
Sloppy patching, insecure plug-ins made Panama Papers leak possible

Fahmida Y. Rashid | April 8, 2016
WordPress, Drupal, Joomla, and PHP developers need to get their security acts together

Time and time again, data-breach headlines illustrate the cost of ignoring basic security. Regularly updating software is Security 101, especially if the application in question is public-facing or accessible over the Internet.

For content management systems such as WordPress, Drupal, and Joomla, you have to update the core. More important, you have to update the modules and plug-ins. Having the latest core software is not going to mean much if attackers can waltz through security holes in plug-ins and third-party modules.

The Panama Papers leak, exposing how politicians and the wealthy hide money from being taxed, may have been made possible because the law firm that was hacked didn't do that Security 101.

Whoever was behind the Panama Papers leak had to first gain access to the Mossack Fonseca firm's network, then somehow transfer out 2.6TB worth of emails, documents, images, and database information. The Panamanian law firm claimed the attackers hacked the email server, and while that may still be true, it appears the attackers could have just as easily strolled in through vulnerable CMS software.

Mossack Fonseca uses WordPress on its main website and Drupal on the customer portal for sharing sensitive information, and both its Drupal and WordPress sites were outdated, according to an extensive analysis by the team behind WordFence, a WordPress security plug-in. WordPress was three months out of date, and Drupal was almost two years out of date.

It gets worse. Mossack Fonseca was running Revolution Slider, "one of the most common WordPress vulnerabilities," WordFence reported, and WordFence believes the Web server was not behind a firewall at the time of the attack.

"In this case, the site owners did not update for some time, and it resulted in world leaders being toppled and the largest data breach to journalists in history," said Mark Maunder, CEO of Feedjit, the company behind WordFence.

An outdated plug-in opened the WordPress door

Mossack Fonseca was running Revolution Slider version 2.1.7. The latest available version is currently 5.2. Revolution Slider versions 3.0.95 and older have a vulnerability that lets unauthenticated users remotely upload files, such as a Zip file containing PHP source code, to a temporary directory in the plug-in directory. A working Revolution Slider exploit was published on exploit-db back in October 2014, making it "trivially easy" for a remote attacker to gain a shell on the Web server, Maunder wrote.

It appears the law firm put its website behind a firewall within the last month, so the Revolution Slider vulnerability now cannot be exploited directly. But it doesn't appear that the plug-in has been updated yet. Even if the core WordPress installation had been up to date, the WordFence team found that it could still exploit the vulnerability if the outdated plug-in was installed.
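The article's core lesson is that an outdated plug-in, not the WordPress core, was the weak point. A small audit that reads each installed plug-in's version from its header and compares it against a known-vulnerable ceiling is the kind of check a site owner can run on a schedule. The script below is an added example written for this page; it is not code from the article or from WordFence. It assumes the standard WordPress layout (a `wp-content/plugins/<slug>/` directory whose main PHP file carries a `Version:` header line) and assumes the Revolution Slider directory slug is `revslider`; the 3.0.95 ceiling comes from the article, and the sample plug-in tree is constructed inline so the script runs offline.

```python
import os
import re
import tempfile

# Constructed sample plug-in tree mimicking wp-content/plugins (not real plug-in code).
SAMPLE_PLUGINS = {
    "revslider/revslider.php": "<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 2.1.7\n*/\n",
    "contact-widget/contact-widget.php": "<?php\n/*\nPlugin Name: Contact Widget\nVersion: 1.4.0\n*/\n",
}

# Plug-in slug -> highest version still affected. The revslider entry is from the article
# (3.0.95 and older); the slug itself is an assumption about the directory name.
VULNERABLE_AT_OR_BELOW = {"revslider": "3.0.95"}

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:", re.MULTILINE)


def parse_version(text):
    """Turn '2.1.7' into (2, 1, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def plugin_version(plugin_dir):
    """Find the main plug-in file (the one with a 'Plugin Name:' header) and read its Version."""
    for entry in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, entry)
        if not entry.endswith(".php") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            header = fh.read(8192)  # WordPress reads only the top of the file for headers
        if NAME_RE.search(header):
            match = VERSION_RE.search(header)
            return match.group(1) if match else None
    return None


def find_vulnerable(plugins_root, ceilings=VULNERABLE_AT_OR_BELOW):
    """Return (slug, installed_version, ceiling) for every plug-in at or below its ceiling."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir) or slug not in ceilings:
            continue
        installed = plugin_version(plugin_dir)
        if installed is None:
            continue  # no readable header; worth a manual look but not a version finding
        if parse_version(installed) <= parse_version(ceilings[slug]):
            findings.append((slug, installed, ceilings[slug]))
    return findings


def write_sample_tree(root):
    """Materialise SAMPLE_PLUGINS under root and return the plugins directory path."""
    plugins_root = os.path.join(root, "wp-content", "plugins")
    for rel_path, content in SAMPLE_PLUGINS.items():
        full = os.path.join(plugins_root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return plugins_root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for slug, installed, ceiling in find_vulnerable(write_sample_tree(tmp)):
            print(f"{slug}: installed {installed}, vulnerable at or below {ceiling}, update now")
```

Point `find_vulnerable` at a real `wp-content/plugins` directory and extend `VULNERABLE_AT_OR_BELOW` from an advisory feed to turn it into a recurring check; a version at or below the ceiling means the site is exposed regardless of how current the WordPress core is, which is exactly the situation the article describes.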

