DOC
:01.txt
The Mossack Fonseca (MF) data breach, aka Panama Papers, is the largest data breach to journalists in history and includes over 4.8 million emails. Yesterday we broke the story that MF was running WordPress with a vulnerable version of Revolution Slider and the WordPress server was on the same network as their email servers when the breach occurred. Today we will release new information describing how the attackers may have breached the MF email servers via WordPress and Revolution Slider. We will also summarize below how they probably gained access to client documents via Drupal. We are breaking the story today about the link between WordPress and MF’s email server. The Drupal story has already been covered earlier this week in the media by Forbes (see below), but we are providing some data to support it. How they hacked email According to Süddeutsche Zeitung, the German publication that originally received the Panama Papers leak, this is the breakdown of the data structure of the Panama Papers: Source: Süddeutsche Zeitung Email is by far the largest chunk of data in the MF breach. Last week MF sent an email to its clients saying that it had experienced unauthorized access of its email servers, confirming that the servers were compromised and making it clear this was in fact a hack. Yesterday we showed how trivially easy it was to hack into the MF WordPress website via the vulnerable version of Revolution Slider that they were running. Once you gain access to a WordPress website, you can view the contents of wp-config.php which stores the WordPress database credentials in clear text. The attacker would have used this to access the database. Our analyst’s research shows that www.mossfon.com is running two plugins in addition to Revolution slider: MF are running the WP SMTP plugin which gives you the ability to send mail from your website via a mail server. This plugin stores email server address and login information in plain text in the WordPress database. The login information stored is a mail server SMTP login for sending email. Here is a screenshot showing the login information for this plugin appearing in a database as plain text on one of our test servers: As you can see above, once an attacker had access to WordPress, the wp-config.php file which contains the database credentials and then the WordPress database, they can see the mail server address and a username and password to sign-in and begin to send email. They would also have had whatever other privileges were conferred on that account. MF are also running the ALO EasyMail Newsletter plugin which provides list management functionality. One of the functions it provides is to receive bounced emails from a mail server and automatically remove those bounced mails from the subscriber list. To do this, the plugin needs access to read emails from the email server. This plugin also stores email server login information in the WordPress database in plain text. In this case the login information provides the abili...
Top topics in this doc (% words in doc assigned to this topic)
(47%)
wordpress server slider revolution mf website running version attacker database
...
(24%)
access email site portal drupal client web systems hack servers
...
(10%)
information details largest list link years read clear ddeutsche email
...
[Index]