When you download an operating system, you certainly don’t expect to be installing an altered version with a backdoor in place, but sadly this is what happened to some folks who downloaded a popular version of Linux over the weekend.
To be precise, we are talking about Linux Mint – specifically the 17.3 Cinnamon edition. As the makers of Mint announced in a blog post, what actually happened was a malicious party made a modified version of said OS (containing a backdoor) and hacked the official website to point to this compromised download.
The maliciously modified version was available for a time on Saturday (February 20) before the issue was discovered, so if you downloaded and installed Mint from the official site on that day, then you’ve got a problem (and if this was a machine with business data on, a potentially even bigger problem).
If you grabbed another version aside from Mint 17.3 Cinnamon edition, then you’re fine, and equally if you downloaded from elsewhere other than the official website (say via torrents) then you’re also okay.
If you’re unsure about whether you’re safe or not, as Clement Lefebvre, who is in charge of Linux Mint, advises, you can check the MD5 signature “with the command md5sum yourfile.iso (where yourfile.iso is the name of the ISO).”
The list of valid signatures is provided in Clem’s blog post, and further advice is given on what action to take if you did install this backdoor-laden OS (take the PC offline, reinstall the OS or format the partition, and change any passwords you may have used on the machine).
Apparently the compromised ISO was loaded with Tsunami botnet malware.
At the time the attack was discovered, Lefebvre said that it was traced to Bulgaria, but the motivation wasn’t known. However, ZDNet later spoke to a lone hacker from Europe by the handle of ‘Peace’ who claimed to be responsible, and said they had successfully compromised a few hundred machines running Mint.
The hacker also claimed to have stolen a complete copy of the Mint website’s forum on two occasions, containing personal information of users including birthdates, email addresses and passwords (although the latter were encrypted).
However, the passwords are in the process of being cracked by all accounts (simple passwords will be particularly susceptible to being brute-forced), so if you’re a forum member, you should take action on that front too and change your password (and other instances of that password if you’ve used it elsewhere – of course, it goes without saying that’s very bad security practice).
The Mint team was quick to respond to this whole incident, and transparent in dealing with it, although the fallout from the compromise is likely to be considerable in the short-term.