The Panama Papers Hack: Further Proof That Hacking Is Changing the World

Welcome back, my novice hackers!

You have probably heard of the Panama Papers hack by now. This was a hack of the servers at Mossack Fonseca, a major law firm in Panama. This law firm specializes in assisting the rich and powerful to hide their wealth from taxes and scrutiny by creating tax havens overseas.

The hack included over 4.8 million emails, 3 million database files, and 2.1 million PDFs. This is the largest data leak in history—over 20 times the scale of the WikiLeaks data leak of 2010.

These emails and documents detailed the inner workings of a law firm that specializes in assisting wealthy individuals from around the world who were using shell corporations to hide wealth and income. Besides the very wealthy and well-connected, many political leaders were implicated in this data leak, including Vladimir Putin, UK Prime Minister David Cameron, Argentina's Prime Minister, Iceland's Prime Minister, and many others.

Former Icelandic PM Sigmundur David Gunnlaugsson. Image by Control Arms/Flickr

Repercussions of the Panama Papers

This hack and the resulting information leak have been a political earthquake, with reverberations and aftershocks rumbling around the world. The revelations are beginning to crack some of the status quo power structures worldwide.

First, it has led to the resignation of Iceland's Prime Minister, who was found to be using Mossack Fonseca to hide assets and profit from his own country's financial crisis from 2008 to 2010.

Second, it has led to an apology by the Prime Minister of the UK, David Cameron, who is still under pressure to resign after it was found that he was hiding assets in Panama.

Third, it is pressuring political leaders spanning the globe to explain why they had accounts in Panama to hide their wealth.

Lastly, and maybe most importantly, it is leading to efforts in several countries to tighten laws on these types of tax dodges that the rich and powerful use to hide their wealth and keep from paying taxes. In a world where nearly every nation on earth is facing a budget crisis and piling up huge amounts of debt because tax revenues are not keeping pace with spending, this is critical.

Protesters in London calling for David Cameron's resignation. Image via Dan Kitwood

How They Hacked Mossack Fonseca

Although no one knows for certain how the attackers gained access to Mossack Fonseca's servers (with the exception, of course, of the attackers themselves), a few key details are known. Probably most importantly, this super-secretive law firm failed to take even the most basic security measures to protect its clients' information on its servers.

It appears that the law firm's Outlook webmail access had not been updated since 2009, leaving it vulnerable to attacks on its insecure and obsolete SSLv2. This is likely how the attackers were able to obtain access to the emails.

In addition, the firm's website was built on the content management system Drupal and had not been updated since 2013 (we know this from the website's changelogs). As you can see in the screenshot below, of the known vulnerabilities listed on SecurityFocus, Drupal has had over 25 vulnerabilities discovered since that 2013 update.

Although there is no way to be certain what exploit was used to gain access to the Panama Papers, knowing that the website uses Drupal, we can scan the known vulnerabilities that would give the attackers access to the firm's database.

Notice in the screenshot above the "Drupal SQL Comment Filtering System SQL Injection Vulnerability." This vulnerability applies to Drupal versions prior to 7.39. Drupal version 7.39 was released August 19th, 2015. Since the Drupal installation that Mossack Fonseca was using had not been updated since 2013, this vulnerability was likely available to the attackers.

If we click on and expand that vulnerability, we can see under the discussion tab that the exploit of this vulnerability "could allow an attacker to execute arbitrary code, to gain elevated privileges and to compromise the application, access or modify data or exploit latent vulnerabilities in the underlying database."

All of which these attackers did. This is probably how the attackers were able to access the database, the PDFs, and gain root privileges on the database server.
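An added example (not from the original article): the version reasoning above, written as a check an administrator can run against their own site's CHANGELOG.txt. The sample changelog, its versions and dates, and the audit date used with it are constructed; only the 7.39 threshold comes from the article.

```python
import re
from datetime import date

# Fixed release named in the article: Drupal 7.39, released 2015-08-19.
FIXED_VERSION = (7, 39)

# Constructed sample in the layout of a Drupal 7 CHANGELOG.txt (newest first).
# Versions, dates and entry text are illustrative, not taken from the firm's site.
SAMPLE_CHANGELOG = """\
Drupal 7.xx, xxxx-xx-xx (development version)
-----------------------

Drupal 7.23, 2013-08-07
-----------------------
- (constructed entry text)

Drupal 7.22, 2013-04-03
-----------------------
- (constructed entry text)
"""

# Release headers look like "Drupal 7.23, 2013-08-07"; placeholder headers
# such as "7.xx, xxxx-xx-xx" do not match and are skipped.
HEADER = re.compile(r"^Drupal (\d+(?:\.\d+)+), (\d{4})-(\d{2})-(\d{2})", re.M)


def parse_releases(changelog):
    """Return [(version_tuple, release_date), ...] for every dated header."""
    releases = []
    for ver, y, m, d in HEADER.findall(changelog):
        version = tuple(int(part) for part in ver.split("."))
        releases.append((version, date(int(y), int(m), int(d))))
    return releases


def assess(changelog, today):
    """Report the newest release in the changelog and whether it predates the fix."""
    releases = parse_releases(changelog)
    if not releases:
        raise ValueError("no dated Drupal release headers found")
    version, released = max(releases)  # do not trust file order
    same_branch = version[0] == FIXED_VERSION[0]
    return {
        "version": ".".join(map(str, version)),
        "released": released.isoformat(),
        "days_since_release": (today - released).days,
        # None when the install is on another major branch and 7.39 is not comparable.
        "missing_fix": version < FIXED_VERSION if same_branch else None,
    }
```

Drupal 7 ships CHANGELOG.txt in the web root, so the same file that feeds this check is readable by any visitor unless it is removed or blocked at the web server.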

The Most Important Skill Set of the 21st Century

Nearly every day a new security breach takes place. Many of them are cybercrime, accounting for over $400 billion in losses worldwide every year. Some are cyber espionage and cyber warfare, changing the landscape of international relations and warfare in the 21st century. Some, like the Panama Papers hack, rock the world as we know it.

Whatever the nature of the hack, one thing is clear: hacking is the most important skill set of the 21st century and Null Byte is the place to learn it!

20 Comments

This is scary how badly they kept up. I mean 2009 software?

You are surprised? That stuff is normal business nowadays.

-Phoenix750

Only a few corporations have the money and necessity to take a major effort into securing their systems. Mainly I would say it's because security now costs so much money that it would be too big of a budget for a low budget firm to keep up with the technology to keep their shit secure from intruders, given the fact that new vulnerabilities are discovered every day now.

Too much money? More like system admins being too lazy to do their job. I could buy most of the necessary security equipment myself, and I'm merely a 17 year old teenager.

-Phoenix750

To run a successful firm with security that will keep skilled hackers away from compromising their systems will cost money. Nothing is free in this world, and vulnerabilities are found every day, exploits are developed and maybe even 0day exploits to the best of our knowledge. Facebook and Google for starters are companies with major budgets, and they are guaranteed investing a lot of money in their company to ensure its safety. And a firm's security comes down to more than just a sys admin looking for clues from a lack of skill hacker. It comes down to skilled and well educated people within the IT industry to tell the CEOs of these companies what's wrong with their network and computers etc. in order to keep them up to date. Corporations have penetration testers testing their systems and finding vulns to fix them. Those people have to be paid, and they aren't cheap. Ensuring an individual's security is barely even a fraction of what a successful firm needs to take into consideration.

So yeah, it does cost a lot of money. And obviously to ensure your security wouldn't be much of a hassle with the financial part because you're exactly a 16 year old, which means you don't need the same type of protection as a major corporation. The comparison is way too far away from each other.

"To run a successful firm with security that will keep skilled hackers away from compromising their systems will cost money."

If you are running a successful firm, you do have the money to invest in security, no other excuses. Period. Not all companies are the size of Facebook yes, but when you are smaller, you don't take more security measures than you actually need. And thus, lower cost!

-Phoenix750

heh oh you guys are in for a treat when you get your first job in the industry :P except you Phoenix750 <3
~Suser

Just today I heard from a friend of mine about a leak from the Syrian Government, also a few gigas of information. This is the age of information, which basically means that it's the age of Hackers! ;)

It has not been proved that it has been cyber hackers who leaked this. It could very well have been an employee.

Of course they'd say that, because that would imply it was something they had no control over. They are trying to save their credibility as a provider of the 'services' they do.

@OTW: Sir, how do you know that the "law firm's Outlook webmail access had not been updated since 2009"? And you said about website changelogs... Did you perform Reconnaissance??? How do we know about website changelogs??

Yeah I have the same question?

PLOT TWIST: OTW is the hacker who leaked the Panama Papers. (Of course not really, but it's a fun thought)

-Phoenix750

I'm even curious about how they found out that the site was running Drupal. Like we can check by adding '/wp-admin' after a site's domain to see if it runs on WordPress, for example 'sitepoint.com/wp-admin'. I guess I'm a noob!

OTW did stop a nuclear strike by a random dictator so you never know :P
