By now you’ve likely heard of the Panama Papers Breach. It is the largest data breach to journalists in history, weighing in so far at 2.6 terabytes and 11.5 million documents. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures.
But did you know it may all have started with poor website security and an out-of-date WordPress plugin?
Mossack Fonseca (MF) is the Panamanian law firm at the center of the controversy. The MF website runs WordPress and, up until April 5th, was running a version of the popular Revolution Slider plugin that was vulnerable to attack and would grant a remote attacker a “shell” (command-line access) on the web server.
It appears that MF have now put their site behind a firewall which would protect against this vulnerability being exploited. This is a recent change within the last month.
Revolution Slider (also known as Slider Revolution) version 3.0.95 or older is vulnerable to unauthenticated remote file upload. It contains an action called `upload_plugin` which can be called by an unauthenticated user. This allows anyone to upload a zip file containing programming code to a temporary directory inside the Revolution Slider plugin.
A working exploit for the Revolution Slider vulnerability was published in October of 2014 to the hacker community. This made it widely exploitable by anyone who cared to take the time. A website like mossfon.com, which was wide open until a month ago, would have been trivially easy to spot and attack. Attackers frequently create “robot” programs to automatically test hundreds of sites a day for such possible exploits.
Once the robot establishes that a site is vulnerable, it will simply exploit it and log the result to a database, and the attacker will review their catch at the end of the day. It’s possible that the attacker discovered they had stumbled across a law firm with assets on the same network as the machine they now had access to. They used the WordPress web server to ‘pivot’ into the corporate assets and begin their data exfiltration.
To protect your WordPress installation it is very important that you update your plugins, themes and core when an update becomes available. You should also monitor updates for security fixes and give those the highest priority. You can find out if a WordPress plugin includes a security update by viewing the changes in the “Changelog”.
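The version threshold given above (Revolution Slider 3.0.95 or older is vulnerable) and the advice to keep plugins updated both come down to one check a site owner can automate: read the `Version:` line from each plugin's header and compare it numerically against the last known vulnerable release. The script below is an added example written for this post; it is not code from the original article, from Wordfence, or from the plugin's authors. The 3.0.95 threshold is the one stated above; the plugin header samples are constructed, and the assumed location of the plugin's main file (`wp-content/plugins/revslider/revslider.php`) is an assumption you should verify against your own install. It generalizes beyond the single plugin in the text by accepting a table of plugin names and their last vulnerable versions.

```python
import re
from pathlib import Path

# Threshold stated in the article: Revolution Slider 3.0.95 or older is vulnerable.
REVSLIDER_LAST_VULNERABLE = "3.0.95"

# Matches the "Version: x.y.z" line of a WordPress plugin header, with or
# without the leading " * " used in some header comment styles.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """Turn '3.0.95' into (3, 0, 95). Stops at the first non-numeric piece,
    so '4.1.2-beta' becomes (4, 1, 2)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a, b):
    """Numeric 'a <= b' with zero padding, so '3.0' == '3.0.0' and
    '3.0.9' < '3.0.95' (a plain string compare would get the latter wrong)."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return va <= vb


def header_version(plugin_source):
    """Return the Version string from a plugin's main PHP file, or None."""
    m = HEADER_VERSION_RE.search(plugin_source)
    return m.group(1) if m else None


def is_vulnerable(plugin_source, last_vulnerable=REVSLIDER_LAST_VULNERABLE):
    """True if the header version is at or below the last vulnerable release,
    False if newer, None if the header could not be read (treat as unknown)."""
    v = header_version(plugin_source)
    if v is None:
        return None
    return version_le(v, last_vulnerable)


def audit_sources(sources, thresholds):
    """sources: {plugin_name: main-file contents}; thresholds: {plugin_name:
    last vulnerable version}. Returns {plugin_name: True/False/None}."""
    return {
        name: is_vulnerable(src, thresholds[name])
        for name, src in sources.items()
        if name in thresholds
    }


def audit_install(wp_root, thresholds):
    """Read plugin main files from a WordPress tree (assumed layout:
    wp-content/plugins/<slug>/<slug>.php) and audit them."""
    sources = {}
    for slug in thresholds:
        main_file = Path(wp_root) / "wp-content" / "plugins" / slug / f"{slug}.php"
        if main_file.is_file():
            sources[slug] = main_file.read_text(errors="replace")
    return audit_sources(sources, thresholds)


# Constructed sample headers (not real plugin files).
SAMPLE_OLD = """<?php
/*
Plugin Name: Slider Revolution
Version: 3.0.95
*/
"""
SAMPLE_NEW = """<?php
/*
 * Plugin Name: Slider Revolution
 * Version: 4.6.5
 */
"""

if __name__ == "__main__":
    thresholds = {"revslider": REVSLIDER_LAST_VULNERABLE}
    for label, src in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        status = is_vulnerable(src)
        print(label, header_version(src), "VULNERABLE" if status else "ok")
    # On a real install: audit_install("/var/www/html", thresholds)
```

Run it against a live install with `audit_install(<wp root>, thresholds)`; a `True` means the plugin is at or below the vulnerable release and should be updated immediately, and a `None` means the header could not be parsed and the plugin deserves a manual look rather than being assumed safe.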
In this case the site owners did not update for quite some time. This inattention resulted in world leaders being toppled and the largest data breach to journalists in history.