Some other orgs suffering from the same vulnerability

Jan 5, 2017 10:29 GMT

The FBI’s content management system has been hacked by CyberZeist, who also managed to get access to more than 150 logins, including email addresses and encrypted passwords.

CyberZeist said he breached the Plone CMS, which the FBI also uses, in late December using a zero-day that was discovered by somebody else. He added that other organizations are vulnerable to the same attack, including the EU Agency for Network Information and Security and the Intellectual Property Rights Coordination Center.

After hacking the FBI.gov website, CyberZeist discovered what he describes as logins which, according to a database dump, seem to include email addresses and SHA1-encrypted passwords.

The hacker says that the site was hosted on a VM, which blocked him from getting root access, but he still managed to retrieve some server information, including software details and the time of the most recent reboot. The FBI was running FreeBSD version 6.2_RELEASE, released in 2007, with custom configurations, he explained.

“While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn't leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI's response,” CyberZeist said.

Supporting the Anonymous movement

Additionally, the hacker says that the zero-day he used to compromise the CMS website is already being sold on TOR, so he won’t share more details until the exploit is no longer available for purchase.

The attack is “devoted to the Anonymous movement,” and CyberZeist says that he was already contacted by various sources to sell the zero-day, but he declined.

Amnesty International, one of the organizations using the same CMS software, has already acknowledged the vulnerability. The FBI hasn’t yet commented on this hack, so we’re still waiting for more information from the agency as well.

In the meantime, CyberZeist said the FBI was working on patching the vulnerability on New Year’s Eve, so it’s believed that the CMS is secure now and the zero-day no longer exposes the logins.