A hacker who goes by the nickname Cipher0007 has hacked the Sanctuary Dark Web marketplace. The hacker announced the breach a few hours ago and also posted proof of his intrusion. According to Cipher0007, the hack took place after he found an SQL injection flaw in the market's database. The hacker claims he used the SQL injection flaw to upload a shell on the market's server. He then used this backdoor to access various parts of the backend and dumped the private key used to generate the market's .onion URL. Cipher0007 also says he used the market's phpMyAdmin installation to dump details on the database configuration and other login information. At the time of writing, the market's phpMyAdmin login page was still exposed to external connections. To prove his claims, the hacker posted online a screengrab taken while uploading the shell to the Sanctuary market's server, the market's 1024-bit RSA private key, and the market's root account database login information. The Sanctuary market is a small Dark Web market, and one of the few places where digital products such as data dumps and malware are far more prevalent than drugs and weapons. The admin of the Sanctuary market did not respond to a request for comment from Bleeping Computer in time for this article's publication. Cipher0007 already has a reputation in the hacking underground. In January, the hacker collected an unspecified Bitcoin reward for reporting a bug to the AlphaBay staff that would have allowed an attacker access to over 218,000 private messages. AlphaBay is today's biggest Dark Web market, and access to those PMs would have given an attacker insight into the operations of many sellers and vendors.
A case involving software vulnerabilities in medical electronics reveals the inability of both the health care sector and federal regulators to swiftly address cybersecurity problems. This past fall, an investment firm rattled the health care industry with unsubstantiated claims of multiple software vulnerabilities in internet-connected pacemakers and cardiac defibrillators. But it took federal authorities who regulate medical devices four months to acknowledge only one of the alleged defects, and for the company, St. Jude Medical, to patch it. The delayed response to a problem that could potentially put patients at risk raises many questions about why it took so long for the government to act, and what it will take for the health care industry to respond more swiftly to bugs in medical equipment increasingly connected to the internet. "Software is never perfect and all systems still will have these flaws," says Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and an expert on medical device security. "The question is how gracefully and collaboratively and quickly and safely can we respond to these flaws." In this particular case, legal action as well as the unusual way the St. Jude vulnerabilities came to light may have stifled the response. A cybersecurity firm called MedSec initially discovered the problems in the St. Jude devices and tipped off the activist investment firm Muddy Waters, which publicized the flaws and advised clients to bet against the health care firm's stock. As a result, St. Jude lodged a defamation lawsuit against MedSec and Muddy Waters, denying many of the alleged glitches in its pacemaker and implantable defibrillator systems.
"In theory, most disclosures now should take about 60 days to get to some clarity or resolution," said Corman. "In part, because of the contentious nature and the lawyers involved in this particular one, it took about five months." Last week, the Food and Drug Administration along with the Department of Homeland Security confirmed at least some of MedSec's findings and reported a flaw in the St. Jude @Merlin transmitter, an at-home computer that sends data from cardiac implants to the patient's medical team. The flaw could have allowed malicious hackers to remotely exhaust an implant's battery power or potentially harm the patient. St. Jude spokeswoman Candace Steele Flippin said in an emailed statement that following the release of Muddy Waters' claims in August, the device manufacturer "carefully reviewed the claims in these reports along with our existing plans for our cyber ecosystem," evaluated them with FDA, DHS, and outside security researchers, and then identified the improvements announced on Jan. 9 and noted further enhancements "we will be making in the coming months." But Muddy Waters said the problems may take as long as two years to fix. Carson Block, the firm's founder, said this week the root causes of the vulnerabilities demand a change to firmware inside the St. Jude implants themselves. The firm said in a statement, "these issues have just been given a quick fix by St. Jude with the government's blessing and cardiologists should go with other pacemaker manufacturers since they are much better on cybersecurity." It's important to note that all the players in this medical legal drama, as well as the Veterans Affairs Department, which buys St. Jude devices, say there have been no reports of patient harm related to the cybersecurity vulnerabilities reported in late August. In fact, the VA in recent months has continued paying for operations involving St. Jude devices, according to contract documents. Ever since the US government and St. Jude confirmed the one flaw, the VA has been "taking steps to be sure all our patients and providers are aware of this issue and take appropriate actions to be sure that all our patients get the update for their monitor," said Merritt Raitt, acting director of the VA National Cardiac Device Surveillance Program.
The controversy could have been partly avoided, perhaps, if St. Jude and MedSec had followed new federal regulations for medical device security that encourage manufacturers to be more proactive about addressing potential vulnerabilities. A week before federal regulators publicized the one St. Jude glitch on Jan. 9, they announced the completion of a 2016 draft policy that might have yielded multiple fixes in two months without anyone resorting to public shaming or legal action. On Jan. 4, DHS circulated the final Food and Drug Administration (FDA) cybersecurity guidelines for monitoring networked medical devices on the market; the guidelines threaten manufacturers with penalties such as a recall unless they cooperate with bug hunters to patch vulnerabilities within 60 days. Corman recommends that providers, including VA, heed all the literature that's been published on the St. Jude glitches, including a DHS technical advisory, FDA security communication, MedSec report, and guidance written by Bishop Fox, a cybersecurity consultancy Muddy Waters hired in response to the lawsuit. "Just understand that the FDA and DHS do need to get the ground truth, that security researcher claims do need to be validated through the normal regulatory process," he says.
A miscreant using the handle @cyberzeist claims to have infiltrated the Plone CMS used by FBI.gov, using a zero-day flaw allegedly for sale on an unnamed dark web site. The Register has contacted the FBI to confirm the allegations. The agency was not immediately available for comment, although a staffer said they were aware of the alleged break-in. Cyberzeist claims to have conducted the hack last month and has posted to Twitter what they claim are screen captures showing the FBI patching against the vulnerability, which appeared to permit public access. The hacker dumped the 155 purported stolen credentials to the online clipboard Pastebin, claiming the vulnerability resides in a Plone Python module. Cyberzeist also claimed the FBI contacted the hacker requesting a copy of the stolen credentials, which they declined to provide. The hacker reckoned the CMS was hosted on a virtual machine running a custom FreeBSD. They said they will tweet the zero-day flaw once it is no longer for sale.