
The Plone community claims the FBI hack is a fake, it’s a mystery

CyberZeist claims that he hacked the FBI’s website exploiting a zero-day flaw in Plone, but the Plone security team declared the FBI hack is a hoax.

Security Affairs was probably the first blog to spread the news of the alleged FBI hack. I was contacted by the notorious hacker CyberZeist, who is very popular in the hacking community due to his past hacks.

CyberZeist (@cyberzeist2) announced he had broken into the FBI website FBI.gov and leaked data on Pastebin.

The hacker leaked 150 FBI.GOV accounts that he claims to have found in several backup files (acc_102016.bck, acc_112016.bck, old_acc16.bck, etc.).
The leaked records contain account data, including names, SHA1 password hashes, SHA1 salts, and email addresses.

According to the hacker, the intrusion occurred on December 22, 2016; he claimed to have exploited a zero-day vulnerability in the Plone Content Management System.

“Going back to 22nd December 2016, I tweeted about a 0day vulnerability in Plone CMS which is considered as the most secure CMS till date.”

CyberZeist explained that he did not find the zero-day in the CMS he exploited; he was only tasked with testing it against the websites of the FBI and Amnesty. Other websites are potentially exposed to the same zero-day attack, including the Intellectual Property Rights Coordination Center and the EU Agency for Network and Information Security.

Plone is considered a highly secure CMS and is used by many organizations worldwide. CyberZeist explained that the vulnerability he exploited resides in some Python modules of the CMS.

The developers at the Plone project have analyzed the information shared by CyberZeist and determined that it is likely a hoax.

“Some users on Twitter are circulating rumours about a zero day vulnerability in Plone being used to attack the FBI. The Plone Security Team believes that these claims are a hoax. As Plone is open source software, it is easy to fake a screenshot showing Plone’s code. Causing source code to be leaked to the end user is a common form of attack against PHP applications, but as Python applications don’t use the cgi-bin model of execution it has never been a marker of an attack against a Python site.” states the post published by Plone.

“The only hint he has given to the problem is a tweet saying that access to the “acl_users” directory should be restricted. These pages are used by Plone to prompt the user to log in when they try to access the site administration without authorisation. There is no “acl_users” directory on the machine; this is just part of Plone’s authentication framework.”

According to the Plone team, the screenshots were faked, while the leaked email addresses were already present in older leaks.

With the help of a friend, I noticed that the emails contained in the original announcement of the FBI hack from Zeist (http://pastebin.com/5vwz6Wj4) were also present in an old Pastebin document published in 2015 (http://pastebin.com/Exf7NU9M).

The password hashes and salts are not consistent with the ones generated by Plone.

The hacker explained that he found the data in several backup files (acc_102016.bck, acc_112016.bck, old_acc16.bck, etc.), but the .bck extension is not used by the Plone backup system.
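The three hoax indicators discussed above (recycled email addresses from an older dump, password hashes in a format the product never produces, and data that cannot be verified either way) can be checked mechanically before a claimed leak is treated as real. The following script is an added example, not code from the article, from CyberZeist's paste or from the Plone project: it parses a constructed sample dump, classifies each hash against a placeholder scheme pattern (the article says only that Plone's hashes differ from the dump, not what they look like, so the real pattern for the product under review must be substituted), measures overlap with a constructed prior-leak set, and raises flags for a reviewer.

```python
"""Triage of a claimed credential dump for common hoax indicators.

Added example, not part of the Security Affairs article or Plone's code.
The dump lines, the prior-leak email set and the expected hash scheme are
all constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed claimed dump in the shape name:email:hash:salt (not real data).
CLAIMED_DUMP = """\
jdoe:jdoe@example.gov:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8:a1b2c3d4
asmith:asmith@example.gov:7c4a8d09ca3762af61e59520943dc26494f8941b:e5f6a7b8
bwayne:bwayne@example.gov:not-a-real-hash:zz
ckent:ckent@example.gov:{SCHEME}yBhG2zTpeGY1vbn0fHwQ1QoaUXx0:
"""

# Constructed "older, unrelated leak" the claimed dump is compared against.
PRIOR_LEAK_EMAILS = {"jdoe@example.gov", "asmith@example.gov", "old@example.gov"}

# Placeholder for the hash format the reviewed product really emits
# ({SCHEME} prefix followed by base64); replace with the product's own format.
EXPECTED_SCHEME = re.compile(r"^\{[A-Z0-9]+\}[A-Za-z0-9+/=]+$")
# Bare 40-hex-char SHA1 digests, as claimed in the dump described above.
RAW_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Record:
    name: str
    email: str
    pw_hash: str
    salt: str


def parse_dump(text):
    """Parse colon-separated dump lines; reject malformed lines loudly."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":", 3)  # the hash field itself may contain ':' only after this
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 colon-separated fields")
        records.append(Record(*parts))
    return records


def classify_hash(h):
    """'expected' = matches the product's scheme, 'raw_sha1' = bare digest, else 'malformed'."""
    if EXPECTED_SCHEME.match(h):
        return "expected"
    if RAW_SHA1_HEX.match(h):
        return "raw_sha1"
    return "malformed"


def triage(text, prior_emails, recycled_threshold=0.5):
    """Return counts, prior-leak overlap and reviewer flags for a claimed dump."""
    recs = parse_dump(text)
    counts = {"expected": 0, "raw_sha1": 0, "malformed": 0}
    for r in recs:
        counts[classify_hash(r.pw_hash)] += 1
    emails = {r.email.lower() for r in recs}
    overlap = len(emails & {e.lower() for e in prior_emails})
    ratio = overlap / len(emails) if emails else 0.0
    flags = []
    if counts["expected"] < len(recs):
        flags.append("hash_scheme_mismatch")  # hashes the product would not produce
    if ratio >= recycled_threshold:
        flags.append("recycled_emails")  # addresses already public in an older leak
    return {
        "records": len(recs),
        "hash_counts": counts,
        "prior_leak_overlap": overlap,
        "prior_leak_overlap_ratio": ratio,
        "flags": flags,
    }


if __name__ == "__main__":
    for k, v in triage(CLAIMED_DUMP, PRIOR_LEAK_EMAILS).items():
        print(f"{k}: {v}")
```

Neither flag proves a hoax on its own; a real breach could also expose previously leaked addresses. The point of the script is to make the reviewer's reasoning explicit and repeatable: when every hash is in the wrong format and most of the addresses were already public, the dump offers nothing that could only have come from the claimed target.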

“It is extremely easy to fake a hack like this. It takes only rudimentary Photoshop skills or use of the Chrome JavaScript developer console,” said Nathan Van Gheem of the Plone security team.

“I can say for sure that at least some of the data posted as proof is 100% fake. The hoax was a bit elaborate indeed, but that’s it.” – Alexandru Ghica, Eau de Web, maintainer of EU websites that were claimed to be vulnerable.

Why a fake FBI hack?

Some security experts and Plone developers believe that CyberZeist is also the seller of a so-called zero-day exploit that is available online for 8 bitcoins ($9,000). They believe it is a scam.

“We don’t believe the FBI is his target; it is more likely that he is using this high profile site as a way of advertising fake exploits for sale,” Plone representatives said. “There is no reason to believe that his claims are genuine and we remind all website administrators to be wary of social media users claiming to have bugs for sale.”

On the other side, CyberZeist published another Pastebin post:

“Many news outlets are asking me questions like my primary goal was to degrade the image of the organization behind Plone CMS development as it is considered as the most secured CMS till date with no vulnerability at all. This question is totally irrelevant as I have been in hacking scene since 2011 working under “Anonymous” umbrella and I hack the targets purely out of my own motivation.” explained the hacker. “So, I am not influenced by any organization that wants to degrade the Image of Plone Organization. I just leaked out the details that I received after using the attack vector. I am not aware of any technical details of how Plone works internally. So please, do not ask me the technical details related to the inner workings of this CMS, you can test and see for yourself once I release the 0day vector.”

CyberZeist explained that he cannot disclose the Plone zero-day exploit at this moment; he will do so once it becomes obsolete:

“So I cannot disclose the 0day vector myself unless this exploit is not being actively sold or is rendered obsolete. Thus I will release the 0day myself via twitter and few selected security news portals once this 0day is not on sale or is rendered obsolete. So please wait for few days, once this 0day is obsolete, I will release the 0day as a proof of validity. I cannot break the negotiation code and release the 0day myself at this point as the vendor shared the 0day in exchange of my real identity as a token while handing the 0day vector to me.”

At the same time, the Plone Security Team released a security pre-announcement stating that it will publish a security update on January 17 to “patch various vulnerabilities.”

All supported Plone versions (4.x, 5.x) and previous versions could be affected.

“The advisory information we give in those pre-announcements is standard. In fact, the upcoming patch is to fix a minor issue with Zope which is neither an RCE nor LFI inclusion problem.”

The Plone Security Team also added that “there is no evidence that the issues fixed here are being actively exploited,” including in the alleged FBI hack.

“The issue we are fixing in no way resembles CyberZeist’s claims, neither do the issues we fixed last month.” Matthew Wilkes, Plone security team, told The Hacker News.

“The aim of releasing information from such a hack is to convince people that you’ve indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax,” Matthew said.

At this point, we have to wait for one of these events to occur:

  • The FBI provides an official statement
  • The hacker releases the code of the zero-day exploit, demonstrating that the FBI hack is not a fake


Pierluigi Paganini

(Security Affairs – cybercrime, FBI hack)

