Attackers managed to hijack the website of the Linux Mint operating system to push a backdoored ISO image of the software to users over the weekend.
The developers behind the software, one of, if not the most popular Linux distribution, are unsure what the hackers are aiming to achieve by the move but acknowledge that if there are more efforts to attack their project, they plan to get the authorities involved.
Clement Lefebvre, the creator of Linux Mint, disclosed the incident in a blog post early Saturday morning and downplayed it by saying only one version, Linux Mint 17.3 Cinnamon, was compromised and only users who downloaded it via the official site on Feb. 20 are believed to be affected. Users who downloaded through torrents or a direct HTTP link are not affected Lefebvre said.
Regardless, Lefebvre encourages any user who suspects their version is tainted to verify their ISO against a handful of valid signatures listed in the blog – and destroy any compromised versions.
If a user has already installed the ISO, Lefebvre advises users to take the computer offline, backup their data and either reinstall the OS or format the partition.
Lefebvre has been transparent about the breach since it was announced, further clarifying that attackers managed to breach Linux Mint’s site in the first place via a WordPress vulnerability and from there they got a www-data shell. They were running the latest build of WordPress but a custom theme and “lax file permissions for a few hours” led to the hack, he wrote.
Some of the hacked ISOs ultimately connect to servers in Sofia, Bulgaria, but it’s unclear exactly what the criminals’ motivation is.
‘We don’t know their roles in this, but if we ask for an investigation, this is where it will start,” Lefebvre wrote.
According to researchers at Kaspersky Lab who looked at some of the compromised ISO images, the malware is a simple backdoor that’s controlled through an unencrypted IRC connection. It’s capable of a few things: Running types of UDP and TCP flooding for DDoS attacks, downloading arbitrary files to the machine, and executing arbitrary commands.
According to Stefan Ortloff, a member of Kaspersky Lab’s Global Research and Analysis Team who wrote about the malware in a post Monday on Securelist, while looking over the C&C channel he noticed “the criminal sending several SMB-related commands like “smbtree -N” to the connected bots.”
“Apparently the attacker tries to access SMB/CIFS shares available in the local network of the victims,” Ortloff wrote.
Lefebvre confirmed in a subsequent blog post on Saturday that the site’s forum database was also compromised during the attack and as a result they’re urging anyone who has an account on forums.linuxmint.com – and any site where they used the same password – should change their passwords
Additional details in that database that may have been stolen include:
- Users forum usernames
- An encrypted copy of users forum password
- Users email address
- Any personal information they might have put in your signature/profile/etc…
- Any personal information they might written on the forums (including private topics and private messages)
According to DistroWatch.com, which keeps track of Linux distributions by the number of page hits over a given period of time, Mint is far and away the most popular build, surpassing Debian, Ubuntu, and Fedora.
Lefebvre claims this is the first time Linux Mint has really experienced anything more serious than a DDoS attack and that it’s a new, but important experience.
“It’s also important we communicate about this attack because we’re not talking about downtime or inconvenience here, this is a call to action,” he wrote, “We need people who are affected by this, to understand that they are, so they don’t get hurt or used going forward.”