Linux Mint downloads served backdoored ISO
The Linux Mint website, specifically its WordPress installation, was compromised. Attackers modified download links on the site for the Linux Mint 17.3 Cinnamon edition ISO.
Story
The Linux Mint compromise was a website attack against a distribution project. On February 20, 2016, attackers changed the official download page so the Linux Mint 17.3 Cinnamon ISO pointed to a hostile server instead of the normal release path.
The tainted ISO installed a working Linux Mint system plus the Tsunami IRC backdoor. A user could boot, install, and see a normal desktop, while the system also joined attacker-controlled IRC infrastructure for remote commands.
The project narrowed the affected scope to Linux Mint 17.3 Cinnamon downloads made from the website on that day. Torrent downloads and direct links were reported safe. Users who installed the tainted ISO were told to reinstall from clean media, not merely remove a package.
The attackers also obtained a copy of the forum database. That made the incident both a distribution compromise and an account-data breach. Linux Mint rebuilt services, warned forum users to change reused passwords, and pushed users toward checksum verification.
Affected Artifacts
- Observed: 2016-02-20 to 2016-02-21
- Compromised Versions:
- Fixed: Not listed
- Hashes:
  - sha256:307d8420e51d8a237153a5ea6454422ee9360f552eb7ea8ce5f5fcf6b7d3c917
  - md5:e71a2aad8b58605e906dbea444dc4787
- Affected Linux Mint artifact was the Cinnamon Edition ISO.
Incident Context
- Motive: Unauthorized Access Control
- Attribution: Person
- Cause: Compromised Infrastructure
- Transitive: No
- Actor: Individual Hacker
External References
- Beware of hacked ISOs if you downloaded Linux Mint on February 20th (blog.linuxmint.com)
- All forums users should change their passwords (blog.linuxmint.com)
- Linux Mint website hacked, ISO images compromised (zdnet.com)
Source record: oss/attacks/linux_mint/meta.yaml