In the wake of any anonymous data leak, rumours abound as to the source and method of penetration (or subversion) of the company’s security systems. Was it a disgruntled employee? A state funded incursion to point all eyes at tax avoidance? Commercial espionage by a competitor?
According to various sources online, it appears that the truth may be far more pedestrian: they simply didn’t have their house in order when it came to Cyber Security.
Simple WordPress Exploit
Due to the Revolution Slider vulnerability, hacking the Mossack Fonseca website’s Achilles heel would have been a simple and well-documented hack.
It is believed that by compromising the website, hackers were then able to access the WordPress database (also relatively simple) and extract information stored in the website database that pertained to the main email server. This gave them a foot in the door.
Vulnerable Customer Portal
Similar to web applications, their customer portal was built on top of a framework – in this case, ‘Drupal’ – an often-used framework for complex websites.
Unfortunately, the Drupal framework – like the Revolution Slider – was seriously out of date, using a version (7.23) with known and published vulnerabilities.
Additionally, a text file (called ‘CHANGELOG.txt’) containing version information about Drupal was left in place, giving hackers an exact reference for the type of exploits they could expect to find in the code.
A Common Problem
This situation is all too common because once websites are built, companies seldom want to update the coding behind what people see (or pay for it to be updated).
A key service offered by Fresh Mango to combat this is monthly health checks for websites (and also for servers/PCs), customers that opt for these services know that they are minimizing their attack surface, preventing them from being the ‘soft target’.
Unfortunately, as Mossack Fonseca have discovered, dealing with their website vulnerabilities now has very much been ‘Closing the door when the horse has bolted’ (AKA too little, too late) – in their case, the hack began in 2014 and ran a lengthy course. The processed data didn’t hit the world’s press until all communications with the anonymous source had ceased and all traces of those communications had been destroyed. Even if they had updated their website a year ago, the leak would still have occurred which highlights just how important it is that security efforts are an ongoing,
There are multiple tools available for scanning WordPress, Drupal and similarly built websites for vulnerabilities. To see how straightforward it is, we recommend downloading and using Kali, a free open-source security tool.