Did a known vulnerable WordPress Plugin ‘Revolution Slider’ cause the Mossack Fonseca hack?

Basic security practices seemingly were not put in place. Mossack Fonseca is set to become yet another MASSIVE example of how a few small mistakes can lead to disaster.

  • MF using a vulnerable WordPress plugin – Revolution Slider
  • Got access to database holding email login info
  • All emails accessed
  • Web Server not behind a firewall
  • The MF web server on the same network as the email servers
  • Sensitive data was accessible from customer portal

Unless you have been living under a stone for the last week (some may have moved there already…) then you will be aware of the massive data loss incurred by Mossack Fonseca (MF). MF seems to have confirmed that the data loss was down to a hack, rather than an ‘inside job’.

It has since been claimed the hack came from one of two sources – or possibly both.

WordFence Security believe that MF were compromised through a plugin which had a (known) security flaw and which MF had not patched to the latest version.

Forbes have reported that MF were apparently allowing their customers to access data via a website which just happened to be using a vulnerable version of Drupal. WordFence did some analysis and found the following:

MF runs a website on WordPress that was running a version of ‘Revolution Slider’ that is vulnerable to attack and will grant a remote attacker a shell on the web server.

MF were running version 2.1.7 – however it is known that the plugin has security issues up to version 3.0.95. WordFence have identified that MF have now put their site behind a firewall and patched to the latest security fixes for Drupal and WordPress – but this has only happened recently. Hopefully they have amended their network setup and put their email server on a separate physical server. This story is far from over yet, it seems.

What seems to have happened 

A working exploit for the Revolution Slider plugin has been published. This means it is open to anyone to view and play with, if they so desired. Because the MF site was wide open it would have been very easy to exploit. Once any would-be hacker establishes the weak point they will simply exploit it and log it into a database, grab the data and try to make sense of it all offline. It may also be possible that the hackers then discovered they had access to the whole server and, as a result, access to other vital corporate information – rich pickings indeed.

It seems the attacker had gained access to the MF WordPress site via the widely known Revolution Slider vulnerability. This would have given them access to the WordPress database. WordFence research has shown that MF were running two additional plugins that store login information for their email server in plain text in the database. The attacker would have read this information from the WordPress database and used it to gain access to the email server.

The amount of data taken is huge, and it seems the information will be published as and when data trails have been identified. So far it seems it is yet another ‘Hatton Garden’ type data heist that may ruin careers and force resignations of politicians.

WordFence Vulnerable Plugin Video

What you should be doing on your website

  • It seems so easy to say, but always make sure you are patched to the latest security versions of the software that your website uses.
  • If you are running more than just a website make sure it is on a different server and on a different network.
  • Obviously use a Firewall.
  • Run penetration tests on your network servers and any internet interfaces you use.
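One way to check the first point on your own server, as an added example that is not part of the original article or of WordFence's tooling: it reads the `Version:` header from each plugin's main PHP file and flags anything at or below a known-vulnerable ceiling. The 3.0.95 ceiling is the figure quoted above; the folder name `revslider` and the sample plugin file are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Ceiling taken from the article: Revolution Slider has issues up to 3.0.95.
# The plugin folder name "revslider" is an assumption about the install.
KNOWN_VULNERABLE = {"revslider": "3.0.95"}
HEADER_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Turn '2.1.7' into (2, 1, 7) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def plugin_version(plugin_dir):
    """Return the Version header from a plugin's top-level PHP files, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress itself only reads the first 8 KB when looking for headers.
        with open(php, "rb") as fh:
            match = HEADER_RE.search(fh.read(8192))
        if match:
            return match.group(1).decode("ascii")
    return None

def audit_plugins(plugins_dir, advisories=KNOWN_VULNERABLE):
    """List (slug, version, status) for every installed plugin in advisories."""
    findings = []
    for slug, ceiling in sorted(advisories.items()):
        folder = Path(plugins_dir) / slug
        if not folder.is_dir():
            continue  # plugin not installed
        version = plugin_version(folder)
        if version is None:
            status = "UNKNOWN"  # no header found: check by hand
        else:
            status = "VULNERABLE" if parse_version(version) <= parse_version(ceiling) else "OK"
        findings.append((slug, version, status))
    return findings

def demo():
    """Run the audit over a constructed plugins directory (sample data)."""
    with tempfile.TemporaryDirectory() as root:
        folder = Path(root) / "revslider"
        folder.mkdir()
        (folder / "revslider.php").write_text(
            "<?php\n/*\nPlugin Name: Revolution Slider\nVersion: 2.1.7\n*/\n")
        return audit_plugins(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, point `audit_plugins` at the `wp-content/plugins` directory and extend `KNOWN_VULNERABLE` from the advisories you track.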

WordFence is one of, if not THE, security plugins for WordPress, with approx 1,000,000 downloads so far, and should in our opinion be installed as standard on every WordPress website. There are paid versions as well which offer more functionality.

The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware.

Blocking Features, Login Security, Security Scanning, WordPress Firewall, Monitoring Features, Multi-Site Security, Caching Features, IPv6 Compatible, Major Theme and Plugins Supported, Free Learning Center