FBI logo

The Plone security team has debunked claims made by a hacker, who said he used a zero-day in the Plone CMS to hack into the FBI's website, which uses the aforementioned CMS.

Plone developers felt they needed to publish a blog post in which they contested the hacker's claims after several news outlets have covered the alleged hack.

Hacker CyberZeist claims to have hacked the FBI

Named CyberZeist, the hacker has been tweeting left and right since Christmas, claiming to have breached the FBI's Plone CMS, used to manage its public website.

In two PasteBin's published online [1, 2], the hacker said he breached the FBI in support of the Anonymous movement, dumped the CMS login credentials of over 250 FBI accounts, and provided technical details about his attacks.

Further, the hacker also posted several screenshots on Twitter in the past few weeks, which showed him accessing restricted parts of the FBI CMS.

Plone team dismisses zero-day claims, FBI hack story

Plone, which is a website content management system (CMS) written in Python, has a reputation of not having a zero-day in all of its 15 years of existence.

Because of this and many other security features, the CMS has been deployed with many government websites. Seeing its name tarnished by CyberZeist, the Plone security team investigated the hacker's claims, in order to determine if he's in possession of a real zero-day and start preparing a fix for this vulnerability.

After analyzing the evidence provided in the two PasteBins and the hacker's screenshots, the Plone team felt very strongly that this was nothing more than a "hoax" put together to trick other hackers into buying the alleged zero-day, which was also up for sale on the Dark Web for around $9,000.

In support of its conclusion, the Plone team put forwards a series of arguments that are hard to argue against.

First and foremost, the Plone team took aim at the fact that multiple screenshots showed the FBI website spewing out source code in the hacker's browser.

Causing source code to be leaked to the end user is a common form of attack against PHP applications, but as Python applications don’t use the cgi-bin model of execution it has never been a marker of an attack against a Python site.

Files in view

Second, the Plone team disputed one of the hacker's screenshots that showed the content of the "acl_users" directory.

There is no "acl_users" directory on the machine; this is just part of Plone’s authentication framework. These pages are used by Plone to prompt the user to log in when they try to access the site administration without authorisation.

acl_users claim

Third, the Plone team takes aim at the hacker's leaked data, calling it outright "fake."

Firstly, the email addresses used match other FBI emails that have been harvested over the years and are publicly available. The password hashes and salts he claims to have found are not consistent with values generated by Plone, indicating they were bulk generated elsewhere.

Dumped data

Plone developers also took a jab at CyberZeist's claim to have stolen backup files from the FBI servers. The hacker says he downloaded several files named "acc_102016.bck, acc_112016.bck, old_acc16.bck," and so on.

Plone has a backup system to backup the database and these backups do not use a ".bck" extension and are always written into a var directory, not the Plone installation root or any webserver root directory.

Additionally, the Plone team takes issue with the hacker's technical details regarding the server he just hacked, and they offer a response that makes sense in hindsight.

He claims that the server is running FreeBSD ver 6.2-RELEASE. It is extremely unlikely that the FBI would run such an old version of FreeBSD. Moreover, FreeBSD 6.2 provides Python 2.4, with the option of using Python 2.5. Plone does not run on such old versions of Python.

Again, Plone developers take a jab at CyberZeist's lack of knowledge about the differences between basic PHP web apps and Plone. Their issue is the fact that Plone will not list the content of folders, like a classic PHP app.

He references filename enumeration, however Plone does not expose directories through the web like a traditional PHP site does; Plone URLs map either to registered view code or content in the database.

Last but not least, the Plone team takes a last shot at the hacker's technical skills, by possibly unmasking his location based on timezone settings.

One screenshot shows information about an email, claiming it is part of the FBI’s mail logs. It shows an automatically generated email about a hard drive error. This appears to be his own server’s logs, as although he has modified the name of the server in the log to be an FBI one, he has neglected to change the timezone reported in the emails from Indian Standard Time to Eastern Standard Time.

Mail log

During the past few weeks, CyberZeist also made claims that the websites of Amnesty International and the EU Agency for Network Information and Security along with Intellectual Property Rights Coordination Center are vulnerable to the same exploit. Based on the Plone team's findings, this is most likely not true.

It is worth mentioning that the same hacker, preaviously known as le4ky, has been caught in the past faking other security breaches. The same hacker also disappeared from public life and was not heard from for about four years, only recently returning online.

"It is extremely easy to fake a hack like this. It takes only rudimentary Photoshop skills or use of the Chrome JavaScript developer console," said Nathan Van Gheem, one of the developers of the Plone security team.