Drupalgeddon strikes back: outdated Drupal allegedly linked to "Panama Papers"

Mossack Fonseca Drupalgeddon

Drupalgeddon vulnerability, also known as SA-CORE-2014-005 affected millions of websites back in 2014 and we believe it started a new era for the Drupal community. It became apparent that if you don't want to put your website or business to a huge risk it's not enough to check for its status once a month, or even once a day - you should be continuously and tirelessly be scanning all available sources of information for potential security vulnerabilities in your code, being prepared to take immediate action.

Otherwise, it's a matter of several hours until your website will be so badly and irreversibly compromised that the only way to recover will be to restore it from the backup, rebuild it from scratch, and even swap your server infrastructure completely, as the attackers could gain access to the file system or the database, this way owning all of it.

Lessons learned - since 2014 the community and business owners became more responsible and aware of the potential security issues imposed by the usage of the Open Source framework. The Drupal Security team is working all days long to scan the core and contribs for possible problems to inform us as soon as they're resolved.

Even more - we've built Drop Guard to address this particular issue (and many related ones), at the same time helping to automate a huge part of the routine work of monitoring and applying security updates.

The Drupalgeddon thing was almost forgotten by now, but surprisingly, on April 5, it emerged from the ashes, following the article on the journey of the so-called "Panama Papers" published by Forbes.

Terabytes of data were leaked from the Panamanian company Mossack Fonseca, exposing information on the offshore assets of the world's political, business leaders and other influential figures.

The impact of the leak is difficult to evaluate, but what's really fascinating is how journalists and technicians gained access to such a massive amount of private data.

We don't know all the details yet, and will probably never know, but some things are clear. There was an email server hack at some point. It was also discovered that Mossack Fonseca website is running on an outdated version of Wordpress - three months old exactly. We doubt it can be the main cause of the leak as there were no highly critical vulnerabilities in Wordpress recently, and this CMS is known for being able to auto-update itself.

What is really intriguing, is that the Mossack Fonseca customer portal, hosted on the separate domain, used the version 7.23 of Drupal, while the patch which fixed the issue came with 7.32.

At the time of writing the CHANGELOG.txt is perfectly accessible at https://portal.mossfon.com/CHANGELOG.txt. In case it's deleted or the server is not available, see the screenshot below.

Mossack Fonseca Drupalgeddon

Just imagine - they've helped to hide billions of dollars, they operate 40 offices around the world and still struggled to spend another half an hour on updating their client portal. What an ironic situation for the company which principal purpose and business are to protect the information of its clients!

The vulnerability was there for two and half years, and it was just a matter of time until someone smart enough finds the way of exploiting it, for better or for worse.

It is not confirmed if the SA-CORE-2014-005 was exactly the cause of the leak, but it's easy to imagine hundreds of thousands of abandoned websites still running somewhere in the wild using the outdated software. And who knows what kind of information do they hide.

If you want to learn more about the vulnerable infrastructure and the codebase of their Customer Portal, check this article.

For those who are following up on this, there is a good write-up on the Wordpress plugin "Revolution slider", which can also be the cause of the data leak. 

Is it Open Source or Drupal to blame? Definitely not. When we make a choice to invest in the Open Source solutions, alongside with all the goodness - community, licensing terms, adoption rates, costs, and innovations - also comes great responsibility. There is no one to accuse in case something is going wrong; there is no "Microsoft" or "Apple" in the Open Source world. 

Free software comes at an enormous cost sometimes, and we hope that the Mossack Fonseca and "Panama Papers" case proves once again that without investing in continuous monitoring, updating, patching, penetration testing, performing numerous security reviews and ensuring your application is always in the healthy state, it makes no sense to consider Open Source solutions for your business in the first place.

But those who take this path should always remember - it's only up to us to make the Drupal and Open Source  ecosystem as secure and reliable as we want it to be.