Update: We have written a follow-up post on how an attacker may have moved laterally on the network from WordPress into the email server.

Mossack Fonseca (MF), the Panamanian law firm at the center of the so-called Panama Papers breach, may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures. It is the largest data breach to journalists in history, weighing in at 2.6 terabytes and 11.5 million documents.

Forbes have reported that MF was giving their customers access to data via a web portal running a vulnerable version of Drupal.

We performed an analysis on the MF website and have noted the following:

The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server. Viewing this link on the current MF website to a Revolution Slider file reveals that the version of revslider they are running is 2.1.7. Versions of Revslider all the way up to 3.0.95 are vulnerable to attack.

It appears that MF have now put their site behind a firewall, which would protect against this vulnerability being exploited. This is a recent change within the last month; their IP history on Netcraft further confirms that this was a recent move to protect their website, and shows that their IP was on the same network as their mail servers.

According to the service crawler Shodan, one of the IPs on their 200.46.144.0 network runs an Exchange 2010 mail server, which indicates this network block is either their corporate network or at the very least holds a range of IT assets belonging to the company. Shodan also shows they are running VPN remote access software. The IP addresses used for MF's email are all on the same network block.

A theory on what happened in the Mossack Fonseca breach:

- We have established that they were (and still are) running one of the most commonly exploited WordPress vulnerabilities, in Revolution Slider.
- A working exploit for the Revolution Slider vulnerability was published on 15 October 2014 on exploit-db, which made it widely exploitable by anyone who cared to take the time.
- Their web server was not behind a firewall.
- Their web server was on the same network as their mail servers based in Panama.
- They were serving sensitive customer data from their portal website, which includes a client login to access that data.

A website like this, which was wide open until a month ago, would have been trivially easy to exploit.
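The two checks behind the analysis above, a plugin version compared against the last version the post calls vulnerable and a test of whether several hosts sit in one network block, can be reproduced offline. The script below is an added example written for this page, not code from the original post or from Wordfence. It assumes the version is read from the plugin's release_log.txt (the sample text is constructed), that the 200.46.144.0 block the post names is a /24 (the post gives no prefix length), and the host addresses in it are constructed stand-ins, not the firm's real IPs.

```python
"""Added example, not part of the original post.

1. Extract a Revolution Slider version from release_log.txt text and decide
   whether it falls in the range the post calls vulnerable (everything up to
   and including 3.0.95).
2. Check whether a set of hosts (web, mail, VPN) share one network block.
"""
import ipaddress
import re

# Last version the post describes as vulnerable.
LAST_VULNERABLE = (3, 0, 95)

# Constructed sample of a plugin release_log.txt, newest entry first.
# Not captured from any real site.
SAMPLE_RELEASE_LOG = """\
Version 2.1.7
- fixed: minor bug
Version 2.1.6
- added: new feature
"""


def parse_version(text: str) -> tuple:
    """Return the first 'Version x.y.z' found in release-log text as an int tuple."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version string found")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """Compare as integer tuples: 3.0.100 must sort after 3.0.95, which a plain
    string comparison gets wrong ('3.0.100' < '3.0.95' as strings)."""
    return version <= LAST_VULNERABLE


def shared_block(hosts: dict, cidr: str) -> dict:
    """Map each named host to whether its address lies inside the given block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name: ipaddress.ip_address(ip) in net for name, ip in hosts.items()}


# Constructed addresses: the block is the one the post names, the individual
# host addresses are assumptions for illustration. 203.0.113.5 is a
# documentation (TEST-NET-3) address standing in for an unrelated host.
SAMPLE_HOSTS = {
    "www": "200.46.144.10",
    "mail1": "200.46.144.20",
    "mail2": "200.46.144.21",
    "other": "203.0.113.5",
}

# Assumed prefix length; the post only says "200.46.144.0 network".
ASSUMED_BLOCK = "200.46.144.0/24"


def audit() -> dict:
    """Run both checks and return the findings as a dict."""
    version = parse_version(SAMPLE_RELEASE_LOG)
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
        "same_block": shared_block(SAMPLE_HOSTS, ASSUMED_BLOCK),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The point of the tuple comparison is that dotted versions are not strings: a site on 3.0.100 would be wrongly flagged as vulnerable by a lexical compare against "3.0.95". The network check is the same question the post answers with Shodan and Netcraft, whether the web server shares a block with the mail servers, which is what made lateral movement from WordPress to Exchange plausible.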