The Legitimacy of the Latest FBI Hack is Still Being Questioned

A hacker known as CyberZeist, for the second time, hacked the Federal Bureau of Investigation and uploaded account information to Pastebin, according to RT. CyberZeist (CZ), in 2011, breached the FBI’s security with a phishing scam. Internet users attributed the hack to Anonymous—and Anonymous claimed credit for it. Like the 2011 occurrence, Anonymous received lots of attention, thanks to the New Year’s Day paste by CZ. The leak was “totally devoted to the Anonymous Movement.”

The second paste, published January 5, 2017, clarified CZ’s “justifications for all those [the media’s] questions.” (Backup Copy Here) According to his message on Pastebin, news outlets started questioning the reasoning behind the FBI leak—specifically why the attack’s primary goal was to undermine or degrade “the image of the organization behind Plone CMS.” The tweets associated with the current CyberZeist account, @cyberzeist2, potentially led to confusion about the Plone Content Management System.

Many companies use the CMS platform for the security it provides. Google, the CIA, and the FBI are among some of the partners, RT said. CZ mentioned this in the paste, and in part, justified the hack on the FBI’s weaknesses instead of any potential vulnerabilities in the Plone CMS. Similarly, instead of pointing to errors in the Plone CMS itself, he attacked (and verbally berated on Twitter) the companies running said platform.

He posted the following picture with this caption: “CC: @Amnesty_Schweiz restrict public access to “acl_users” directory (https://www.amnesty.ch/acl_users/), your copy of Plone CMS is vulnerable too!”

He warned that including the EU Agency for Network Information Security, Intellectual Property Rights Coordination Center, and Amnesty International faced the same vulnerabilities. However, in his first paste, he included only a list one 155 accounts. Alleged accounts. He released [Firstname][Lastname]@ic.fbi.gov. Additionally, the SHA1 hash of each password and subsequent salt.

“[email protected] – a374090d426651ef8a8338775378406eaf8bb294, bl3XNyDs62

[email protected] – 49ea1d8fc96f105e62f79f84c86f3189e385b960, 5wWCUipzt@

[email protected] – 3f0291d3a60edb29cd6f168369fd8ae9581f65cd, ArSmrfIY8h

[email protected] – 971636691d06c3e641150ddd661db9a8517d0827, 69CwW$wePL

[email protected] – f0964c1bffaf353920e89b2da2799ce509b7cc42, inpG1NRSC

[email protected] – 129dad5ea12de65aafe750b92d7dfc494edadb62, @K0%lqNrAg

[email protected] – abc5d98fa429263c380491d19174f2e767c0e8fd, tZcIwAgvvO

[email protected] – 63236eedddbb3b803714c629323b2f2bf5fc25df, @Q590WwTK8

[email protected] – f4c6f59d534b67d338c18e4992f68e7b62594d0c, 8SDZ%kQZO6”

Some of the accounts appear to be the same as those listed in the 2011 FBI attack—some do seem to be new. For instance, one account in the 2011 dump: [email protected] – MThadtgo5a91$a%. And in the New Year’s Day Pastebin dump, the same account exists, only hashed and salted: [email protected] – 7d47638011e6a12e343123e9f9740d70cbd459a8, 6TFKCzkJ1k. The same goes for accounts such as [email protected] – fhGiASy1%ka12 from the 2011 list. Our 2017 list has the same email, minus the password: [email protected] – 8a7cc1f9bf3e03cd59012e854f6d8d4e32af655b, Z4nY9CSzRK

The internet disputed the legitimacy of the hack. Even places where CZ would seemingly fit in, people called the leak a hoax. And not only sites like HackForums agreed, the internet, in general, proved very skeptical. One of the largest red flags for individuals was the lack of response from the FBI. No official government entity made any mention of the post. Plone CMS, however, made several announcements. The first and most efficient announcement simply declared that no such 0day for their software existed. Some concern spread after Plone issued an announcement regarding a vulnerability in the CMS. However, as their blog post described, the vulnerability and CyberZeist’s hacks shared no similarities.

“The aim of releasing information from such a hack is to convince people that you have indeed hacked the target. Claims of hacks that only give information that is publicly available (such as open-source code) or impossible to verify (such as hashed passwords) are common signs of a hoax” – Matthew Wilkes, the Plone security team

CZ is not an unknown name in the hacking sector. The 2011 paste of FBI passwords existed (backup). He posted a list of email accounts from Lithuanian Government members. They made no acknowledgment of the hack, however and, a list of accounts, email or otherwise, came from the Washington Military Department. Plone CMS spared no words regarding CZ’s credibility.

Here, the group listed the reasons why CZ’s hack never happened. Additionally, they explained how he could not complete a hack via the methods he described in the pastes and on Twitter.

He claims that the server is running FreeBSD ver 6.2-RELEASE. It is extremely unlikely that the FBI would run such an old version of FreeBSD. Moreover, FreeBSD 6.2 provides Python 2.4, with the option of using Python 2.5. Plone does not run on such old versions of Python.

Plone has a backup system to backup the database and these backups do not use a “.bck” extension and are always written into a var directory, not the Plone installation root or any web server root directory. It would be hard to change this behavior, and there would be no benefit in doing so.

One screenshot shows information about an email, claiming it is part of the FBI’s mail logs. It shows an automatically generated email about a hard drive error. This appears to be his own server’s logs, as although he has modified the name of the server in the log to be an FBI one, he has neglected to change the timezone reported in the emails from Indian Standard Time to Eastern Standard Time.

He references filename enumeration. However, Plone does not expose directories through the web like a traditional PHP site does; Plone URLs map either to registered view code or content in the database. (Plone’s Outstanding Security Track Record 1/07/2017)

CZ said the FBI ran version FreeBSD 6.2 from January 2007. Very outdated compared to the most recent release in 2016. He took a shot at the webmaster as well, saying she had “a very lazy attitude as he/she had kept the backup files (.bck extension) in the same folder where the site root was placed (Thank you, Webmaster!)”

The hacker said the vendor of the Plone 0day needed someone to test the 0day on sites that used the CMS. And, likewise, mentioned that the 0day is active—for sale—somewhere online.

“I was contacted by a 0day vendor with handle “lo4fer” over Tor network who asked me to test out the 0day on active websites using Plone and its DERIVATIVES. The FBI hack was done to test out the vulnerability. So I cannot disclose the 0day vector myself unless this exploit is not being actively sold or is rendered obsolete.”

He additionally asked for votes on which target he would attack next. After 800 votes, he announced the next victim: the banking sector. The validity of the latest dump is still unknown. Plone CMS said one thing. CZ said another. And the US government said nothing whatsoever.

The conclusion of his paste mentioned Anonymous and how grateful he was to receive support from his “Anonymous Family.”

Lastly, I want to add that I could have released this leak only under my name and not under the name of ANONYMOUS. This was done to revive the lost image of Anonymous which has gone silent since last few years. And I am grateful that I received a good amount of support from the Anonymous Family as the mainstream media declined even to publish the hacks in first place.