Leaked FBI data has been posted online after a well-known hacker penetrated the Fed’s CMS
The website of the Federal Bureau of Investigation (FBI) has been hacked again by an attacker known as CyberZeist, who then leaked personal account information to Pastebin.
The attack took place just before Christmas on 22 December, and CyberZeist is said to have exploited a zero-day vulnerability in the Plone Content Management System (CMS) of the FBI.gov website, according to his Twitter feed.
It should be noted that this is not the first time that the FBI website has been hacked. Early last year FBI agents travelled to Scotland to observe the arrest of a 15-year-old schoolboy in Glasgow over a hack of an FBI system.
According to the data posted on Pastebin, CyberZeist found account information during his hack, including names, SHA1 encrypted passwords, SHA1 salts and emails, as well as 155 logins.
According to the Security Affairs website, CyberZeist apparently was “tasked” by a vendor to test the CMS against both the FBI and Amnesty. The flaw apparently resides in some Python modules of the Plone CMS.
Other websites are potentially exposed to the same zero-day attack, including the Intellectual Property Rights Coordination Center and the EU Agency for Network Information and Security.
CyberZeist tweeted an image of the hacked FBI website, before it was taken down.
Some security experts have lamented that the hacker was able to penetrate the systems of one of the world’s foremost law enforcement agencies.
“It’s very regrettable to see such a negligent approach to web application security from such an agency as the FBI,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge.
“They put at risk not only their main website and the interconnected infrastructure, but provide cybercriminals from all over the world with a universal bridgehead to attack global companies and governments by placing malware on the FBI’s website,” he said.
“Many exploitation vectors of common web application vulnerabilities, including unpatched 0days, can be efficiently mitigated by proper web server hardening and a WAF, but it looks like the FBI ignores these common best practices,” said Kolochenko.
“If claims, supported by screenshots, of publicly accessible backups, missing chroot, absence of access and privilege segregation, are true – the FBI should entirely revise their approach to web application security.”