Welcome back, my novice hackers!
You have probably heard of the Panama Papers hack by now. This was a hack of the servers at Mossack Fonseca, a major law firm in Panama. This law firm specializes in assisting the rich and powerful to hide their wealth from taxes and scrutiny by creating tax havens overseas.
The hack included over 4.8 million emails, 3 million database files, and 2.1 million PDFs. This is the largest data leak in history—over 20 times the scale of the WikiLeaks data leak of 2010.
These emails and documents detailed the inner workings of a law firm that specializes in assisting wealthy individuals from around the world who were using shell corporations to hide wealth and income. Besides the very wealthy and well-connected, many political leaders were implicated in this data leak, including Vladimir Putin, UK Prime Minister David Cameron, Argentina's Prime Minister, Iceland's Prime Minister, and many others.
This hack and the information leak have been a political earthquake, with reverberations and aftershocks rumbling around the world. Its revelations are impacting and beginning to crack some of the status quo power structures worldwide.
First, it has led to the resignation of Iceland's Prime Minister, who was found to be using Mossack Fonseca to hide assets and profit from his own country's financial crisis from 2008 to 2010.
Second, it has led to an apology by the Prime Minister of the UK, David Cameron, who is still under pressure to resign after it was found that he was hiding assets in Panama.
Third, it is pressuring political leaders spanning the globe to explain why they had accounts in Panama to hide their wealth.
Lastly, and maybe most importantly, it is leading to efforts in several countries to tighten laws on these types of tax dodges that the rich and powerful use to hide their wealth and keep from paying taxes. In a world where nearly every nation on earth is facing a budget crisis and piling up huge amounts of debt because tax revenues are not keeping pace with spending, this is critical.
Although no one knows for certain how the attackers gained access to Mossack Fonseca's servers (with the exception, of course, of the attackers themselves), a few key details are known. Probably most importantly, this super-secretive law firm failed to take even the most basic security measures in protecting their clients' information on their servers.
It appears that the law firm's Outlook webmail access had not been updated since 2009, leaving it reliant on the insecure and obsolete SSLv2 protocol and open to the attacks against it. This is likely how the attackers were able to obtain access to the emails.
In addition, the firm's website was built on the content management system Drupal and had not been updated since 2013 (we know this from the website's changelogs). As you can see in the screenshot below, of the known vulnerabilities listed on SecurityFocus, Drupal has had over 25 vulnerabilities discovered since that 2013 update.
Although there is no way to be certain what exploit was used to gain access to the Panama Papers, knowing that the website runs Drupal, we can look through its known vulnerabilities for the ones that would have given the attackers access to the firm's database.
Notice in the screenshot above the "Drupal SQL Comment Filtering System SQL Injection Vulnerability." This vulnerability applies to Drupal versions prior to 7.39. Drupal version 7.39 was released August 19th, 2015. Since the Drupal installation that Mossack Fonseca was using had not been updated since 2013, this vulnerability was likely available to the attackers.
If we click on and expand that vulnerability, we can see under the discussion tab that the exploit of this vulnerability "could allow an attacker to execute arbitrary code, to gain elevated privileges and to compromise the application, access or modify data or exploit latent vulnerabilities in the underlying database."
All of which these attackers did. This is probably how the attackers were able to access the database and the PDFs and gain root privileges on the database server.
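To make the reasoning above concrete from the defender's side, here is an added example (my own code, not Null Byte's and not part of the Drupal project) that you can run against a copy of your own site's CHANGELOG.txt, the same file that revealed the firm's version: it parses the release header, computes how stale the install is, and lists which tracked advisories still apply. The sample changelog text and the FIXED_IN table are constructed assumptions; the only entry in the table is the issue the article names, fixed in 7.39.

```python
"""Audit a Drupal 7 install's CHANGELOG.txt for staleness and known-fixed issues.

Drupal ships CHANGELOG.txt in the web root; its first line reads like
"Drupal 7.22, 2013-04-03", newest release first. Parsing it gives the
running version and release date, which can then be compared against the
versions that fixed published advisories.
"""
import re
from datetime import date

# Constructed sample in Drupal 7's CHANGELOG.txt format (not the firm's file).
SAMPLE_CHANGELOG = """Drupal 7.22, 2013-04-03
-----------------------
- Fixed security issues (multiple vulnerabilities).

Drupal 7.21, 2013-03-06
-----------------------
- Fixed security issues (multiple vulnerabilities).
"""

HEADER_RE = re.compile(r"^Drupal (\d+)\.(\d+), (\d{4})-(\d{2})-(\d{2})\s*$", re.M)

# Assumed advisory table: label -> first fixed version. Only the issue the
# article discusses is listed; extend it with the advisories you track.
FIXED_IN = {
    "SQL comment filtering SQL injection": (7, 39),
}

def parse_changelog(text):
    """Return (version_tuple, release_date) of the newest entry, or None."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    major, minor, y, mo, d = (int(g) for g in m.groups())
    return (major, minor), date(y, mo, d)

def applicable_advisories(version, fixed_in=FIXED_IN):
    """Advisories whose fix version is newer than the installed version.
    Only the same major series counts: a 7.x fix says nothing about 8.x."""
    return sorted(name for name, fix in fixed_in.items()
                  if fix[0] == version[0] and version < fix)

def audit(text, today, max_age_days=365):
    """Summarise: version, days since its release, and still-open advisories."""
    parsed = parse_changelog(text)
    if parsed is None:
        return {"error": "no Drupal release header found"}
    version, released = parsed
    age = (today - released).days
    return {"version": "%d.%d" % version, "age_days": age,
            "stale": age > max_age_days,
            "open_advisories": applicable_advisories(version)}

if __name__ == "__main__":
    print(audit(SAMPLE_CHANGELOG, date(2016, 4, 3)))
```

A changelog left readable in the web root tells outsiders the same thing this script tells you, so removing or restricting it is a reasonable hardening step alongside actually applying the updates.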
Nearly every day a new security breach takes place. Many of them are cybercrime, which accounts for over $400 billion in losses worldwide every year. Some are cyber espionage and cyber warfare, changing the landscape of international relations and warfare in the 21st century. Some, like the Panama Papers hack, rock the world as we know it.
Whatever the nature of the hack, one thing is clear: hacking is the most important skill set of the 21st century and Null Byte is the place to learn it!