A hacker has compromised the official Linux Mint website and has linked the official Linux Mint ISO to a modified version hosted on a server in Bulgaria. The modified ISO contains malware that will allow the hackers to take control of the machines on which Linux Mint is installed. The Linux Mint cyberattack has impacted all individuals who downloaded the ISO on 20th February.
The ISO included an IRC backdoor that will allow attackers access to all infected systems. The Linux Mint ISO hack was achieved by modifying a PHP script on the WordPress installation used on the site.
The Linux/Tsunami-A malware connects to an IRC server and can receive instructions from the hacker behind the attack. The machine on which the malware is installed could be used as part of a DDoS attack, or the machine could have further malware downloaded to it.
The backdoor had been installed in the 64-bit version of the Linux Mint 17.3 Cinnamon edition. While the 32-bit version does not appear to show any sign of an infection, the hacker responsible appears to have been attempting to install a backdoor in that ISO as well, as that file was also stored on the attacker’s server. The hacker responsible was reportedly trying to construct a botnet, although Mint Protect Leader Clement Lefebvre has said that the intentions of the hacker are not fully understood.
The names of three individuals who are believed to be involved in the Linux Mint cyberattack have been obtained by Lefebvre’s team. They are associated with the website on which the modified ISO was hosted, although it is not clear at this stage whether an investigation into those individuals will be launched. That will depend on whether any further action is taken by the hacker, according to a blog post by Lefebvre.
Linux Mint Cyberattack Compromised 71,000 User Accounts
In addition to linking to a modified version of the ISO file, the forum database on the Linux website has also been compromised. The account details of all 71,000 individuals registered on the forum have been exposed. That database has been listed for sale for a reported 0.197 Bitcoin according to ZDNet.
Fortunately, the Linux Mint cyberattack was discovered quickly and action taken to prevent further malicious copies of the ISO being downloaded. The Linux website has been taken offline while the issue is fixed.
All individuals who downloaded the ISO from the official website have been advised to check to see if their version has been hacked. It is possible to determine whether the ISO has been hacked by checking its MD5 signature by running “md5sum yourfile.iso”, using the name of the downloaded ISO and checking this against the valid signatures posted on the Linux Mint website.
All individuals who have an account on forums.linuxmint.com have had their username, email address, private messages, and encrypted copies of their password exposed. Users have been advised to change their passwords immediately.