[BreachExchange] Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause

Inga Goddijn inga at riskbasedsecurity.com
Mon Apr 11 09:22:41 EDT 2016


https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

Mossack Fonseca (MF), the Panamanian law firm at the center of the
so-called Panama Papers Breach, may have been breached via a vulnerable version
of Revolution Slider. The data breach has so far brought down the Prime
Minister of Iceland and surrounded Russian President Putin and British
Prime Minister David Cameron with controversy, among other famous public
figures. It is the largest data breach to journalists in history, weighing
in at 2.6 terabytes and 11.5 million documents.

Forbes have reported
<http://www.forbes.com/sites/thomasbrewster/2016/04/05/panama-papers-amazon-encryption-epic-leak/#3bedf6c1df59>
that MF was giving their customers access to data via a web portal
<https://portal.mossfon.com/> running a vulnerable version of Drupal. We
performed an analysis on the MF website and have noted the following:

*The MF website runs WordPress and is currently running a version of
Revolution Slider that is vulnerable to attack and will grant a remote
attacker a shell on the web server.*

Viewing this link on the current MF website to a Revolution Slider file
<http://mossfon.com/wp-content/plugins/revslider/release_log.txt> reveals
the version of revslider they are running is 2.1.7. Versions of Revslider
all the way up to 3.0.95 are vulnerable to attack.

It appears that MF have now put their site behind a firewall which would
protect against this vulnerability being exploited. This is a recent change
within the last month.

Looking at their IP history on Netcraft
<http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fmossfon.com%2F>
shows that their IP was on the same network as their mail servers.

ViewDNS.info further confirms
<http://viewdns.info/iphistory/?domain=mossfon.com> that this was a recent
move to protect their website:

According to service crawler Shodan, one of the IPs on their 200.46.144.0
network runs an Exchange 2010 mail server
<https://www.shodan.io/host/200.46.144.136>, which indicates this network
block is either their corporate network or at the very least has a range of
IT assets belonging to the company. We also show they’re running VPN remote
access software <https://www.shodan.io/host/200.46.144.136>.

You can view the IP addresses used for email for MF below which are all on
the same network block:

To summarize so far:

   - We’ve established that they were (and still are) running one of the
   most common WordPress vulnerabilities, Revolution Slider.
   - Their web server was not behind a firewall.
   - Their web server was on the same network as their mail servers based
   in Panama.
   - They were serving sensitive customer data from their portal website
   which includes a client login to access that data.

*A theory on what happened in the Mossack Fonseca breach:*

A working exploit for the Revolution Slider vulnerability was published on
15 October 2014 on exploit-db <https://www.exploit-db.com/exploits/35385/>,
which made it widely exploitable by anyone who cared to take the time. A
website like mossfon.com, which was wide open until a month ago, would have
been trivially easy to exploit. Attackers frequently create robots to hit
URLs like: http://mossfon.com/wp-content/plugins/revslider/release_log.txt

Once they establish from the above URL that the site is vulnerable, the
robot will simply exploit it and log it into a database, and the attacker
will review their catch at the end of the day. It’s possible that the
attacker discovered they had stumbled across a law firm with assets on the
same network as the machine they now had access to. They used the WordPress
web server to ‘pivot’ into the corporate assets and begin their data
exfiltration.

*Technical details of the vulnerability in Revolution Slider*

This is a brief technical summary from one of our analysts describing the
nature of the vulnerability in Revolution Slider that was exploited.

Revolution Slider (also known as Slider Revolution)
<http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380>
version 3.0.95 or older is vulnerable to unauthenticated remote file
upload. It has an action called `upload_plugin` which can be called by an
unauthenticated user, allowing anyone to upload a zip file containing PHP
source code to a temp directory within the revslider plugin.

The code samples below point you to where the specific problem is in
revslider. Note that the revslider developer is allowing unprivileged users
to make an AJAX (or dynamic browser HTTP) call to a function that should be
used by privileged users only and which allows the creation of a file an
attacker uploads.
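The two defender-side checks this post implies, as an added example that is not part of the original message or of the Wordfence write-up: deciding from a release_log.txt whether a revslider install is at or below 3.0.95, and flagging access-log lines that show the release_log.txt probe or an admin-ajax.php call naming the `upload_plugin` action. The release_log.txt layout, the log format and the exact query string of the upload request are assumptions; the sample log lines are constructed.

```python
"""Triage helpers for the Revolution Slider issue: version check and log scan."""
import re

# Highest vulnerable version named in the post; anything newer is treated as patched.
LAST_VULNERABLE = (3, 0, 95)


def parse_version(text):
    """Return the first dotted x.y.z version in text (e.g. from release_log.txt).
    The file layout is assumed; only a 'digits.digits.digits' token is required."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_revslider(text):
    """True when the version found in text is <= 3.0.95 (e.g. the 2.1.7 cited above)."""
    v = parse_version(text)
    return v is not None and v <= LAST_VULNERABLE


# Two request shapes worth alerting on: the release_log.txt probe the post describes,
# and a POST to admin-ajax.php that names the upload_plugin action. The exact query
# string used by the plugin is an assumption; adjust the regex to what your logs show.
PROBE_RE = re.compile(r"/wp-content/plugins/revslider/release_log\.txt")
UPLOAD_RE = re.compile(r"^POST /wp-admin/admin-ajax\.php\?.*upload_plugin")
# Combined-log-format line: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def scan_access_log(lines):
    """Return one finding per suspicious line: source IP, which pattern hit, status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _ts, request, status = m.groups()
        if UPLOAD_RE.search(request):
            findings.append({"ip": ip, "kind": "upload_plugin", "status": int(status)})
        elif PROBE_RE.search(request):
            findings.append({"ip": ip, "kind": "version_probe", "status": int(status)})
    return findings


# Constructed sample lines (not from any real server) showing probe, upload, and noise.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:02:14:09 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 200 5121',
    '203.0.113.7 - - [10/Mar/2016:02:14:11 +0000] "POST /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=upload_plugin HTTP/1.1" 200 43',
    '198.51.100.2 - - [10/Mar/2016:02:15:00 +0000] "GET /index.php HTTP/1.1" 200 9811',
]
```

A probe followed within seconds by an upload_plugin POST from the same address, as in the sample, is the sequence the post describes for automated exploitation and is the pair to correlate on.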

*A demonstration of Revolution Slider being exploited*

The following video demonstrates how easy it is to exploit the Revolution
Slider vulnerability on a website running the newest version of WordPress
and a vulnerable version of Revolution Slider.

*Conclusion*

As a courtesy we have reached out to Mossack Fonseca to inform them about
the Slider Revolution vulnerability on their site and have not yet received
a response. They appear to be protected against it being exploited, or
perhaps re-exploited in this case, but the WordPress plugin on the site
still needs updating.

To protect your WordPress installation it is critically important that you
update your plugins, themes and core when an update becomes available. You
should also monitor updates for security fixes and give those the highest
priority. You can find out if a WordPress plugin includes a security update
by viewing the changes in the “Changelog”.

In this case the site owners did not update for some time and it resulted
in world leaders being toppled and the largest data breach to journalists
in history.

*Update:* 7 April at 3:52 PST – We should add that one of the firm partners
has confirmed that the data was exfiltrated through a hack. There seemed to
be some confusion about whether this was an inside job or a hack. Source: BBC
News <http://www.bbc.com/news/world-latin-america-35975503>.