A hacker going by the online handle of “CyberZeist” has claimed to have hacked the content management system (CMS) of the official website of Federal Bureau of Investigation (FBI), the mainstream investigation agency of the United States.
The hacker claims he compromised the Plone CMS system used by the bureau to obtain login credentials of FBI officers. The hacker has openly dedicated the hack attack to “the Anonymous Movement,” and says that numerous sources have contacted him so far for buying the vulnerability that led to the exploit but he has declined it so far.
Through the hack, CyberZeist claims to steal login information of around 155 officials. The information includes encrypted passwords and email addresses along with the usernames which are now available for Pastebin.
According to information posted by the hacker on Twitter, he managed to hack the Plone CMS of FBI’s website on 22nd December 2016, through exploiting a zero-day vulnerability, which was already identified by someone else. This zero-day is already on sale on the underground forums on the Dark Web via Tor, says CyberZeist.
The hacker stated that, “While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn’t leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI’s response.”
CyberZeist also noted that this vulnerability is also pretty useful for some other organizations such as the Intellectual Property Rights Coordination Center and the EU Agency for Network Information. It is worth nothing that Plone CMS is Open Source software that facilitates Content Management. The FBI uses this software for hosting its official website.
To prove that he actually hacked into the CMS of FBI’s website and leaked the data online, CyberZeist posted various screenshots on Twitter. In the screenshots, everything from gaining unauthorized access to the server to the hacking of the database was shown. CyberZeist used zero-day vulnerability, which was a local file inclusion type flaw that affected the python plugins.
According to the hacker, the FBI opted for a VM to host the site and this prevented him from gaining root privileges, but, he did manage to get some information about the server including information about software and when was the last time that the site underwent a reboot. He further explained that the FBI used a FreeBSD version 6.2_RELEASE with custom configurations, which was launched in 2007.
However, in a blog post, Plone has denied the breach and called it a “hoax”. The firm also stated that its security team is aware of a recent claim and has thoroughly examined it and determining that it is a hoax since there is no zero-day flaw in Plone nor in Plone-based distributions.
“The aim of releasing information from such a hack is to convince people that you’ve indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax” – Matthew Wilkes, Plone security team
We have contacted data breach notification and data mining company Hacked-DB for verifying the authentication of this data. Stay tuned.