We already announced in this blog that there was attacked Linux Mint servers to replace ISO images of the famous Linux distribution by other modified ones that this pirate had created. Thus, all those who have downloaded the ISO of the Linux Mint distribution will have installed on their machine a version that is not the original and that has been tampered with. At the moment the attack was known but the person responsible was not known, now the attacker is known who has even explained how he did it.
Furthermore, the hacker alleges that he not only affected the ISO images in the download area of the official Linux Mint portal, but also other parts like forums, being able to have access to the usernames and passwords of all registered. Something that is a pretty serious security flaw. Having users and passwords from a registry in a forum may not be the worst, but being able to modify the ISOs so that users download modified distros with one purpose (to install a backdoor or backdoor to access the victim computer at will. ).
The person responsible for this, let me not call him "hacker", since "hacker" is quite another thing, he is hacker or cybercriminal calling himself Peace. Three days after his attack he has shown himself, also telling how he could take control of the Linux Mint servers. Something that has affected many, since Linux Mint is one of the most widely used Debian-based distros, behind the almighty Ubuntu. That is, it is not a rare distro that few use ...
But Peace has not shown neither his face nor his identity, it is only known that he lives in Europe and his name in the cyber world. He has also said that he does not belong to any known pirate group, he acts alone. And it all started when he was "walking around Linux Mint servers" in January and came across a vulnerability that allowed him to access the website's admin panel. And a few days later, the vulnerability still hadn't been fixed, so he went in and decided to compile his Linux Mint ISO with a backdoor and have everyone download this image from the mirror links he uploaded.
The ISO was uploaded to a Bulgarian file server. In addition, Peace encourages you to review the back door, as it is not too complex and is open source. So those affected already have entertainment ... Of course the MD5 signature was also varied by Peace to coincide with that of the modified ISO and thus leave those who downloaded it alone. Something that leads us to think if what we download is safe even if it has a verification of the sum of the MD5 hash (in addition, many do not even check it after downloading).
The database of forum logs of the Linux Mint website was also stolen twice and therefore user data has been compromised. But Peace does not stop there, it has also downloaded a whole copy of the forum, the first on January 28 and the second on February 18, so all those registered before this last date have their password and username in the hands of the pirated, since although they were encrypted, Peace says he has been able to decrypt them with ease by taking advantage of a PHPass flaw that managed the site's passwords.
Y Peace has put all the content up for sale: users, passwords, emails, scripts, etc. On the black market of the Deep Web, for a total of 0.197 Bitcoin, that is, $ 85. Above cheap ... If you want to check if your account has been compromised, visit HaveIBeenPwned. And if you have lowered the ISO by this time, your team will be compromised with the backdoor. Format and install a new trusted ISO.