A hacker using the moniker CyberZeist claims to have broken into the FBI's website and leaked data onto a Pastebin account, though the agency denies the claim.
The hacker said the data leaks include several backup files of records containing account data, such as names, SHA1 encrypted passwords, SHA1 salts and emails. The intrusion reportedly occurred on Dec. 22, 2016 and was made possible by a zero-day vulnerability in the Plone Content Management System.
CyberZeist said in the Pastebin post that the vulnerability is in the CMS's various Python modules and that they were assigned to test out the zero-day on the FBI and Amnesty website since the zero-day's vendor was afraid to exploit the vulnerability themselves.
“While exploiting FBI.gov, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn't leak out the whole contents of the backup files, instead I tweeted out my findings and thought I'd wait for the FBI's response,” CyberZeist said in the Pastebin post.
The hacker went on to say that they won't publish the zero-day exploit themselves as it is currently being sold on the dark web. CyberZeist also claimed that other websites were vulnerable, including the EU Agency for Network Information and Security and the Intellectual Property Rights Coordination Center.
“There is no evidence that there was a targeted attack or compromise against FBI.gov,” an FBI spokesperson told SC Media. However, some security pros expressed doubt.
“If claims, supported by screenshots, of publicly accessible backups, missing chroot, absence of access and privilege segregation, are true – the FBI should entirely revise their approach to web application security," Ilia Kolochenko, CEO at High-Tech Bridge, told SC Media."It's very regrettable to see such a negligent approach to web application security from such an agency as the FBI,” Kolochenko said. “They put at risk not only their main website and the interconnected infrastructure, but provide cybercriminals from all over the world with a universal bridgehead to attack global companies and governments by placing malware on the FBI's website.
He added that many exploitation vectors of common web application vulnerabilities, including unpatched zero days, can be efficiently mitigated by proper web server hardening and a WAF.