Panama Papers hacked through PHP CMS WordPress

The Panama Papers data breach, known as The Mossack Fonseca (MF) is one of the largest breach in history and includes 4.8 million emails. Tha Panama law company was hacked via a WordPress module called Revolution Slider. This plugin is used on more than 2 million websites. Because it’s so popular, there are lots of hacks that targer Revolution Slider.

What is Panama Papers?

The Panama Papers scandal has brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures.

The data breach consists of 2.6 terabytes and 11.5 million documents. The #PanamaPapers database contain details about more than 200 000 offshore entities from all over the world. Tha breach consists of email accounts, passports copies, invoices, banking documents and of course, thousands of offshore registration acts.

This documents offer details about secret business of 128 politicians from all over the world. More than 11 million of documents demonstrates how a global industry, built from law firms and huge banks, sell secrets to politicians, fraudsters and drug traffickers, but also to billionaires and some celebrities.

How does this Cyber Attack did happened?

The Mossack Fonseca website is running WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server. After we inspected the home page source code, we realized that the current MF website uses an older version of Revolution Slider, they were using: 2.1.7. All versions of the Revolution Slider (Revslider) up to 3.0.95 are vulnerable to hacking attacks. For more details, see the image below:

Also, according to their DNS results, the web server and the mail server were hosted on the same machine. More important is that they were hosting private and confidential information on their WordPress database. They weren’t using a Firewall, and there are lots of security companies nowadays.

So, a wordpress website using old version of plugins is a massive security risk. But I guess that Mossack Fonseca website administrators weren’t thinking that something like this could happen.

Conclusion

What everybody should learn from this data breach is that:

– you should always update your CMS (it’s not important what CMS you use, WordPress, Drupal or Joomla, it’s important to be up to date)
– if you host confidential data on your website, you must use a SSL certificate and you must be firewall and ddos protected (there are services like Cloudflare and Sucuri)
– check your website from time to time against new or changed files (it doesn’t matter what programming language is used, if someone changed your index or header/footer files, there are 99.9% chances to be hacked)
– check your database from time to time (there’s a database table used for storing user accounts, for example admins, if your website was hacked, there are chances to find new admin accounts)
– never trust inputs (validate all input fields)