A lone hacker who duped hundreds of users into downloading a version of Linux with a backdoor installed has revealed how it was done.
News broke on Saturday that the website of Linux Mint, said to be the third most-popular Linux operating system distribution, had been hacked, and was tricking users all day by serving up downloads that contained a maliciously-placed “backdoor.”
The surprise announcement of the hack was made Saturday by project leader Clement Lefebvre, who confirmed the news.
Lefebvre said in a blog post that only downloads from Saturday were compromised, and subsequently pulled the site offline to prevent further downloads.
The hacker responsible, who goes by the name “Peace,” told me in an encrypted chat on Sunday that a “few hundred” Linux Mint installs were under their control — a significant portion of the thousand-plus downloads during the day.
But that’s only half of the story.
Peace also claimed to have stolen an entire copy of the site’s forum twice — one from January 28, and most recently February 18, two days before the hack was confirmed.
The hacker shared a portion of the forum dump, which we verified contains some personally identifiable information, such as email addresses, birthdates, profile pictures, as well as scrambled passwords.
Those passwords might not stay that way for much longer. The hacker said that some passwords have already been cracked, with more on the way. (It’s understood that the site used PHPass to hash the passwords, which can be cracked.)
Lefebvre confirmed on Sunday that the forum had been breached.
It later emerged that the hacker had placed the “full forum dump” on a dark web marketplace, a listing we were also able to verify that exists. The listing was going for about 0.197 bitcoin at the time of writing, or about $85 per download.
Peace confirmed the listing was theirs. “Well, I need $85,” the hacker said jokingly.
About 71,000 accounts have been loaded into breach notification site HaveIBeenPwned, it announced on Sunday. Just less than half of all accounts were already in the database. (If you think you might be affected by the breach, you can search its database for your email address.)
Peace declined to give their name, age, or gender, but did say they lived in Europe and had no affiliations to hacking groups. The hacker, known to work alone, has previously offered private exploit services for known vulnerabilities services on private marketplace sites they’re associated with.
After a detailed conversation, the hacker explained how the multilayered attack was carried out.
Peace was “just poking around” the site in January when they found a vulnerability granting unauthorized access. (The hacker also said they had the credentials to log in to the site’s admin panel as Lefebvre, but was reluctant to explain how in case it proved useful again.) On Saturday, the hacker replaced one of the 64-bit Linux distribution images (ISO) with one that was modified by adding a backdoor, and later decided to “replace all mirrors” for every downloadable version of Linux on the site with a modified version of their own.
The backdoored version isn’t as difficult as you’d think. Because the code is open-source, the hacker said it took them just a few hours to repack a Linux version that contained the backdoor.
The hacker then uploaded the files to a file server located in Bulgaria, which took the longest “because of slow bandwidth.”
The hacker then used their access to the site to change the legitimate checksum — used to verify the integrity of a file — on the download page with the checksum of the backdoored version.
“Who the f**k checks those anyway?” the hacker said.
It was about an hour later when Lefebvre began to take down the project’s website.
The website has been down for most of Sunday, potentially losing thousands of downloads. The operating system distro has a big following for the Linux crowd. There are at least six million Linux Mint users at the last unofficial count, thanks to in part its friendly user interface.
Peace said the first hacking episode started late January, but peaked when they “started spreading the backdoored images early morning [Saturday],” the hacker said.
The hacker said there was no specific goal to their attack, but said that their prime motivation for the backdoor was to build a botnet. The hacker used malware dubbed Tsunami, an easy-to-implement backdoor, which when activated quietly connects to an IRC server where it waits for commands.
Yonathan Klijnsma, senior threat intelligence analyst working at Dutch security firm Fox-IT, said Tsunami is often used to take down websites and servers — by sending a “tsunami” of traffic to knock its target offline.
“[Tsunami] is a simple manually configurable bot which talks to an IRC server and joins a predefined channel, with a password if set by the creator,” said Klijnsma. But it isn’t just used to launch web-based attacks, it can also allow its creator to “execute commands and download files to the infected system to later execute, for example,” he added.
Not just that, the malware can uninstall itself on affected machines to limit traces of evidence it leaves behind, said Klijnsma, who helped me to review and verify some of the hacker’s claims.
For now, the hacker’s motive was “just having access in general,” but they did not rule out using the botnet to carry out data mining or any other nefarious means. In the meanwhile, the hacker’s botnet is still up and running, but the number of infected machines “dropped significantly since the news broke obviously,” Peace confirmed.
Lefebvre did not return an email for comment on Sunday. The project’s website is down, with no timeline on when the project will be back.