The Hacker News is reporting that a hacker calling himself “CyberZeist” claims to have gained unauthorized access to the FBI website. CyberZeist defaced the site and posted personal data of FBI officials to Pastebin, claiming that he used “a zero-day local file inclusion type vulnerability” using the python plugins of Plone CMS, which is the software that the FBI uses on the site. CyberZeist further claims that the FBI website is hosted on a virtual machine that runs an older version of FreeBSD.
Plone is an open source, enterprise level content management system that is used by many high-profile organizations. This morning Plone issued a security advisory stating that they will issue a security update on January 17. Plone also made this statement to The Register, claiming there was no compromise:
“The Plone Security Team believes that these claims are a hoax. As Plone is open source software, it is easy to fake a screenshot showing Plone’s code. Causing source code to be leaked to the end user is a common form of attack against PHP applications, but as Python applications don’t use the cgi-bin model of execution it has never been a marker of an attack against a Python site.
“The hashes [the ‘hacker'] claims to have released have several warning signs that point to them being fake. Firstly, the email addresses used match other FBI emails that have been harvested over the years that are publicly available. The password hashes and salts he claims to have found are not consistent with values generated by Plone, indicating they were bulk generated elsewhere.”
While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn't leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI's response
The FBI has not commented so far.
Whether this is a hoax or a genuine compromise, it's a reminder that public facing surfaces are going to be targeted by hackers like CyberZeist. In the case of the FBI hack here we've mentioned four vulnerable layers of technologies:
• The website code itself, Plone CMS
• Plone CMS plugins, which are all their own applications with their own distinct code
• The Virtual Machine software
• The customized FreeBSD operating system
In order to build a robust website, you have to have multiple public-facing components at work. This increases the exposure and forces developers and system administrators to take a deeper look at their security. The best approach to all of this is to deploy security in multiple layers. Secure code, web application firewalls, and other best practices will help minimize the damage, even if the report of the hack is a hoax.
While there doesn't seem to be any unshakable evidence that Plone was compromised as CyberZeist claims, the fact that Plone responded with a security advisory does cast some doubt on the claim that the hack was a hoax. Does it really matter if this was a legitimate compromise? The hacker cast doubt on the security of the organization and the professionalism of the IT staff. Additionally, The Register reports that several other websites are also vulnerable to this exploit.
Even in the best case scenario, the affected organizations now have to spend some resources on damage control. This takes time and energy away from the primary business mission.
For more on this incident: