X-Labs
February 24, 2016

Linux Mint Website Breach Leads to Trojanised Download and Loss of Personal Data

Bappa Dey

Summary

Shortly after the Linux Mint Blog made a 'bad news' announcement, ZDNet and Hot for Security reported that the official Linux Mint website had been compromised and that its download links had been pointed at a tampered 'Linux Mint 17.3 Cinnamon' installer ISO.  The tampered ISO contains a backdoor that allows remote access to any machine installed from it.  The compromise has been attributed to an individual who goes by the handle 'Peace'.  Peace also claimed to have downloaded the forum data from the Linux Mint website twice, on two different dates.  The Linux Mint website has been taken offline by its owner to prevent further downloads.  The Linux Mint author has also published a set of MD5 checksums for the legitimate versions of the Linux Mint ISOs (SEE BELOW).  At the time of writing (22nd February, 11:30 UTC), the official Linux Mint website was still unavailable.

Analysis

Technical Aspects of the Compromise

  • The official Linux Mint website hxxp://www.linuxmint[.com]/ was compromised; the breach was detected on 20th February 2016.
  • The tampered installer (Linux Mint 17.3 Cinnamon edition ISO) contained the 'Tsunami' (aka Kaiten) backdoor, detected as Backdoor.Linux.Tsunami.bh.
  • Kaiten is a known IRC-controlled Denial-of-Service client.
  • According to Linux Mint author Clement Lefebvre, "The hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka[.]com. Both are hosted in Sofia, Bulgaria."
  • The entry point was a vulnerability in the Linux Mint official website; its details have not been disclosed by the intruder.

Behaviour of the Malware

The implanted malware has been documented publicly (SEE: https://gist.github.com/Oweoqi/31239851e5b84dbba894).  The backdoor can be used to run both TCP- and UDP-based DDoS attacks.  It can also place arbitrary files onto the backdoored machine and execute them.  It uses IRC as a Command and Control (C2) channel and contains its own help messages.

C2 Servers

The malware uses the following C2 servers:

updates.absentvodka[.com]
updates.mintylinux[.com]
eggstrawdinarry.mylittlerepo[.com]
linuxmint.kernel-org[.org]

Comparable analysis is available from Kaspersky Lab, who also report having seen arbitrary commands sent to victims, including "smbtree -N" to enumerate SMB file shares reachable on the local network (SEE: https://securelist.com/blog/incidents/73893/beware-of-backdoored-linux-mint-isos/).
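The C2 hostnames above and the hosting address from the Lefebvre quote are the indicators a defender would sweep DNS and proxy logs for. The following script is an added example for this post (not code from the original article or from Linux Mint): it refangs the indicators exactly as printed here, then matches them against log lines, treating subdomains of a C2 domain as hits while keeping look-alike names such as www.kernel.org distinct from linuxmint.kernel-org.org. The lines in SAMPLE_LOG are constructed for the example.

```python
"""Scan DNS and proxy log lines for the Tsunami/Kaiten C2 indicators.

Added example for this post; it is not code from the original article or
from Linux Mint. The indicators are the C2 hostnames listed above (copied in
the post's defanged 'name[.com]' form), the 'absentvodka[.]com' domain and
the 5.104.175.212 hosting address from the Clement Lefebvre quote. The log
lines in SAMPLE_LOG are constructed for this example.
"""
import re

# Indicators exactly as printed in the post (defanged).
DEFANGED_C2_HOSTS = [
    "updates.absentvodka[.com]",
    "updates.mintylinux[.com]",
    "eggstrawdinarry.mylittlerepo[.com]",
    "linuxmint.kernel-org[.org]",
    "absentvodka[.]com",          # apex domain named in the Lefebvre quote
]
C2_IPS = {"5.104.175.212"}        # hosting address of the tampered ISOs


def refang(indicator: str) -> str:
    """Undo the 'name[.com]' / '[.]' / 'hxxp' defanging used in write-ups."""
    return (indicator.replace("[.]", ".")
                     .replace("[", "").replace("]", "")
                     .replace("hxxp", "http"))


C2_HOSTS = [refang(h).lower() for h in DEFANGED_C2_HOSTS]

# Anything that looks like a dotted hostname or a dotted-quad address.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matches_c2(candidate: str, c2_hosts=None, c2_ips=C2_IPS) -> bool:
    """True if candidate is a C2 address, a C2 host, or a subdomain of one.

    Whole-label matching matters: www.kernel.org must not match the
    look-alike linuxmint.kernel-org.org, and vice versa.
    """
    c2_hosts = C2_HOSTS if c2_hosts is None else c2_hosts
    c = candidate.lower().rstrip(".")
    if c in c2_ips:
        return True
    return any(c == h or c.endswith("." + h) for h in c2_hosts)


def scan_log(lines):
    """Return [(line_no, [matched indicators], line)] for every hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        candidates = set(HOST_RE.findall(line)) | set(IP_RE.findall(line))
        matched = sorted(c for c in candidates if matches_c2(c))
        if matched:
            hits.append((no, matched, line))
    return hits


# Constructed sample: two BIND-style query-log lines from a clean client,
# two from a suspect client, then one Squid-style proxy line showing the
# suspect client opening an IRC port on the ISO hosting address.
SAMPLE_LOG = """\
20-Feb-2016 16:41:02.118 queries: info: client 10.0.0.5#53211: query: security.ubuntu.com IN A + (10.0.0.1)
20-Feb-2016 16:41:07.552 queries: info: client 10.0.0.5#53212: query: www.kernel.org IN A + (10.0.0.1)
20-Feb-2016 16:41:09.004 queries: info: client 10.0.0.23#41120: query: updates.absentvodka.com IN A + (10.0.0.1)
20-Feb-2016 16:41:09.730 queries: info: client 10.0.0.23#41121: query: linuxmint.kernel-org.org IN A + (10.0.0.1)
1455986471.200 0 10.0.0.23 TCP_MISS/200 8221 CONNECT 5.104.175.212:6667 - HIER_DIRECT/5.104.175.212 -
"""


def scan_sample():
    """Run the scanner over the constructed sample log."""
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for no, matched, line in scan_sample():
        print(f"line {no}: {', '.join(matched)} <- {line}")
```

Running it flags only the three lines from client 10.0.0.23: the two C2 lookups and the CONNECT to the hosting address on the IRC port. The suffix match on the apex domain is deliberate, since Lefebvre's note names absentvodka[.]com itself while the gist lists the updates. subdomain; a resolver log that only recorded the apex would still be caught.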

Previous Mint Web Site Breaches

Although there has previously been discussion that Mint's patching and update rigour was not optimal (SEE: http://www.infoworld.com/article/2703044/does-linux-mint-need-better-security.html), no previously reported breaches of the site were found.

Previous Security Issues with Mint Linux

Linux Mint is based on the Ubuntu distribution.  Ubuntu releases its own security advisories and tracks CVEs; Mint releases no such advisories of its own.  For this reason no security issues could be found that are specific to Linux Mint.  However, any security issue found in Ubuntu applies downstream to the Mint distribution as well.  Only one CVE has been logged against the Mint distribution (SEE: http://www.cvedetails.com/cve/CVE-2014-1949/).  This was identified in 2014 and was a vulnerability in Ubuntu that was also present in Mint.

Likely Motivations Behind the Breach

According to an interview with 'Peace' by a ZDNet reporter, "The hacker said their prime motivation for the backdoor was to build a botnet."  But the same report also mentioned that "Peace also claimed to have stolen an entire copy of the site's forum twice -- one from January 28, and most recently February 18, two days before the hack was confirmed."  The same ZDNet report also says that a data dump of over 71,000 forum users, including personally identifiable information, has been put up for sale on the DarkNet for 0.197 Bitcoin (~$85), and that ZDNet was able to verify it.  The sale of the data dump points to an immediate financial motive, while the botnet claim points to further malicious plans (SEE: http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/).

Known-Good ISO Checksums

The Linux Mint website has been taken offline.  The Linux Mint author has published the following MD5 checksums for the legitimate versions of the Linux Mint 17.3 Cinnamon ISOs:

6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso

Threats

  • The intruder(s) downloaded the forum data containing hashed passwords, email addresses and dates of birth for over 71,000 Linux Mint forum members.  This data was put up for sale on the DarkNet for 0.197 Bitcoin, or about US$85, per download.
  • Anyone who had a user account on the Linux Mint forum should assume that their username/password pair has been compromised, and change that password (and any other account that reused it).
  • Anyone who downloaded and installed Linux Mint from one of the tampered installers on 20th February may have become part of a botnet.

Mitigations

  • If a suspected compromised ISO has been used to install Linux Mint, the system should be considered for forensic investigation to ascertain whether it has itself been compromised.  When in doubt, rebuild from a trusted and verified ISO.
  • In organisations where users are allowed to bring or build their own workstations, auditing any existing Linux Mint desktops should be considered.

Observations

File Signature Verification

On the user side, the generally recommended mitigation against rogue installers is to check the file's hash value (MD5, SHA-1, SHA-256, etc.) or signature.  But since the intruder had access to the official site itself, they were able not only to upload modified ISO files but also to modify the published hash values for those files, rendering the hash check useless.  A checksum served from the same site as the download only protects against corruption in transit, not against a compromise of that site; a detached signature verified with a key obtained out of band does.  This means that users not only need to check the hash values of any software installers they download but also need to check the source of those hash values.  Fortunately, the hash values of official releases are usually published in more than one location, and users should make sure that there are no discrepancies between the values found in different places.  The Linux Mint site has now posted a blog entry listing the valid checksums for the Linux Mint 17.3 Cinnamon ISOs.
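The two checks described above (digest matches, and the checksum list itself agrees across independently obtained copies) can be scripted. The following is an added example for this post, not code from Linux Mint or the original article. OFFICIAL_LIST is the MD5 list published by the Linux Mint author as printed in this post; the tampered list, the stand-in file and the stand-in digest lists are constructed for the example, because the real ISOs are not available offline.

```python
"""Verify a downloaded ISO against published checksum lists.

Added example for this post, not code from Linux Mint or the original
article. It applies the two points above: the file's digest must match the
published list, and the list itself must be compared across independently
obtained copies, because a list served next to a tampered download is
worthless. OFFICIAL_LIST is the MD5 list published by the Linux Mint author,
as printed in this post; TAMPERED_LIST, the stand-in file and the stand-in
lists are constructed for the example.
"""
import hashlib
import os
import tempfile

OFFICIAL_LIST = """\
6e7f7e03500747c6c3bfece2c9c8394f  linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983  linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238  linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd  linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d  linuxmint-17.3-cinnamon-oem-64bit.iso
"""

# Constructed: the list an attacker controlling the download page could
# publish beside a tampered 64-bit ISO. Only that one line differs.
TAMPERED_LIST = OFFICIAL_LIST.replace(
    "e71a2aad8b58605e906dbea444dc4983", "0123456789abcdef0123456789abcdef")

STANDIN_NAME = "linuxmint-17.3-cinnamon-64bit.iso"
STANDIN_BYTES = b"abc"   # constructed stand-in for the ISO contents
# Digests of b"abc" (the RFC 1321 and FIPS 180 test vectors), used for the
# positive cases because the genuine ISOs are not available here.
STANDIN_MD5_LIST = f"900150983cd24fb0d6963f7d28e17f72  {STANDIN_NAME}\n"
STANDIN_SHA256_LIST = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    f"  {STANDIN_NAME}\n")


def parse_checksum_list(text):
    """Parse md5sum/sha256sum output: '<hex>  <name>' (or '<hex> *<name>')."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def list_disagreements(*texts):
    """Names whose digest differs (or is missing) between copies of the list."""
    parsed = [parse_checksum_list(t) for t in texts]
    names = set().union(*(p.keys() for p in parsed))
    return {n for n in names if len({p.get(n) for p in parsed}) != 1}


def file_digest(path, algorithm):
    """Stream the file through hashlib; ISOs are too large to read at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, *list_texts, algorithm="md5"):
    """Check `path` against every copy of the list; return (ok, reason).

    The copies are expected to come from different places (official site,
    a mirror, a mailing-list post); any disagreement fails closed.
    """
    if not list_texts:
        raise ValueError("at least one checksum list is required")
    bad = list_disagreements(*list_texts)
    if bad:
        return False, f"checksum lists disagree for: {sorted(bad)}"
    expected = parse_checksum_list(list_texts[0]).get(os.path.basename(path))
    if expected is None:
        return False, f"{os.path.basename(path)} is not in the checksum list"
    actual = file_digest(path, algorithm)
    if actual != expected:
        return False, f"{algorithm} mismatch: expected {expected}, got {actual}"
    return True, "ok"


def demo():
    """Run the cases on the constructed stand-in file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, STANDIN_NAME)
        with open(path, "wb") as f:
            f.write(STANDIN_BYTES)
        return {
            # lists fetched from two places disagree: stop before hashing
            "official_vs_tampered": verify_download(path, OFFICIAL_LIST, TAMPERED_LIST),
            # lists agree but the file is not the genuine ISO
            "against_official": verify_download(path, OFFICIAL_LIST, OFFICIAL_LIST),
            # file matches the (stand-in) published digest, MD5 and SHA-256
            "stand_in_md5": verify_download(path, STANDIN_MD5_LIST),
            "stand_in_sha256": verify_download(path, STANDIN_SHA256_LIST, algorithm="sha256"),
        }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'OK' if ok else 'FAIL'} - {reason}")
```

The cross-copy comparison fails closed: if the official page and a mirror disagree on even one line, no digest is computed at all, which is exactly the situation a modified download page creates. The same function takes `algorithm="sha256"`; MD5 is what Linux Mint published for 17.3, but SHA-256 is the better choice wherever the project offers it, and a detached GPG signature checked against a key obtained through a separate channel is better still.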

Verifying Already Installed System(s)

If a system is already running and the integrity of the installer used is uncertain, it is strongly recommended that a complete fresh re-installation from a verified installer is performed (including a full re-format of the drives).

Is Bleeding-Edge Always the Best?

Ubuntu and some of its derivatives (including Mint) support the concept of the 'Personal Package Archive' (PPA).  A PPA allows anyone to start their own 'personal' repository and host software packages for others to download.  Canonical (the company behind Ubuntu) categorically states that "PPAs are not monitored or checked", and therefore users are left to decide whether or not to trust a package available via a PPA.  This makes PPAs a potential vector for malware.

Benefits of Local Mirroring

Local mirroring is usually used by business and educational organisations rather than by home/small business users.  Local mirroring may not provide any benefit at all for home/small business users, since the number of systems involved is likely to be small and the overhead too great.  For medium to large enterprises with a large number of installations, there may be an advantage in running a local mirror.  In that case, the system administrator can manually check and verify the installers/packages before publishing them to the mirror, providing an extra layer of security checks.

Organisation Allowing Employees Build their Own Desktop

In this case, the organisation would effectively be offering a large attack surface to any malicious actor willing to contemplate a similar breach of any Linux distribution site or mirror.  A trade-off could be achieved by the organisation hosting its own local mirror (serving installers verified by the system administrators) and only allowing Linux distributions from the local mirror to be used within the organisation's network.

Home Users

Home users can take precautions when downloading any installer (OS or application) by checking the checksum or signature of the downloaded file, if possible against more than one source, to verify its validity.  It is also highly recommended to use only the official repositories for Linux software updates (apt or yum) and not to use Personal Package Archives unless completely certain of their legitimacy.

Customer Protection

Forcepoint customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 5 (Dropper File) - The backdoored Linux Mint ISOs are detected.
  • Stage 6 (Backchannel Traffic) - Attempts by the Tsunami backdoor to contact its command-and-control server are blocked.

Forcepoint customers are protected against this threat via Forcepoint Threat Protection for Linux at the following stages of attack:

  • Stage 5 (Dropper File) - Backdoor code detected in memory.

REFERENCES

  1. Tampered Linux Mint ISO Linked on Official Website / http://www.hotforsecurity.com/blog/tampered-linux-mint-iso-linked-on-official-website-13433.html
  2. Hacker explains how he put "backdoor" in hundreds of Linux Mint downloads / http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/
  3. Beware of hacked ISOs if you downloaded Linux Mint on February 20th! / Written by Clem on Sunday, February 21st, 2016 @ 1:44 am / http://blog.linuxmint.com/?cat=1
  4. All forums users should change their passwords / http://blog.linuxmint.com/?p=3001
  5. Ubuntu Security Notices / http://www.ubuntu.com/usn/utopic/
  6. Ubuntu CVE Tracker / http://people.canonical.com/~ubuntu-security/cve/main.html
  7. Linux Mint hack: 71,000 user accounts stolen and malware planted using Tsunami backdoor / http://www.ibtimes.co.uk/linux-mint-hack-malware-planted-in-17-3-cinnamon-iso-and-71000-user-accounts-stolen-with-tsunami-backdoor-1545254
  8. Linux Mint hacked: Malware-infected ISOs linked from official site / http://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_isos_linked_from_official_site/
  9. IRC based distributed denial of service client (Tsunami / Kaiten) / https://dl.packetstormsecurity.net/irc/kaiten.c
  10. How to use PPAs to install bleeding-edge software in Ubuntu and Linux Mint / http://www.pcworld.com/article/2942171/how-to-use-ppas-to-install-bleeding-edge-software-in-ubuntu-and-linux-mint.html
  11. man.cy from malicious Linux Mint ISO / https://gist.github.com/Oweoqi/31239851e5b84dbba894
  12. Beware of Backdoored Linux Mint ISOs / https://securelist.com/blog/incidents/73893/beware-of-backdoored-linux-mint-isos/

Blog contributors: Bappaditaya Dey, Nicholas Griffin, Andrew Settle


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.