You have undoubtedly heard about it in recent days: the Panama Papers affair. Yes, that one: the case of the massive leak of documents from Mossack Fonseca, the Panamanian firm that manages offshore companies.
As the press continues to report details from these documents, it is worth asking how the data was obtained. Was it an employee of the Panamanian law firm Mossack Fonseca who decided to disclose the documents, as Edward Snowden did?
In an interview with Reuters, Ramon Fonseca, one of the founders of the law firm, claimed to have been the victim of a hack carried out from foreign servers. “We carried out an internal audit. It is not a question of a leak, it is a question of hacking,” he insisted.
The hack of the firm's servers allowed unknown hackers to extract 2.6 TB of data, including 4.8 million email messages, 2.2 million PDF files, 1.1 million images, and 320 documents in text format.
But how could they have hacked this data?
A representative of Mossack Fonseca confirmed that the hack came through email. How it happened is not known, but external security researchers who tested the firm's mail setup believe that Mossack Fonseca had not enabled TLS to encrypt its email traffic.
“There are several ways to carry out an attack on a mail server,” explained Zak Maples, security consultant at the cybersecurity firm MWR InfoSecurity. According to the consultant, it appears that the server itself was hacked, rather than individual mailboxes.
Drupal and WordPress may be the cause
Other sources support the hacking theory, which could have been facilitated by vulnerabilities in the content management systems used by Mossack Fonseca, namely Drupal and WordPress.
As reported by Forbes, the firm's website runs an old version of Drupal (7.23). That version predates the security patch in Drupal 7.32 that fixed a serious flaw.
But other security researchers have found another way in that could have allowed a hacker to take control of the servers. While the firm's client portal runs on Drupal, its main site runs on WordPress.
The company Wordfence, which specializes in securing the ubiquitous content manager, noticed that the WordPress installation was using an old version of the Revolution Slider plugin, known to have a serious flaw.
Version 3.0.95 of Revolution Slider indeed contains a vulnerability that allows a hacker to download any file from the server. One can, for example, easily download the wp-config.php file. This file contains all the confidential information that WordPress needs to access the site's database.
The company notes that an attacker would therefore have been able to take control of the server hosting the WordPress installation: the same server that hosted the firm's emails.
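As an added illustration of how a defender would spot the kind of arbitrary-file download described above (example code written for this page, not from Wordfence, Forbes or the article), the script below scans web-server access-log lines for plugin requests that traverse out of the web root or ask for wp-config.php. The plugin path "example-slider", the parameter name `img` and the log lines are constructed placeholders, not the real plugin's endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Combined-log-format line: client, ident, user, [time], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Files a plugin endpoint should never hand back; wp-config.php is the one named
# in the article (it holds what WordPress needs to reach the database).
SENSITIVE = ("wp-config.php", ".htaccess")

def decode_all(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding (%252e%252e%252f -> ../) before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_file_disclosure_attempt(target: str) -> bool:
    """True when a plugin request carries a traversal sequence or a sensitive file name."""
    parts = urlsplit(target)
    if "/wp-content/plugins/" not in parts.path:  # demo scope: plugin endpoints only
        return False
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for raw in values:
            v = decode_all(raw).replace("\\", "/").lower()
            if "../" in v or v.endswith(SENSITIVE):
                return True
    return False

def scan_log(lines):
    """Return (client_ip, status, target) for every flagged request, in log order.
    A 200 means the server actually served the file; a 404 means it did not."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_file_disclosure_attempt(m["target"]):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits

# Constructed sample; "example-slider" is a placeholder plugin name, not the real one.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Apr/2016:10:12:01 +0000] "GET /wp-content/plugins/example-slider/show.php?img=../../../wp-config.php HTTP/1.1" 200 3412',
    '203.0.113.5 - - [03/Apr/2016:10:12:05 +0000] "GET /wp-content/plugins/example-slider/show.php?img=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3412',
    '198.51.100.7 - - [03/Apr/2016:10:13:00 +0000] "GET /wp-content/plugins/example-slider/show.php?img=banner.jpg HTTP/1.1" 200 51200',
    '192.0.2.9 - - [03/Apr/2016:10:14:00 +0000] "GET /about/ HTTP/1.1" 200 8800',
    '203.0.113.5 - - [03/Apr/2016:10:15:00 +0000] "GET /wp-content/plugins/example-slider/show.php?img=../../../wp-config.php.bak HTTP/1.1" 404 209',
]
```

Running `scan_log(SAMPLE_LOG)` flags the three traversal requests from 203.0.113.5 and, through the status code, shows that two of them were actually served.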
Who is the hacker?
The source is unknown, and the newspapers publishing articles about the leaked documents probably do not know their identity. A person reportedly transmitted the documents anonymously, via encrypted messaging, to the German newspaper Süddeutsche Zeitung in 2015.