Was the Mossack Fonseca leak down to a WordPress plugin vulnerability?

The Panamanian law firm Mossack Fonseca is currently at the centre of the World’s largest data breech to date. 2.6 terabytes containing 11.5 million documents have been leaked. So far this data breach has caused the Prime Minister of Iceland to resign, surrounded Russian President Putin and British Prime Minister David Cameron with controversy and who knows what else will be discovered as tax authorities round the World start their investigations. Whilst the details of the attack on Mossack Fonseca haven’t been fully revealed there is plenty of speculation and evidence that the cause is down to Lax network security.

Panama Papers Data Breach

It was reported by Forbes that Mossack Fonseca was giving their customers access to data via a web portal running a vulnerable version of Drupal. However, WordFence, WordPress security plugin experts performed their own tests on the Mossack Fonseca website and discovered that the Mossack Fonseca website runs WordPress and is currently running an out of dates version of Revolution Slider that is vulnerable to attack. This vulnerable plugin will grant a remote attacker a shell on the web server. We took a look at the plugins release logs ourselves and took the following screen grab.

Mossack Fonseca Panama Papers Leak

The Revolution Slider release log file reveals the version of revslider Mossack Fonseca are running is 2.1.7. It is well known that versions of Revslider all the way up to 3.0.95 are vulnerable to attack. Whilst the website is still running the vulnerable plugin, it has been placed behind a firewall protecting it from the vulnerability. Further research carried out by WordFence showed that the website was hosted on the same network as their mailservers and was not behind a firewall. The fact that they were also serving sensitive customer data from their portal website meant that the vulnerability on their WordPress site was the way into their network.

Attackers frequently create robots to hit URLs like release logs in order to find out if a site is running vulnerable plugins or modules. Once they establish that the site is vulnerable the robot will exploit it and log it into a database where the attacker will review. Could an attacker have discovered that a law firm was storing assets on the same network as the machine they now had access to? If this was the case, the WordPress plugin vulnerability was used to ‘pivot’ into the corporate assets and begin extracting data.

The following video, created by WordFence Security, demonstrates how easy it is to exploit the Revolution Slider vulnerability on a website running the newest version of WordPress.

Possible other scenarios

Other security experts think that Mossack Fonseca was the victim of a spear-phishing attack. This is when an email releases malware and in this case opened up access to the firm’s network. The tricky bit is that if the attack came from outside the company, the information on who to target in the attack had to come from someone in the company. Judging by the sheer amounts of data leaked, this would indicate the target had to be someone very senior in the firm or that every user in the company had access to all files on the server.

Regardless of how access was gained, once the hackers were inside the network they had access with the company’s data. Apparently none of it was segmented and restricted access to specific people was not implemented. None of the data was encrypted and with nobody monitoring network data traffic, 2.6 terabytes of data was extracted from the company’s network without anyone noticing.


According to the German publication that originally received the Panama Papers leak, Süddeutsche Zeitung, data contained in emails was the largest source of the leak. WordFence Security also discovered that the law firm was using two plugins which stored Email SMTP details unencrypted in the database, WP SMTP plugin and ALO EasyMail Newsletter plugin. It is feasible to deduce that if a hacker gained access through the vulnerable Revolution Slider as shown in the clip above, they would have been able to view the email credentials used in the plugins. If these email accounts were not just restricted to receiving and sending emails online, the attacker would have been able to access all email data from these accounts as well as send emails out originating from these accounts. This would have been the perfect opportunity to launch a spear-phishing attack.

The moral of the story?

Website security is important and if not taken seriously can lead to an embarrassing situation for your company. It can ruin your reputation and also your clients’ faith in your ability to protect their interests. It can lead to law suits and fines. If you are running a WordPress website it is critically important that you update your plugins, themes and core files. You should also monitor updates for security fixes and give those the highest priority as major vulnerabilities are exploited immediately by hackers. If you are not comfortable looking after your WordPress website yourself, get a professional to do it for you. A few pounds spent a month could save your business. We’re not joking when we say failure in website security can literally bring down governments!