The Federal Bureau of Investigation (FBI), the premier investigative agency of the United States of America, had its website content management system hacked. A hacker with the Twitter handle CyberZeist claimed that he had managed to breach the Plone CMS used by the FBI for its website. CyberZeist also leaked around 150 logins online, including email addresses and encrypted passwords.

CyberZeist said he breached the Plone CMS, which is also used by the FBI, in late December using a zero-day that was discovered by somebody else. He stated that the zero-day can be used against several other organizations, including the EU Agency for Network Information and Security and the Intellectual Property Rights Coordination Center. CyberZeist exploited the flaw on 22nd December.

The hacker exploited a zero-day vulnerability in the Plone CMS, an open source content management software used by the FBI to host its website, and leaked personal data of 155 FBI officials to Pastebin, including their names, passwords, and email accounts. CyberZeist tweeted multiple screenshots as proof of his claims, showing his unauthorized access to server and database files using a zero-day local file inclusion type vulnerability affecting its Python plugins.

The hacker says that the site was hosted on a VM, which blocked him from getting root access, but he still managed to retrieve some server information, including software info and the most recent reboot. The FBI was running FreeBSD version 6.2_RELEASE, launched in 2007, with custom configurations, he explained.
— CyberZeist (@cyberzeist2) December 22, 2016

CyberZeist also said that the FBI CMS vulnerability is being sold on underground forums on the Dark Web.

“While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn’t leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI’s response,” CyberZeist said.
Additionally, the hacker says that the zero-day he used to compromise the CMS website is already being sold on Tor, so he won’t share more details until the exploit is no longer available for purchase. The attack is “devoted to the Anonymous movement,” and CyberZeist says that he was already contacted by various sources to sell the zero-day, but he declined.