Mossack Fonseca, the law firm at the center of the Panama Leaks scandal, could have been hacked through outdated versions of WordPress and Drupal, according to analysis by the team behind Wordfence, a security plugin for WordPress
Significant security holes in both CMS platforms, which were being used to power the front end site and a customer portal, could have resulted in the leak that’s shined a harsh light on the wealth of the 1%.
Out of Date CMS and a Vulnerable Plugin:
The law firm’s front end site was using a WordPress plugin that is vulnerable to attack and can provide shell access on the server to a hacker Revolution Slider, the affected plugin, is one of the most common WordPress security vulnerabilities.
A working exploit for Revolution Slider was posted back in October, 2014. Since then, any hacker with enough time on his hands can exploit sites that use the outdated insecure plugin. The working theory is that the hackers found out that Mossack Fonseca were vulnerable via automated robots that routinely check for the plugin invulnerability. Once it was logged as a possible target, the hackers probably rubbed their hands in glee at the unexpected stupidity of storing sensitive data on the same server as web content.
Mossack Fonseca’s WordPress and Drupal installs were out of date by 3 months and 2 years respectively
That’s not all. The firm’s Drupal portal for customers submitting sensitive business information was also out of date by a staggering 2 years. What’s even worse is that Drupal 7 was termed critically vulnerable and experts recommended an immediate upgrade in a later relase. At the time, the Drupal Security Team said, “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC; that is, seven hours after the announcement.”.
So it’s possible that the company’s Drupal site was backdoored for over a year. With the web and email servers being on the same network, it was a matter of time before hackers got to the emails once they had access.
While Mossack Fonseca has put up a firewall in the last month and have updated the WordPress core, it would still be possible to exploit the site if they were running the outdated plugin, notes Wordfence.
In conclusion, we’d like to stress the importance of basic security principles. Just update. If you are using a site that powered by the WordPress CMS, it’s essential that you upgrade your plugins, themes and WP itself as soon as a newer version is available. While your data may not force leaders of countries and MNCs to resign, it’s still valuable.
Image source: Wired