Pros examine Mossack Fonseca breach, identify WordPress, Drupal flaws

Nearly a week after the Panamanian law firm Mossack Fonseca sent an alert to the firm's ultra high-net-worth clients announcing that the firm's email server was breached, a cyber-security executive says his firm has pieced together the details of how the breach of 2.6 terabytes of confidential documents may have occurred.

Mossack Fonseca's main website currently runs an outdated version of Revolution Slider, a WordPress plugin that could grant a remote attacker a shell on the web server, said Feedjit CEO Mark Maunder, in speaking with SCMagazine.com.

Maunder said his team assessed Mossack Fonseca's IP history and discovered that the firm's website IP was on the same network as its mail servers. The law firm's website was wide open until a month ago and would have been “trivially easy” to exploit, he wrote on Wordfence.com, in a security update.  

Wordfence is a WordPress security plugin produced by Feedjit. The update also mentioned that the law firm's web portal accessed by clients reportedly used a vulnerable version of Drupal.

An industry source told SC that Mossack Fonseca's website is “riddled with unpatched vulnerabilities”.

Emil Eifrem, CEO of Neo Technology, told SCMagazine.com that a vulnerability of this magnitude goes against “basic IT operations”. 

Eifrem's firm created the graph database used by the International Consortium of Investigative Journalists (ICIJ) to organise the documents contained in the Panama Papers that were exfiltrated from Mossack Fonseca. If the mail servers were on the same network, it would imply the firm did not “have the fundamentals in place,” he said.

David Gibson, vice president of strategy and market development at Varonis, told SC the idea that files were downloaded internally seems unlikely. “This doesn't seem like mining normal user mailboxes to me. If that is the case, then it shows how glaringly weak the detective capabilities,” he said.

“Clearly they are not security-conscious, because there was a gaping hole,” said Maunder. “It's unlikely that they have intrusion protections in place.”