Hackers recently broke into the Linux Mint official website and leveraged their access to point to a backdoored version of the Linux distribution’s ISO image.The community-driven distributor confirmed the hack in a blog post on Sunday:“I’m sorry I have to come with bad news,” the company’s statement begins. “We were exposed to an intrusion today. It was brief and it shouldn’t impact many people.”
The post goes on to reveal that those responsible for the incident initially gained access to the site via its WordPress blog. From there, they moved onto the www-data shell before modifying the Linux Mint download page to point to a malicious FTP server hosted in Bulgaria.Each of the hacked ISO images loaded up the complete OS along with the Internet Relay Chat (IRC) backdoor Tsunami, a well known Linux ELF trojan that in the past was used to conduct distributed denial of service (DDoS) attacks.Only those who installed Linux Mint 17.3 Cinnamon edition from the site’s official downloader on February 20th are affected. Even so, the attacker, who goes by the name “Peace,” told ZDNet that they have a “few hundred” Linux Mint installs under their control.The hacker went on to reveal that they obtained a copy of the site’s forums database and were selling it on a dark web marketplace over the weekend for just $85.00.Linux Mint confirmed the compromise in a subsequent post to its blog and stated that customers’ usernames, encrypted passwords, email addresses, and personal information could have been exposed.“People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites,” the distributor explains. “Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information.”All users are urged to change their passwords as the Linux Mint team works to solve the issue.News of this hack follows on the heels of a critical vulnerability in the Linux GNU C Library (glibc) that could have allowed attackers to execute code on servers and gain remote control of Linux machines, applications, and devices.