“I’m sorry I have to come with bad news,” wrote Clement Lefebvre, head of the Linux Mint project, before announcing Linux Mint suffered an intrusion; on February 20, “hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.”
Not all of Linux Mint, ranked by DistroWatch as the most popular Linux distribution for the last year, was affected; only the ISO for Linux Mint 17.3 Cinnamon edition downloaded from the site on Saturday was. Lefebvre noted that other ISO releases downloaded from the site on Feb. 20 as well as the Cinnamon edition ISOs downloaded via torrents or a direct HTTP link should not be affected.
Lefebvre advised anyone who downloaded the Cinnamon edition yesterday to compare the MD5 signature. However, technologist Micah Lee seemed flabbergasted by that advice, since the attackers could have also changed the MD5 checksums. Nevertheless, if you installed the maliciously tainted edition, Lefebvre said to take your PC offline, reinstall a clean version and then change your email and other passwords.
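Lee's objection can be shown concretely. The Python sketch below is an added example, not code from Linux Mint or from anyone quoted here; the file name and image bytes are constructed stand-ins, and it uses SHA-256 where the advice above used MD5.

```python
import hashlib
import hmac
import io

def digest_stream(stream, algo="sha256", chunk=1 << 20):
    """Hash a file-like object in chunks so a multi-GB ISO never sits in memory."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def parse_sum_file(text):
    """Parse md5sum/sha256sum style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums

def verify(stream, name, sum_text, algo="sha256"):
    """True only if `name` is listed in sum_text and its digest matches the stream."""
    expected = parse_sum_file(sum_text).get(name)
    if expected is None:
        return False  # unlisted file: fail closed
    return hmac.compare_digest(digest_stream(stream, algo), expected)

# Constructed sample data (stand-ins, not real ISO contents).
NAME = "example-cinnamon.iso"  # hypothetical file name
CLEAN = b"clean image bytes" * 1000
TAMPERED = CLEAN + b"backdoor"

# What a compromised site serves: the attacker controls the image AND the checksum.
site_sums = f"{hashlib.sha256(TAMPERED).hexdigest()}  {NAME}\n"
# Digest obtained through a channel the web server cannot rewrite (assumption).
trusted_sums = f"{hashlib.sha256(CLEAN).hexdigest()} *{NAME}\n"

def demo():
    same_origin = verify(io.BytesIO(TAMPERED), NAME, site_sums)     # passes: false assurance
    out_of_band = verify(io.BytesIO(TAMPERED), NAME, trusted_sums)  # rejected
    clean_ok = verify(io.BytesIO(CLEAN), NAME, trusted_sums)        # accepted
    return same_origin, out_of_band, clean_ok

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the source of the expected digest: a checksum read from the same site that served the image matches whatever that site chose to serve.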
The attackers breached the site via WordPress, Lefebvre admitted in a comment. “The hacked ISOs are hosted on 126.96.36.199 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the name of 3 people over there.”
Database was sold on the dark web
After Lefebvre’s warning to “beware of hacked ISOs,” security-minded individuals jumped into action. CSO’s Steve Ragan found the data for sale on TheRealDeal dark web marketplace and tweeted a screenshot.
Ragan tweeted “LinuxMint didn't just have their ISOs backdoored. Their server and forum were dumped. It's up for sale online, asking price is ~$85 USD.”
Someone seemingly purchased it, then dropped the Linux Mint forum’s configuration file into the discussion on Hacker News.
Hackers re-compromised the site after it was first "cleaned"
After comments on the Linux Mint blog said the download page was again pointing to the hacked Cinnamon ISO, Lefebvre confirmed it was a “second attack” and the site was still vulnerable. The Linux Mint team kicked into action once more, entirely shut down its server this time, searched for the “source of the second intrusion” (most likely a remnant left over from the first), and then closed the holes the attackers exploited to gain access.
Backdoor was a Tsunami IRC bot
Lefebvre added that the attackers chose to taint Mint’s Cinnamon edition with an oldie, the Tsunami IRC bot. With the unlimited choices available, some security pros wondered why the hackers bothered to settle for an IRC-based botnet; Tsunami is an old tool with “very very poor” performance. As Dutch-based Fox-IT senior threat intelligence analyst Yonathan Klijnsma put it:
Several social networking site discussions suggested the attackers must be noobs. Softpedia said the entire hack was “mishandled” and asking a mere $85 for the forum’s database showed “lack of vision.”
Softpedia’s Catalin Cimpanu expounded on the attackers’ inexperience:
“The fact that they've re-compromised the site after they've been originally discovered also shows the group's lack of experience. With their entry point still working, and with the Linux Mint team blaming the WordPress site, when all clues pointed to the phpBB forum, all the hackers had to do was to wait. Instead, they escalated the entire incident, placed ads on an underground hacking forum, which eventually caught the eye of security experts and forced the Linux Mint team to bring down their entire website, cutting off their access.”
Although Linux Mint doesn’t know the attackers’ motivation, Lefebvre said, “If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.”
Update: Steve Ragan contacted me to say the config file for phpBB that was posted on Hacker News was copied from elsewhere as 'proof' by the hacker. Additionally, Tsunami isn't the name of the bot; “the code is called Kaiten, and it's been open source since about 2001.”