On Saturday, Linux Mint disclosed that someone had compromised their website and made changes to links in order to direct users to malicious downloads.
Update (2/26/16): Level 3 Threat Research Labs investigated this incident and released new information on the attack timeline. According to their investigation, traffic shifted to multiple different malicious hosts at three separate intervals between February 19 and 21, not just February 20 as originally reported.
"A wider swath of time than the reported February 20 date. By providing the full time period for compromise, users have a clear understanding of first, if they were compromised and second, if they should take action, especially for those who downloaded the program on Friday or Sunday," a spokesperson stated.
The altered links pointed to a modified Linux Mint ISO that contained a backdoor. The Linux Mint forums were also compromised, and the person claiming responsibility has put the forum data up for sale online.
For a brief time on Saturday, February 20, users attempting to download Linux Mint might have downloaded a version that contained a backdoor. In a blog post on Saturday, the Linux Mint team outlined the attack in detail.
After creating a backdoored ISO for Linux Mint, the attacker(s) then compromised the project's website (linuxmint.com) by targeting vulnerabilities in WordPress. Once the attacker(s) gained access to the website, they altered the download links and pointed them to the modified ISO.
"As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either. Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th," the blog post explained.
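As an added example (not from the article or from the Linux Mint project), a defender-side check against the link swap described above: hash the downloaded image and compare it with a SHA-256 checksum list obtained through a channel independent of the website, since a list served by the same compromised site proves nothing. The file name and contents below are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sha256sum(text):
    """Parse sha256sum output ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed checksum line: %r" % line)
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-gigabyte ISO need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(path, trusted_checksums):
    """True only if the file's SHA-256 matches the entry from the trusted list."""
    expected = parse_sha256sum(trusted_checksums)
    name = os.path.basename(path)
    if name not in expected:
        return False  # no trusted entry: unverified, do not install
    return hmac.compare_digest(sha256_file(path), expected[name])

def demo():
    """Constructed stand-ins: a 'genuine' image and a tampered copy of it."""
    name = "linuxmint-17.3-cinnamon-64bit.iso"  # hypothetical file name
    genuine = b"constructed stand-in for the real ISO contents"
    tampered = genuine + b"\x00extra payload"
    trusted = "%s *%s\n" % (hashlib.sha256(genuine).hexdigest(), name)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(genuine)
        genuine_ok = verify_iso(path, trusted)
        with open(path, "wb") as f:
            f.write(tampered)
        tampered_ok = verify_iso(path, trusted)
    return genuine_ok, tampered_ok
if __name__ == "__main__":
    print(demo())  # (True, False)
```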
Data for sale
However, shortly after the ISO compromise was announced, the Linux Mint domain was taken offline. As it turns out, not only did the attacker(s) compromise the domain to alter links, they also compromised the user forum. Users are encouraged to change their passwords if the password used on the Linux Mint forum is the same password used anywhere else.
"People primarily at risk are people whose forums password is the same as their email password or as the password they use on popular or sensitive websites. Although the passwords cannot be decrypted, they can be brute-forced (found by trial) if they are simple enough or guessed if they relate to personal information. Out of precaution we recommend all forums users change their passwords," the blog post explaining the second breach said.
The Linux Mint data, including forum accounts (usernames, passwords), forum private messages, and additional personal information that a user may have entered was offered up for sale on Saturday. A well-known market on the Darknet has an ad for the data; everything can be obtained for roughly $85 USD.
The person claiming responsibility for the Linux Mint breach posted part of a configuration file as proof on Reddit. Based on the post, the forum ran phpBB and used a database name of lms14, which was also its database username. The database password was upMint.
In addition to offering proof, the poster said that perhaps "the insanely secure db credentials had something to do with the breach? But what would I know."
Kaiten has been open source since about 2001, so the code isn't something new or unique. Early reports on the hack said the IRC bot was Tsunami, which is technically correct, as that's one of the names used to identify the bot's core code (AV companies use this name too), but the code itself is
Kaiten has been used several times over the years, including attacks on Linux-based VPS deployments, routers, and IoT devices earlier this month. It's even been ported over to OS X.
So while the attack managed to compromise the Linux Mint forum, it looks as if the goal of building a botnet out of hijacked ISOs wasn't at all successful.
On Saturday evening, the person claiming responsibility for the attack spoke to Zack Whittaker over at ZDNet; they claimed the attack was one of opportunity and said the price set for the data was because they needed $85.