and file storage that many Drupal and WordPress sites are connected to. By removing these API keys from your database, encrypting them, and storing them safely on a remote server, the potential damage from a compromised database or site is virtually eliminated.
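The two points above, that a mail plug-in storing SMTP credentials in the site database turns a database dump into a mail-server compromise, and that keeping only a reference to an externally held secret in the database removes that exposure, can be shown in a few lines. The following is an added example written for this page; it is not Lockr’s code, not the Lockr API, and not anything recovered from the Mossack Fonseca site. It is in Python rather than PHP so it runs stand-alone. The option names, the sample values, and the `RemoteKeyStore` class are constructed stand-ins: a real key service would authenticate the site with a certificate or client credential kept outside the web root, which the `client_token` parameter here merely represents.

```python
"""Added example: audit a CMS options table for plaintext secrets, then move
those secrets behind references to a (hypothetical) external key store so a
copy of the database no longer contains usable credentials."""
import re

# Constructed sample of a WordPress-style wp_options table as a database dump
# would show it. The plug-in names are placeholders, not real plug-ins.
OPTIONS_TABLE_WEAK = {
    "siteurl": "https://example.test",
    "mail_plugin_smtp_host": "mail.example.test",
    "mail_plugin_smtp_user": "notifications@example.test",
    "mail_plugin_smtp_pass": "Winter2016!",          # plaintext mail password
    "storage_plugin_api_key": "AKIAEXAMPLEKEY0000",  # plaintext storage key
}

# Option names that conventionally hold a secret (heuristic, case-insensitive).
SECRET_NAME_RE = re.compile(r"(pass(word)?|secret|api_key|token)$", re.I)
# A value that is only a reference into the external store, never the secret.
REFERENCE_RE = re.compile(r"^lockr:[A-Za-z0-9_-]+$")


def audit_options(options):
    """Return option names whose value looks like a live secret left in the DB.
    A secret-like name is flagged unless its value is just a store reference."""
    return [name for name, value in options.items()
            if SECRET_NAME_RE.search(name) and not REFERENCE_RE.match(value)]


class RemoteKeyStore:
    """Hypothetical stand-in for an external key service (not Lockr's API).
    Secrets live here, outside the site database, and are released only to a
    caller presenting the site's out-of-band client token."""

    def __init__(self, client_token):
        self._client_token = client_token
        self._secrets = {}

    def put(self, ref, value):
        self._secrets[ref] = value

    def get(self, ref, client_token):
        if client_token != self._client_token:
            raise PermissionError("key store rejected request: bad client token")
        return self._secrets[ref]


def migrate_secrets(options, store):
    """Move every flagged secret into the store; leave only a reference in the
    options table. Returns {option_name: reference} for what was moved."""
    moved = {}
    for name in audit_options(options):
        ref = f"lockr:{name}"
        store.put(ref, options[name])
        options[name] = ref
        moved[name] = ref
    return moved


def resolve(options, name, store, client_token):
    """What the plug-in does at send time: dereference through the store."""
    value = options[name]
    if REFERENCE_RE.match(value):
        return store.get(value, client_token)
    return value


def database_dump_exposure(options):
    """What someone holding only a copy of the database sees for secret-like
    options. After migration these are references, not credentials."""
    return {n: v for n, v in options.items() if SECRET_NAME_RE.search(n)}


if __name__ == "__main__":
    options = dict(OPTIONS_TABLE_WEAK)
    print("before:", audit_options(options))
    store = RemoteKeyStore(client_token="site-client-token")
    print("moved:", migrate_secrets(options, store))
    print("after:", audit_options(options))
    print("dump now shows:", database_dump_exposure(options))
    print("plug-in still sends mail with:",
          resolve(options, "mail_plugin_smtp_pass", store, "site-client-token"))
```

The audit step is the part worth keeping around on its own: run it against a copy of the production options table and anything it flags is exactly what an attacker with the slider bug would have read. The design point of the migration is that the reference left in the database is worthless without the separate client credential, so a database-only compromise no longer reaches the mail server; a full server compromise that also steals that credential remains a separate problem, which is why the credential belongs outside the web root and not in the same database.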
You can begin using Lockr in two easy steps: first, install the module in Drupal or the plugin in WordPress; then configure your account by providing an email address in the module or plugin settings. Within minutes you can register an account and deploy an enterprise-grade key storage service to keep your keys safe from prying eyes that may already have a foot in your site’s front door.