For the second time, a hacker known as CyberZeist has breached the FBI’s website and leaked personal account information to a public site.
On December 22, 2016, CyberZeist, also known as Le4ky, exploited a zero-day vulnerability in the Plone Content Management System (CMS) of the FBI’s website, and leaked some of the information to Pastebin, an open source site that is often used by hackers to post stolen information and bits of code.
In the Pastebin leak, the hacker claims that the leak was “totally devoted to the Anonymous Movement.”
A zero-day fault is a vulnerability in the code that has not been detected, listed, or patched yet. Therefore, the FBI had zero days to respond to the attack. CyberZeist was able to find a vulnerability in the Plone CMS, which is considered to be the most secure CMS’ among security experts. It is used for many major websites like Google, the FBI and the CIA, and other major US agencies.
The latest hack revealed personal data on 155 agents in the FBI, including their names, passwords, and email accounts.
CyberZeist warned other agencies that are currently using the Plone CMS that they too are vulnerable to a similar attack, including the EU Agency for Network & Information Security, Intellectual Property Rights Coordination Center, and Amnesty International.
CyberZeist breached the FBI’s site and found they were running an old version of the open source operating system (OS) FreeBSD. While the most recent version, 11.0, was released in October 2016, the FBI is still using version 6.2, which was released in January 2007.
While exploiting the code, CyberZeist discovered that the FBI’s webmaster had “a very lazy attitude as he/she had kept the backup files (.bck extension) on the same folder where the site root was placed (Thank you Webmaster!)”
Authorities in the US have not yet responded to the CyberZeist hacks. CyberZeist claims that they did not discover the vulnerability in the CMS. “I was assigned to test out the 0day vulnerability on FBI and Amnesty website,” because, as they claim, the vendor was “too afraid to use it against the FBI website.”
The hacker confirmed that the zero-day exploit is offered for sale on the Tor network by a hacker that goes by the moniker “lo4fer.” “I obviously cannot publish the 0day attack vector myself as it is being actively sold over tor network for bitcoins,” CyberZeist says in the leak. “Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself.”
In 2011, CyberZeist was also credited with hacking the FBI as a member of the hacking group known as Anonymous. At the time, he was able to breach the FBI’s security with a phishing scam that spoofed a login portal. This is very similar to the way that the recent Democratic National Committee emails were hacked.
In that hack, CyberZeist was able to steal over 250 email addresses and passwords.
For his next assignment, CyberZeist has set up a poll, asking his fans to vote for the next target he should hack. The options are between government services, banking corporations, military and defense services, and an “other” option, where you can tweet your preference to CyberZeist. The popular choice is banking institutions, with over 800 votes so far.