My involvement with the Panama Papers came about from curiosity. Originally, I submitted a talk to a nuclear ICS security conference where I intended to show how OSINT techniques could expose a nuclear facility. Presentations should be fun and exciting, especially at a meeting of engineers. A day or two after it was accepted, Daesh started threatening European nuclear facilities. Instead of presenting a how-to which ISIS tw*ts could use, I switched the target to the law firm behind the Panama Papers fiasco, Mossack Fonseca. After the first news hit about the Panama Papers leaks, I decided to sniff around so to speak and had the research data ready. Initially, I intended on keeping my findings more private. However, in 2016, I wrote and leaked a detailed 40-page report to one of the Panama Papers journalists. Containing proof, with step-by-step instructions how to verify my results, create accounts and database access. Hope it helped.
This post is a summary of the findings.
Dorking
Dorking leverages search engine indexing, Google, DuckDuckGo, Bing, etc., scan and index web information. Dorking lets you search what they have already scanned. A passive reconnaissance technique. My first general sweep, looking for any text files MossFon.com was bl**dy amazing. An API for the Mossack Fonseca Client Portal, no security. Change logs, configurations of systems. Not just one page of results, two pages of Google results. I was in hacker heaven, OMG.
Figure 1 General Dorking for text files on MossFon.com search results
Apache version what?!
MossFon.com had an old, outdated web server which hadn’t been patched for years. This version, Apache 2.2.15 can be easily exploited. CVE Details, by MITRE, lists 47 vulnerabilities for the version exposed to the internet. Not to mention the two Metasploit exploitation modules available. There were additional issues, an Oracle database on an insecure, unencrypted port was also exposed to the internet. Databases are primary targets; they contain information, like the >2600 GB of information leaked out from the law firm. I teach both of these exploits in my GPEN/OSCP prep penetration testing courses, and YouTube is filled with how-to videos.
Figure 2 MossFon.com error condition exposing system information
Drupal version what?!
Drupal, an open source customer management system (CMS). Something a multi-national, influential, wealthy law firm dealing with some clients and transactions of known dubious nature should keep very secure. Back in October 2014, Drupal released a Highly Critical, security advisory. The most dangerous type on the vulnerability scale is critical; Drupal stated this was beyond that. Armageddon, complete control, remote, simple, with sites compromised via automated tools and backdoored.
Figure 3 Snippet of the Drupal Highly Critical public service announcement
The Drupal change log was tantalisingly exposed to the internet and showed this wealthy law firm never updated their Drupal or patched it to fix the dangerous condition. The law firm had the tenacity to have one of their IT staff arrested in a European country, trying to pin the blame on this person based partly on dereliction of duty. It took me ages to find his lawyer and send a copy of the report. Years ago, I worked as a network administrator, trying to secure a global engineering firm’s system along with daily operations. After a meeting with the CFO and other executives, his secretary pulled me aside to speak privately. She said, “Dave would prefer it if you didn't mention the word firewall again in meetings. He doesn't know what it means and makes him look bad.” Lack of information security starts from the top.
Figure 4 MossFon.com Drupal change log showing the installed version was below 7.32
Drupal uses various modules to provide features and basic functionality. One of these modules for the unpatched version Mossack Fonseca had installed was a scheduler and scheduler test. This module was not only exposed but allowed the setup of an administrative account 😊 From here, privilege escalation to full admin was possible.
Figure 5 MossFon.com Client Portal scheduler admin for testing
Shodan says buy a mouse trap for that Client Portal!
Mossack Fonseca used a client internet and API accessible portal. Here, a client could log in, see invoices, pay, buy and sell shares. Shares in some cases were significant ownership of shell companies. At the time I conducted my research, MossFon.com and the client portal was hosted on 192.230.92.15, an IP address geolocated in Dover, Delaware, USA. Using a different type of search engine which indexes system information called Shodan. The MossFon.com web server had a lot of ports and services open and exposed to the internet. A web server more closely resembling Swiss cheese. Thirty-seven internet facing ports and services were exposed.
Figure 6 Shodan scan result showing ports and services exposed to the internet on MossFon.com
Some of those ports are well known to be dodgy as h e double hockey sticks. Ports such as 6666, 444, 81. Shodan can report the exact name an application running on a port if the application advertises itself. Most do identify themselves, even Crimeware or remote access Trojans (RAT). Delving deeper into the suspect ports, I discovered a RAT infestation. At least eight RATs, but I needed to summarise for my presentation at the nuclear conference. For the slide, I added in relevant news stories related to the exact RATs running on the Mossack Fonseca client portal. Nice, juicy criminal and government grade. The Dutch were the only ones legally permitted to hack back or hack anything at the time, but RATs don’t seem their style. It made me wonder what governments installed the RATs? Good news, most of the RATs were unsecured which equalled double happy hacker smiles 😊 😊
Figure 7 Four of the RATs installed on MossFon.com with related news information
Is that an exploitable archive server containing >2600GB of data or is your web server just happy to see me?
A favourite tool of mine is Maltego, fantastic once loaded with custom modules and API connectors. However, instead of using a pimped out commercial version, I chose the free community edition which comes with Kali. Budget exploitation on MossFon.com, it seemed fitting. One of the transforms and settings yielded an exciting subdomain which contained lots and lots of documents and files completely unencrypted. Trying to download quickly using a Windows tool called FOCA, crashed FOCA. Heading to surgery the next day, I used a different method after I leaked the report and was out of hospital.
Figure 8 Maltego scan of MossFon.com’s Crypt server
Mossack Fonseca was so weak and provided such an abundance of information, and I turned into a book with some other targets, Trump, GOP, UKIP, DNC, Gert Wilders, the Dutch and German election board systems: Down the Rabbit Hole: An OSINT Journey. The original leaked technical report and an edited, more polished copy will be posted to Peerlyst shortly.