Update: We have written a follow-up post on how an attacker may have moved laterally on the network from WordPress into the email server.
Mossack Fonseca (MF), the Panamanian law firm at the center of the so-called Panama Papers breach, may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures. It is the largest data breach to journalists in history, weighing in at 2.6 terabytes and 11.5 million documents.
Forbes have reported that MF was giving their customers access to data via a web portal running a vulnerable version of Drupal. We performed an analysis on the MF website and have noted the following:
The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server.
The MF client portal that provides clients access to data was running (and continues to run) a version of Drupal that has over 23 vulnerabilities. This version was responsible for "Drupageddon", a mass hacking of Drupal sites. This link to mossfon.com's Drupal changelog shows they are still running an old vulnerable version of Drupal.
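The changelog is the tell here: a stock Drupal 7 install publishes CHANGELOG.txt at the web root, and its first entry names the exact running version. The following added example (not code from the original post) audits a site's own docroot for that disclosure and flags core older than 7.32, the release that fixed the "Drupageddon" SQL injection (SA-CORE-2014-005); the sample changelog text is constructed.

```python
import os
import re
from typing import Optional, Tuple

# Constructed sample of the top of a Drupal 7 CHANGELOG.txt. Drupal prepends
# each new release, so the first "Drupal X.Y, date" line is the running version.
SAMPLE_CHANGELOG = """
Drupal 7.23, 2013-08-08
-----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-003.

Drupal 7.22, 2013-04-03
-----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-002.
"""

# Drupal 7.32 shipped the fix for the SQL injection behind "Drupageddon"
# (SA-CORE-2014-005); any Drupal 7 release below it is affected.
DRUPAGEDDON_FIXED = (7, 32)

# Matches release headers such as "Drupal 7.23, 2013-08-08" or "Drupal 7.0-rc1, ...".
VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)(?:-[\w.]+)?,", re.MULTILINE)


def latest_version(changelog: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) of the newest release recorded in the changelog."""
    m = VERSION_RE.search(changelog)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_changelog(changelog: str) -> dict:
    """Report whether a version is disclosed and whether it predates the Drupageddon fix."""
    version = latest_version(changelog)
    if version is None:
        return {"disclosed": False, "version": None, "drupageddon_affected": None}
    affected = version[0] == 7 and version < DRUPAGEDDON_FIXED
    return {"disclosed": True, "version": version, "drupageddon_affected": affected}


def audit_docroot(docroot: str) -> dict:
    """Audit a local Drupal docroot (assumed path) for a published CHANGELOG.txt."""
    path = os.path.join(docroot, "CHANGELOG.txt")
    if not os.path.isfile(path):
        return {"disclosed": False, "version": None, "drupageddon_affected": None}
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_changelog(fh.read())


if __name__ == "__main__":
    print(audit_changelog(SAMPLE_CHANGELOG))
```

A disclosed version is a finding in itself, independent of age: removing CHANGELOG.txt (and the other top-level .txt files Drupal ships) from the web root denies an attacker the fingerprint without changing the upgrade work that actually closes the holes.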