Linux Mint, one of the most popular Linux distributions in the world, was briefly infected with malware this weekend when an attacker replaced the 64-bit ISO download on the official site.
A spin-off from Canonical's Ubuntu Linux, itself a spin-off from Debian, Linux Mint's user-friendliness and accessibility have helped it become one of the most popular consumer-oriented Linux distributions around. That popularity naturally makes it a target, and one attacker hit the mother lode this weekend: gaining access to the official Linux Mint website and replacing the 64-bit ISO files with a version containing a backdoor Trojan.
Based on the Tsunami Trojan, the code inserted into the ISOs would make any system installed from the infected media join an IRC-controlled botnet. From there, anyone with access to the control server could use the systems in distributed denial of service (DDoS) attacks, upload and download arbitrary data, or run any code they desired on the system.
The flaw in the distribution's security can't be traced to Linux itself, however: project founder and lead Clement Lefebvre posted that the attacker took over the website by exploiting an unpatched vulnerability in the popular WordPress content management system. From there, the attacker had full control over the website and used that control to replace the 64-bit Cinnamon Desktop ISO files, replacing the listed MD5 hashes as well - incorrectly referred to as 'signatures' in Lefebvre's post - to allay suspicion.
While the attack was quickly detected, its full extent was not spotted until efforts to clean the infected ISOs from the system were met with resistance, after which the website was taken completely offline. Adding insult to injury, the attacker also made off with a dump of the forum database, including hashed passwords, which he or she is offering for sale on underground sites for just $85.
For the Linux Mint project, the attack has exposed some major failings in its security. Project maintainers have come under criticism for failing to keep their WordPress install up-to-date, for hosting the verification hashes on the same server as the ISOs themselves, for not using TLS-encrypted connections for website or forum traffic, and for relying on MD5 hashes rather than cryptographic signatures to confirm the validity of a given ISO.
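Two of those criticisms, hosting the checksums beside the ISOs and relying on a bare hash rather than a signature, share one root cause: the value the user compares against came from the same host the attacker controlled, so it was not a trust anchor at all. The following script, an added illustration and not code from the Linux Mint project or from the article, models that situation. The filenames, image bytes and the `MirrorServer` class are constructed for the example; the pinned SHA-256 stands in for any anchor obtained through a channel the attacker does not control (in practice a detached GPG signature over the checksum file, checked against a signing key whose fingerprint was obtained independently).

```python
import hashlib
import hmac

# Constructed stand-ins for the real image; the real ISO is hundreds of megabytes.
GENUINE_ISO = b"linuxmint-cinnamon-64bit.iso (constructed sample image bytes)"
TROJANED_ISO = GENUINE_ISO + b"\n[constructed marker standing in for an injected backdoor]"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MirrorServer:
    """Models a download site that publishes the ISO and its MD5 side by side (hypothetical)."""

    def __init__(self, iso: bytes):
        self.iso = iso
        self.published_md5 = md5_hex(iso)

    def compromise(self, new_iso: bytes) -> None:
        # An attacker with control of the web host swaps both artefacts together,
        # so the co-located checksum keeps matching the trojaned download.
        self.iso = new_iso
        self.published_md5 = md5_hex(new_iso)


def verify_against_server_hash(server: MirrorServer) -> bool:
    """Weak check: compare the download with the hash served from the same host.

    This only detects accidental corruption in transit; it cannot detect an
    attacker who controls the host, because they control the hash as well.
    """
    return hmac.compare_digest(md5_hex(server.iso), server.published_md5)


def verify_against_pinned_hash(server: MirrorServer, pinned_sha256: str) -> bool:
    """Stronger check: compare with a value obtained through an independent channel.

    The pinned value plays the role a signed checksum file plays in practice:
    the attacker cannot rewrite it by compromising the download host alone.
    """
    return hmac.compare_digest(sha256_hex(server.iso), pinned_sha256)


def demo():
    """Return the outcome of both checks before and after the host is compromised."""
    server = MirrorServer(GENUINE_ISO)
    # Trust anchor recorded out of band, before the attacker touches the host.
    pinned = sha256_hex(GENUINE_ISO)

    before = (verify_against_server_hash(server), verify_against_pinned_hash(server, pinned))
    server.compromise(TROJANED_ISO)
    after = (verify_against_server_hash(server), verify_against_pinned_hash(server, pinned))
    return before, after


if __name__ == "__main__":
    (weak_before, strong_before), (weak_after, strong_after) = demo()
    print(f"before compromise: server-hash check={weak_before}, pinned check={strong_before}")
    print(f"after compromise:  server-hash check={weak_after}, pinned check={strong_after}")
```

The server-hash check passes in both cases, which is exactly why the replaced MD5 values on the Mint site allayed suspicion; only the check rooted outside the compromised host fails on the trojaned image. Separating the hash from the download (a different server, or a signature verifiable with a key the user already holds) is what turns a checksum from an integrity hint into an authenticity check.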
'What we don’t know is the motivation behind this attack,' complained Lefebvre in the announcement. 'If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.'