Hacker Leaks Data After Claiming to Hack the FBI – Calls the Agency “Lazy”
For the second time, a hacker has claimed to have successfully breached the FBI’s website, leaking personal account information on a public site.
On December 22, 2016, a hacker using the handle CyberZeist, also known as Le4ky, exploited a zero-day vulnerability in the Plone Content Management System (CMS) of the FBI’s website. The zero-day flaw was allegedly available for sale on an unnamed dark web site, sold by a hacker who goes by the moniker “lo4fer.” The hacker then leaked some of the email addresses and SHA1 hashes, together with their salts, to Pastebin – an open source site often used by hackers to share stolen information or code.
CyberZeist then tweeted about his hack, saying that the FBI was patching up the vulnerability.
[Embedded tweet: CyberZeist (@cyberzeist2), December 31, 2016]
CyberZeist said that the FBI’s webmaster had “a very lazy attitude as he/she had kept the backup files (.bck extension) on the same folder where the site root was placed (Thank you Webmaster!).” The latest hack revealed personal data of 155 agents in the FBI, including their names, passwords, and email accounts.
This is not the first time CyberZeist has claimed to hack the FBI. Back in 2011, he was credited with hacking the FBI as a member of Anonymous, a hacking group. In the Pastebin leak, the hacker said the attack was “totally devoted to the Anonymous Movement.” CyberZeist also warned that other agencies, including the EU Agency for Network & Information Security, Intellectual Property Rights Coordination Center, and Amnesty International, are vulnerable to a similar attack.
FBI hack could possibly be a hoax…
While the FBI hasn’t commented on the issue, Plone’s security team has called the leak a “hoax.” Plone CMS is considered one of the most secure CMSes available and is used by several agencies, including the FBI and the CIA. Here’s what Plone had to say about the alleged attack:
Some users on Twitter are circulating rumours about a zero day vulnerability in Plone being used to attack the FBI.
The Plone Security Team believes that these claims are a hoax. As Plone is open source software, it is easy to fake a screenshot showing Plone’s code. Causing source code to be leaked to the end user is a common form of attack against PHP applications, but as Python applications don’t use the cgi-bin model of execution it has never been a marker of an attack against a Python site.
The hashes [the ‘hacker’] claims to have released have several warning signs that point to them being fake. Firstly, the email addresses used match other FBI emails that have been harvested over the years that are publicly available. The password hashes and salts he claims to have found are not consistent with values generated by Plone, indicating they were bulk generated elsewhere.