The web properties of the project developing Linux Mint have been compromised, and the attacker managed to put up a backdoored version of the distro for download for a little while.
The breach was announced by project leader Clement Lefebvre on Sunday, February 21, via a blog post.
“Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” he shared. “As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either. Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.”
To complete the deception, the attacker also changed the checksum offered for verifying the integrity of the file.
“The hacked ISOs are hosted on 126.96.36.199 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the name of 3 people over there. We don’t know their roles in this, but if we ask for an investigation, this is where it will start,” Lefebvre noted, and added that they don’t know the motivation behind the attack.
“If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this,” he concluded.
Less than half a day later, he announced that the attacker has also compromised the forums database.
“If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible,” he urged, adding that the users’ info compromised includes their username, email address, encrypted password, and personal information they shared in their profile, or messages they posted or exchanged with other users.
“People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information,” he pointed out.
He recommended to all forum users to change their passwords once the forum gets back online, and in the meantime to change their passwords on other websites (if they used the same password).
Zack Whittaker has managed to get in touch with the hacker, and so far the things he shared about the hack seem to check out.
The hacker, who identified himself as “Peace,” says that him and his group live in Europe but they are not affiliated with any hacking group.
Peace says that he has copied the site’s forum twice – the first time on January 28, the second on February 18 – and they have already cracked some of the user passwords. He also put the “full forum dump” for sale on a underground marketplace, and asks $85 for each download. The dump seems to be authentic.
The malicious ISO image was easy to backdoor, he said. The backdoor in question is Tsunami, which connects the compromised system to an IRC server from which it can be ordered to participate in a DoS attack.
The malware can also download and run additional (malicious) files, execute commands on the system, and even uninstall itself.
Peace says that, at the moment, they are not planning to do anything with this botnet. News of this breach also resulted in a severe decrease of its size.
Linux Mint’s project website is currently down, as are the forums, and there is no indication when they would be back again. Lefebvre said that “the breach was made via wordpress. From there they got a www-data shell,” but he shared no other details. Peace said that they found and exploited a vulnerability to access the site.