Mossack Fonseca Case (Panama Papers) and Drupal, Hacked? What could have happened?

June 18, 2021

Disclaimer: This post is based on assumptions and on comments made in online forum threads; none of it should be taken as established fact, but we want to show the importance of the points discussed below.

For context, if you are not familiar with the Mossack Fonseca case, read the following link (Spanish): http://www.prensa.com/judiciales/Claves-entender-caso-Mossack-Fonseca_0_4404309643.html

In summary, the Mossack Fonseca case, also known as the "Panama Papers", is the biggest data breach in history and includes more than 4.8 million emails in addition to other documents.

It is believed that Mossack Fonseca's emails were obtained through a WordPress site and that access to the documents was gained through a Drupal portal. Reference here.

In this post we'll talk about what could have happened with Drupal. As mentioned, the firm's clients accessed their information through a portal at: https://portal.mossfon.com/.

And here is the description:

"The Mossfon Client Information Portal is a secure online account that enables to access your corporate information anywhere and everywhere, with real time updates of your ongoing request."

[Screenshot of the Mossfon Client Information Portal]

The Drupal version the site was running at the time of the alleged attack was Drupal 7.23. At that time 23 vulnerabilities had already been reported against it, and the count currently stands at 31:

https://www.cvedetails.com/version/156577/Drupal-Drupal-7.23.html

That count covers Drupal core only; it does not include vulnerabilities that may exist in contributed modules.

It was very easy to see that Drupal was running that version, because the site's changelog was publicly accessible at the link:

https://portal.mossfon.com/CHANGELOG.txt

That URL now returns Forbidden, but here is a screenshot:

[Screenshot of https://portal.mossfon.com/CHANGELOG.txt showing the Drupal 7.23 changelog]

Source: https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/

But apparently they blocked only this file; other files that reveal information, such as INSTALL.txt, were still accessible:

https://portal.mossfon.com/INSTALL.txt

These are standard files shipped with every Drupal installation and should be protected or removed. For this reason it is quite possible that Drupal was one of the entry points of this major breach.

I have Drupal or another platform in my organization. What can I do?

Programmers are not perfect, and it is to be expected that published software will have security flaws at some point. This happens in all types of software: operating systems, web platforms (remember the celebrity iCloud breach?), mobile and desktop apps, etc.

Drupal specifically has a community behind it that takes security seriously and a dedicated security team, the Drupal Security Team, which supports developers and resolves security issues related to Drupal.

Recently, Drupal.org added a feature that displays a shield icon on contributed modules; this means that that version of the module was inspected by the Drupal Security Team. We can see an example on the Panels project page:

https://www.drupal.org/project/panels

At this time, Drupal version 7 has "coverage" from the Drupal Security Team:

[Screenshot of drupal.org showing Drupal 7 as covered by the Drupal Security Team]

What could Mossack Fonseca have done to improve the security of its Drupal site?

  • Keep Drupal core and contributed modules updated: we do not necessarily need every module on its latest version, but if a new version brings security fixes it is paramount to install the upgrade. The same applies to Drupal core; not doing so gives an attacker an easy way into our website.
  • Avoid leaving files publicly accessible that reveal specific information about our platform, such as the core version running: in the MF case it was CHANGELOG.txt, and the application's response headers also often reveal a lot about what the site runs on.
  • Login over HTTPS: if the site has a user login, HTTPS should be required so that credentials travel over an encrypted connection.
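As an added example (not from the original post, and not the configuration of the portal discussed above), here is an nginx server block that implements the last two points for a Drupal 7 docroot: it blocks the informational .txt files Drupal 7 ships in its root, strips the X-Generator header Drupal 7 adds to responses, and forces HTTPS for every request including the login form. The hostname, docroot, certificate and PHP-FPM socket paths are assumed values.

```nginx
# Added example (not from the original post): nginx hardening for a Drupal 7 site.
# Assumed values: host portal.example.com, docroot /var/www/drupal, PHP-FPM socket.

# Plain HTTP exists only to redirect, so the login page is never served in the clear.
server {
    listen 80;
    server_name portal.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name portal.example.com;
    ssl_certificate     /etc/ssl/certs/portal.example.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/portal.example.com.key; # assumed path
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/drupal;
    index index.php;

    # Weak (default) behaviour: everything under the docroot is served, so
    # /CHANGELOG.txt and /INSTALL.txt disclose the exact core version.
    # Corrected: answer 404 for the informational files Drupal 7 ships in its root.
    location ~* ^/(CHANGELOG|COPYRIGHT|INSTALL(\.[a-z]+)?|LICENSE|MAINTAINERS|README|UPGRADE)\.txt$ {
        return 404;
    }

    # Do not serve dotfiles (.htaccess, .git) or PHP include/config fragments directly.
    location ~ (^|/)\. { return 404; }
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|sql|theme|tpl(\.php)?|xtmpl)$ {
        return 404;
    }

    # Clean URLs: anything that is not a real file goes through index.php.
    location / {
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
        # Drupal 7 sends "X-Generator: Drupal 7 (http://drupal.org)"; drop it from responses.
        fastcgi_hide_header X-Generator;
    }
}
```

After reloading, `curl -I https://portal.example.com/CHANGELOG.txt` should return 404 and the HTML responses should no longer carry an X-Generator header; the files themselves can also simply be deleted from the docroot.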

These are just some basic configurations, but there are a number of other things that can be done to keep your site secure. If you have questions or need information about the security of your site, please contact us: http://rootstack.com/es/contact

Sources: