The Plone security team has debunked claims made by a hacker, who said he used a zero-day in the Plone CMS to hack into the FBI's website, which uses the aforementioned CMS.
Plone developers felt they needed to publish a blog post in which they contested the hacker's claims after several news outlets have covered the alleged hack.
Named CyberZeist, the hacker has been tweeting left and right since Christmas, claiming to have breached the FBI's Plone CMS, used to manage its public website.
In two Pastebin posts published online [1, 2], the hacker said he breached the FBI in support of the Anonymous movement, dumped the CMS login credentials of over 250 FBI accounts, and provided technical details about his attacks.
Further, the hacker also posted several screenshots on Twitter in the past few weeks, which showed him accessing restricted parts of the FBI CMS.
Plone, a website content management system (CMS) written in Python, has a reputation for never having had a zero-day in its 15 years of existence.
Because of this and many other security features, the CMS has been deployed on many government websites. Seeing its name tarnished by CyberZeist, the Plone security team investigated the hacker's claims in order to determine whether he was in possession of a real zero-day and to start preparing a fix for the vulnerability if so.
After analyzing the evidence provided in the two PasteBins and the hacker's screenshots, the Plone team felt very strongly that this was nothing more than a "hoax" put together to trick other hackers into buying the alleged zero-day, which was also up for sale on the Dark Web for around $9,000.
In support of its conclusion, the Plone team put forward a series of arguments that are hard to argue against.
First and foremost, the Plone team took aim at the fact that multiple screenshots showed the FBI website spewing out source code in the hacker's browser.
Second, the Plone team disputed one of the hacker's screenshots that showed the content of the "acl_users" directory.
Third, the Plone team took aim at the hacker's leaked data, calling it outright "fake."
Plone developers also took a jab at CyberZeist's claim to have stolen backup files from the FBI servers. The hacker says he downloaded several files named "acc_102016.bck, acc_112016.bck, old_acc16.bck," and so on.
Additionally, the Plone team took issue with the hacker's technical details regarding the server he allegedly hacked, and offered a response that makes sense in hindsight.
Again, Plone developers took a jab at CyberZeist's lack of knowledge about the differences between basic PHP web apps and Plone. Their issue is that Plone does not list the contents of folders the way a classic PHP app would.
Last but not least, the Plone team took a final shot at the hacker's technical skills, possibly unmasking his location based on timezone settings.
During the past few weeks, CyberZeist also claimed that the websites of Amnesty International and the EU Agency for Network and Information Security, along with the Intellectual Property Rights Coordination Center, are vulnerable to the same exploit. Based on the Plone team's findings, this is most likely not true.
It is worth mentioning that the same hacker, previously known as le4ky, has been caught faking other security breaches in the past. He also disappeared from public life and was not heard from for about four years, only recently returning online.