Linux Mint Website Hacked; ISO Downloads Replaced with a Backdoor

The systems of users who downloaded Linux Mint on February 20 may be at risk: attackers whose trail leads to Sofia, Bulgaria managed to compromise the website of Linux Mint, currently one of the most popular Linux distributions available. According to Linux Mint's report, the attacker replaced the download links on the site so that users were tricked into downloading a Linux Mint ISO with a backdoor installed. The links pointed to a server under the attackers' control that served malicious ISO images of the Linux Mint 17.3 Cinnamon edition. The website has been down since Sunday, February 21, which has cost the project thousands of downloads.

What happened?

On February 21, Linux Mint project head Clement Lefebvre announced on the project's blog that “Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.” Lefebvre stressed that only downloads made on February 20 were compromised and that the site was subsequently taken offline to prevent further downloads and fix the problem. According to the blog, the attacker gained access to the underlying server through the team's WordPress blog. From there, the attacker modified the download page so that it pointed to a malicious FTP server hosting the modified version of Linux Mint. The tampered ISO contained malware that installs a backdoor on the system.

Once active, the malware quietly connects to an Internet Relay Chat (IRC) server and waits for commands; among other things, it could be used to launch distributed denial-of-service (DDoS) attacks from infected machines. It can also uninstall itself from an affected machine to remove evidence that it was ever there.

Who are affected?

According to the February 21 Linux Mint blog, Linux Mint 17.3 Cinnamon downloaded through the tampered link was the only edition found to have been compromised. Those who downloaded other editions should not be affected. Users who obtained the ISO from other sources, such as torrents or direct HTTP links, are also unlikely to be affected.

Who is behind the hack and what are their motivations?

According to Lefebvre, the backdoor and the hacked ISOs lead to Sofia, Bulgaria, and to the names of three people in that location. At the time of writing, their motivations are not clear. Based on other reports, a hacker known as Peace claimed to have stolen a complete copy of the site's forum database twice, on January 28 and on February 18. A portion of that forum dump, consisting mainly of email addresses, profile pictures, and scrambled (hashed) passwords, was also released as part of the hack.

It was later disclosed that the hacker had put the “full forum dump” up for sale on a Deep Web marketplace, where the listing was priced at about 0.197 Bitcoin, or roughly $85, per download.

What can affected users do?

If you believe you are affected, here’s what you can do:

  • Take the affected system offline
  • Reinstall the OS using a clean installer
  • Destroy all copies of the malicious ISO
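Reinstalling from a clean installer only helps if the installer itself can be shown to be genuine. As an added example (not the Linux Mint project's own tooling and not part of the original article), the following POSIX shell function verifies a downloaded ISO against a sha256sum.txt checksum list and, optionally, a detached GPG signature on that list. The file names, the checksum list and the signature file are assumptions for illustration; any key used for the signature check must have been imported beforehand from a source other than the download site.

```shell
#!/bin/sh
# Added example (not from the Linux Mint blog or the original article):
# verify a downloaded ISO against a sha256sum.txt checksum list and,
# optionally, a detached GPG signature on that list.
# Usage: verify_iso ISO SUMS [SIGNATURE]
# Returns 0 on match, 1 on mismatch or missing entry, 2 on bad input,
# 3 if the signature on the checksum list does not verify.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_iso() {
  iso=$1
  sums=$2
  sig=$3
  [ -f "$iso" ] && [ -f "$sums" ] || {
    echo "verify_iso: missing ISO or checksum list" >&2
    return 2
  }

  # Caveat: a checksum list fetched from the same (possibly compromised) site
  # proves nothing on its own. Only trust it if its detached signature
  # verifies against a key obtained out of band (imported beforehand).
  if [ -n "$sig" ]; then
    gpg --verify "$sig" "$sums" >/dev/null 2>&1 || {
      echo "verify_iso: signature on $sums did not verify" >&2
      return 3
    }
  fi

  name=$(basename "$iso")
  # sha256sum lines look like "<hash>  <file>" or "<hash> *<file>" (binary mode).
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
  [ -n "$expected" ] || {
    echo "verify_iso: no entry for $name in $sums" >&2
    return 1
  }

  actual=$(sha256_of "$iso")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name matches $sums"
    return 0
  fi
  echo "FAIL: $name does not match $sums" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}
```

A typical call is `verify_iso linuxmint-17.3-cinnamon-64bit.iso sha256sum.txt sha256sum.txt.gpg`. The function fails closed: a missing entry, a mismatch, or a signature that does not verify all return non-zero, so the ISO should not be written to installation media unless the exit status is 0. Omitting the signature argument still catches a corrupted or tampered ISO, but not a checksum list that an attacker who controlled the download page could have rewritten to match the malicious image.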
