This Week in Breaches: Linux Mint

On Saturday, February 20, 2016, Linux Mint project leader Clement Lefebvre confirmed that the website of the community-driven operating system had been hacked. An attacker using the handle “peace_of_mind” is claiming responsibility for the hack of the site, which deceived users into downloading a version of Linux that contained a maliciously placed backdoor.

It was originally reported that only the Linux Mint 17.3 Cinnamon edition was compromised; however, it has now been officially verified that the forum’s user database was also breached. If you have an account on the forum, it is strongly recommended that you change your passwords on all sensitive websites immediately. The database contains the following sensitive information:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature/profile/etc.
  • Any personal information you might have written on the forums (including private topics and private messages)

The data from the forum hack is already for sale on a dark web marketplace for 0.191 Bitcoin, or $85 USD, per download. According to the notification site ‘Have I Been Pwned’, there are 71,000 known exposed accounts. If you think you may be affected by this breach, we recommend that you search the database here.




Lefebvre and the Linux Mint team are also urging everyone who has previously downloaded Linux Mint 17.3 Cinnamon to check the ISO’s MD5 signature using the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO). The valid signatures are below:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso
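
The check described above can be scripted so that the comparison is not done by eye. The following is an added example, not code from the Linux Mint project or from the original post; the function name check_iso is hypothetical, and the checksum list is copied from the one above.

```shell
#!/bin/sh
# Known-good MD5 sums for Linux Mint 17.3 Cinnamon, copied from the list above.
KNOWN_SUMS='6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso'

# check_iso PATH  (hypothetical helper name)
# Returns 0 if the file's MD5 equals one of the published sums,
#         1 if it matches none of them (treat the image as suspect),
#         2 if the file cannot be read.
check_iso() {
    iso=$1
    if [ ! -r "$iso" ]; then
        echo "cannot read: $iso" >&2
        return 2
    fi
    name=$(basename "$iso")
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    # Compare on the hash, not the file name, so a renamed download
    # is still recognised as one of the official images.
    match=$(printf '%s\n' "$KNOWN_SUMS" | awk -v h="$actual" '$1 == h { print $2 }')
    if [ -n "$match" ]; then
        echo "OK: $name matches $match"
        return 0
    fi
    echo "MISMATCH: $name has MD5 $actual, which is not in the published list"
    return 1
}

# Check every ISO path given on the command line.
for f in "$@"; do
    check_iso "$f" || true
done
```

Run it as "sh check_iso.sh yourfile.iso"; any result other than OK means the image should not be booted or installed.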

Lefebvre suggests that if you still have the burnt DVD or USB stick, boot a computer offline (turn off your router if in doubt) with it and let it load the live session. Once in the live session, if the file /var/lib/, is present, it’s an indication of an infected ISO.

The hacker, “peace_of_mind”, spoke to Zack Whittaker from ZDNet in an encrypted chat on Sunday, stating that a “few hundred Linux Mint installs were under his control.” He also claimed that he had stolen an entire copy of the site’s forum twice, on January 28 and again on February 18. Peace_of_mind continued to explain the attack, stating that he found a vulnerability that granted him unauthorized access and then logged on to the admin panel using administration credentials (he would not explain how he acquired them). Once in, he replaced one of the 64-bit Linux images with a modified version that had a backdoor.

Peace_of_mind claimed that there was no specific goal to the attack, but that the motivation was to build a botnet. Whittaker reached out to Dutch threat intelligence analyst Yonathan Klijnsma to help substantiate some of the claims. The attacker used malware dubbed Tsunami, a “manually configured bot that talks to an IRC server and joins a predefined channel, with a password if set by the creator”. This bot can also download files to be executed at a later date, as well as uninstall itself to minimize evidence left behind. Lefebvre has taken the website down, and there is no timeline for when the site will be back online.
