Oh No, Linux Mint Hacked, ISOs Compromised
The Linux Mint website, forums, and download images were hacked this weekend. Clement Lefebvre announced the breach to the public Sunday morning saying, "I’m sorry I have to come with bad news. We were exposed to an intrusion today." The hacker spoke with ZDNet today about his motivations and the extent of the damage, which includes serving a version of Mint 17.3 Cinnamon with a backdoor in it and selling forum user data on the black market.
Lefebvre blogged yesterday, "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it." He added that Linux Mint 17.3 Cinnamon is the only edition they have confirmed as compromised, and only the copies served over FTP. He said:
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either. Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
Lefebvre said his team didn't know what the hacker's motivation was, but ZDNet is reporting it was financial. Besides the backdoored images, a dump of the forum database was stolen, and ZDNet reported the data was offered for sale for $85 a download on "a dark web marketplace" whose existence ZDNet verified.
ZDNet's Zack Whittaker spoke with the hacker, who said (s)he lives in Europe and is not affiliated with any known hacking group. The hacker said he was "just poking around" the Mint website and found a vulnerability in its WordPress installation that let him in, first to obtain a database dump and then to get shell access. He had already stolen a dump back in January; on Saturday he went further. It took him only a few hours to build a modified 17.3 Cinnamon ISO, upload it to a server in Bulgaria, change the checksums published on the Mint site to match the tampered image, and point the site's download links at it. According to Whittaker, Lefebvre took the Mint sites down only about an hour later.
The hacker, known ironically as Peace, told ZDNet his motive was to build a botnet for DDoS attacks, phishing, data mining and the like. He also said the number of pwned machines began dropping as soon as the news broke.
Folks who downloaded the images should delete them and throw away any optical discs burned from them. Format USB sticks and any partitions on which the compromised image may have been installed; a system installed from a backdoored ISO cannot be trusted and should be reinstalled from a fresh download. Because the attacker also rewrote the checksums on the site, a fresh download should be checked only against sums obtained from a source the attacker could not alter, not against whatever the download page happened to show. In a separate post Sunday, Lefebvre also advised forum users to change their passwords, since the forum database had been taken too, and he suggested changing email passwords as well, especially where the same password was reused. Lefebvre added that things were not quite back to normal just yet, but they are working on it. After clean-up and restoration, the hardening suggestions include serving the site over HTTPS by default and replacing the published MD5 sums with SHA256 sums. The main linuxmint.com website is still off-line at this time.
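The following is an added illustration, not code from this article or from the Linux Mint project. It verifies a downloaded ISO against a sha256sum.txt-style list and then plays out the scenario above: the backdoored image fails against the original list but passes against the list the attacker rewrote, which is why the check only helps when the list comes from somewhere the attacker could not edit. The ISO files and hash lists here are tiny constructed stand-ins; only the file name is the real one.

```shell
#!/bin/sh
# Added example (not from the article or the Linux Mint project).
# Shows a SHA256 check of a downloaded ISO against a checksum list, and why
# that check is worthless when the attacker who swapped the ISO also rewrote
# the list on the same web page. All inputs below are constructed stand-ins.
set -u

# verify_iso ISO SUMSFILE
# Exit status 0 if the SHA256 of ISO matches the entry for its file name in
# SUMSFILE. Lines in SUMSFILE look like "<hex digest>  <name>" (or "*<name>").
verify_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Scratch directory holding the constructed scenario; removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ISO_NAME=linuxmint-17.3-cinnamon-64bit.iso   # real file name, constructed contents

mkdir "$WORK/genuine" "$WORK/backdoored"
printf 'constructed stand-in for the genuine image\n' > "$WORK/genuine/$ISO_NAME"
printf 'constructed stand-in for the genuine image\n# backdoor\n' > "$WORK/backdoored/$ISO_NAME"

# The checksum list as the project published it before the intrusion.
( cd "$WORK/genuine" && sha256sum "$ISO_NAME" > "$WORK/sha256sum.txt.original" )
# The list the attacker published on the compromised site beside the bad image.
( cd "$WORK/backdoored" && sha256sum "$ISO_NAME" > "$WORK/sha256sum.txt.attacker" )

# report LABEL ISO SUMSFILE: one-line result for the reader.
report() {
    if verify_iso "$2" "$3"; then
        echo "$1: OK"
    else
        echo "$1: MISMATCH"
    fi
}

report "genuine ISO vs original list"      "$WORK/genuine/$ISO_NAME"    "$WORK/sha256sum.txt.original"
report "backdoored ISO vs original list"   "$WORK/backdoored/$ISO_NAME" "$WORK/sha256sum.txt.original"
report "backdoored ISO vs attacker's list" "$WORK/backdoored/$ISO_NAME" "$WORK/sha256sum.txt.attacker"
```

The third line of output is the one that matters: a tampered image verifies cleanly against a tampered list, so the list itself has to come from a channel the attacker did not control, and switching from MD5 to SHA256 does nothing about that on its own.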
In other news: