The hacker leaked the FBI.GOV accounts that he found in several backup files (acc_102016.bck, acc_112016.bck, old_acc16.bck, etc).
Leaked records contain accounts data, including names, SHA1 Encrypted Passwords, SHA1 salts, and emails.
The intrusion occurred on December 22, 2016, the hacker revealed to have exploited a zero-day vulnerability in the Plone Content Management System
“Going back to 22nd December 2016, I tweeted about a 0day vulnerability in Plone CMS which is considered as the most secure CMS till date. This CMS is used by many top
agencies including FBI”
CyberZeist explained that he did not find the zero-day in CMS he exploited, he was just tasked to test it against the websites of the FBI and Amnesty. Other websites are potentially exposed to the same zero-day attack, including Intellectual Property Rights Coordination Center and EU Agency for Network Information and Security.
The vulnerability resides in some python modules of the CMS.
Other Vulnerable websites include EU Agency for Network Information and Security along with Intellectual Property Rights Coordination Center.
The hacker also Tweeted an image of the FBI website that was down just after the hack.
CyberZeist tested the 0-day because the vendor was too afraid to use it aginst the FBI website. The hacker noticed that while media from Germany and Russia published the news about the hack, but US based publishers ignored it.
According to CyberZeist, the FBI contacted him to pass on the leaks.
“I was contacted by various sources to pass on the leaks to them that I obtained after hacking FBI.GOV but I denied all of them. Why? just because I was waiting for FBI to
react on time. They didn’t directly react and I don’t know yet what are they up to, but at the time I was extracting my finds after hacking FBI.GOV,” he wrote.
The expert added further info on the attack, while experts at the FBI were working to fix the issue, he noticed that the Plone 0day exploit was still working against the CMS backend.
“I couldn’t gain a root access (obviously!), but I was able to recon that they were running FreeBSD ver 6.2-RELEASE that dates back to 2007 with their own custom configurations. Their last reboot time was 15th December 2016 at 6:32 PM in the evening.” he added.
It seems that administrators of the websites made some regrettable errors, for example teh exposed the backup files on the same server, it was a joke for the hacker to access them even if he decided don’t publish them immediatelly.
“While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder
where the site root was placed (Thank you Webmaster!), but still I didn’t leak out the whole contents of the backup files, instead I tweeted out my findings and thought to
wait for FBI’s response”
Now let’s sit and wait for the FBI’s response.I obviously cannot publish the 0day attack vector myself as
The hacker confirmed that the 0-day is offered for sale on Tor by a hacker that goes by the moniker “lo4fer.” Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself.
“Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself.” CyberZeist added.
This isn’t the first time CyberZeist hacked the website of the Federal Bureau of Investigation, in 2011 when he was one of the members of the Anonymous collective he broke into the database of the law enforcement agency.
Let’s close with a curiosity … CyberZeist is asking you to chose the next target.
To remain in touch with CyberZeist visit his page on Pastebin
(Security Affairs – Federal Bureau of Investigation, hacking)