At the end of December 2016, the well-known hacker CyberZeist hacked FBI website (fbi.gov) again. It’s the second successful hacker’s attempt to breach and publish FBI’s information to the public. CyberZeist is devoted to the infamous hacker collective Anonymous, and together they hacked FBI’s website in 2011. This time 155 officials’ names, emails, SHA1 Encrypted Passwords, and SHA1 salt has been leaked and published on Pastebin – an open source website which is widely used by hackers.
CyberZeist posted on Twitter about the 0-day vulnerability in Plone Content Management System (CMS) on the 22nd of December 2016. However, the hacker is not the one who discovered this flaw; he was only asked to test it against FBI and Amnesty websites. CyberZeist found out that FBI uses an old version of open source operating system – they were still using the version that was released in January 2007. Meanwhile, the latest version was released in October 2016. In the Pastebin leak, he also accused FBI’s webmaster of having a lazy attitude because backup files (.bck extension) had been kept in the same folder with the site root. CyberZeist promised to post more about the Plone CMS zero-day attack as soon as the exploit will no longer being sold on the Tor network.
Plone CMS platform is supposed to be one of the most secure platforms nowadays. Many well-known companies such as Google, CIA, Property Rights Coordination Center, EU Agency for Network Information and Security, Google, CIA and other United States and European Union organization use it too. Hence, they might be exposed due to this vulnerability as well. The Plone Security team claims to release a security update on 17th of January. However, FBI hasn’t released an official statement about this issue yet.
In the Pastebin leak, CyberZeist sounds a little bit disappointed that United States news agencies do not inform about FBI hack. Meanwhile, news outlets in Germany and Russia are talking about this issue quite actively. The hacker speculates that US news outlets might be afraid to speak of this data breach.