The website distributing popular open-source operating system Linux Mint has been compromised by an unknown hacker who was able to insert a malicious backdoor into ISO downloads – leaving anyone who installed the software on 20 February at risk.
"Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," admitted lead developer Clement Lefebvre in a blog post, before explaining that anyone with a hacked version – which reportedly only impacts Linux Mint 17.3 Cinnamon edition – should destroy the download file immediately.
However, the scope of the breach quickly escalated. Later the same day, a second update was published that revealed the forum database on the website had also been compromised in its entirety, resulting in the loss of usernames, email addresses, content of private messages and encrypted copies of passwords. "If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible," Lefebvre said.
It is thought that the infected ISOs installed the Linux operating system bundled with a backdoor called 'Tsunami' that included that gives the hacker remote access to the infected machines.
At the time of writing, the Linux Mint website, apart from the blog notifications, remains offline, however, on 21 February, over 71,000 exposed accounts were added to the HaveIbeenPwned website which allows users to check if their details were compromised in cyber-attacks.
Initially, Lefebvre said the Linux Mint team didn't know the motivation behind the attack however added that an investigation may be launched. "If more efforts are made to attack our project and if the goal is to hurt us, we'll get in touch with authorities and security firms to confront the people behind this," he wrote. The developer has since acknowledged that Tsunami was indeed uncovered in the source code.
So, who is responsible?
Following infecting a slew of machines and downloading a full copy of the forum database, the hacker using the pseudonym 'Peace', listed the contents of the 'full forum dump' as for sale on a dark-web marketplace.
According to ZDNet, who was able to speak to the hacker via encrypted email, the listing was available for about 0.197 bitcoin which is equivalent to $85 per download. "Well, I need $85," the hacker joked.
According to 'Peace', the vulnerability that gave access to the website was first discovered in January. To carry out the attack, the hacker replaced the 64-bit distribution images (ISO) with the modified malicious version. The aim was to construct a botnet.
In order to check for an infected download, you can compare the MD5 signature with the official version, which Lefebvre has listed on the official blog post. If the downloaded ISO is a hacked version, users are advised to take the computer offline, backup all personal data, re-install the operating system with a clean ISO and change all passwords for sensitive websites and emails.