How Mossack Fonseca was Hacked

What comes to mind when you hear the words Panama Papers? I bet it has nothing to do with reading the newspaper while relaxing on a Panamanian beach sipping a margarita. And if that does come to mind, you have probably been living under a rock since the spring of 2016. For most of us just hearing the word or talk of the country Panama makes us think about the massive leak. 

Three years down the line we’re still talking about the Panama Papers. There’s even a new Netflix movie about to launch about the whole event. 

When the Panama Papers dropped on April 3rd 2016, it quickly had wide-reaching results across the world. The Adversary team is based in Reykjavik Iceland, which quickly became the focus of internal press due to the revelation that the Prime Minister was associated with off-shore accounts. This sparked weeks of protests which forced the Prime Minister, Sigmundur Davið Gunnlaugsson, to resign.

The breach of the Mossack Fonseca law firm was at the time, and may very well still be, one of the largest incidents to date. It’s hard to find other cases where a singular data breach has caused entire governments to collapse. 

As such, it’s reasonable to assume that it would be technically difficult to hack into a system as sensitive as Mossack Fonseca’s, right? 

Shockingly, it wasn’t. 

For us here at Adversary, this isn’t surprising. When we train development teams and discuss real-life security with them, we often experience confusion from developers when they start to use the Adversary training platform. They see how simple the labs can sometimes be and we often experience comments like

The answer is shockingly: Yes, it is very often that simple. And that’s why we always encourage developers to learn to take on the mindset of a hacker, because it’s not that difficult. Seeing developers and even non-developers experience that light-bulb moment when they replicate famous attacks like what lead to the infamous Panama Papers leak, is truly delightful. 

And that’s why we occasionally replicate these hacks as public missions to share with the world. This time, we have re-created the panama papers hack in the form of our free “Madversary Funseca” mission. 

Hack it now

So what went wrong?

As it turns out, Mossack Fonseca’s systems suffered from a laundry-list worth of security flaws. Most critically was the use of an instance of Drupal 7.23, which was released on 2013/08/07. That’s 3 years out of date! Under the OWASP Top 10 2017, this is covered by item 9, “Using Components with Known Vulnerabilities”. Out of date software like this has been implicated in many high-profile breaches, such as the 2017 breach of Equifax, which was possibly due to an out of date version of Apache Struts.

But an out of date Drupal installation was just the tip of the iceberg. On the very same webserver, they were hosting an instance of WordPress which was reported to have an out of date version of the “Revolution Slider” plugin, which was vulnerable to an unauthenticated file upload vulnerability. This, in theory, would have allowed the attacker to upload a backdoor to the server, and directly access the Customer Portal. 

It’s your corporate responsibility to be both secure and not a criminal

As a company dedicated to reducing data breaches through security training aimed to defend organizations against hacks, cases like the Panama Papers brings up a lot of questions. The whole reasoning behind wanting companies to be secure is to protect people from falling victim to an attack, but what does it mean when a hack reveals a company’s or many powerful individual’s criminal activity? 

Our training platform is built to teach developers how to hack, so they learn not to make mistakes leading to those software vulnerabilities. Sometimes we recreate famous hacks to show just how easy these can sometimes be. That said, we want to make it crystal clear that this blog and mission is purely meant to be educational and we have no intention of teaching people how to better hide their crimes. 

So go ahead and jump into our platform to experience the replicated hack for yourself and see if you can breach Madversary Funseca’s customer portal.