Hackers are cybercriminals, and like any criminal they sometimes want to show off their skills. Linux Mint was hacked in February by what has since been revealed to be a lone hacker. The third biggest Linux OS distribution site spent an entire day duping visitors into downloading a malicious version of the distribution fitted with a backdoor. The project's manager, Clement Lefebvre, confirmed the hack in a blog post. The site was taken offline immediately to stop further downloads, but that is of little comfort to everyone who had already taken the bait.
The hacker goes by the handle “Peace,” and joined an encrypted conversation with Lefebvre. Peace claims that “a few hundred” visitors who downloaded the hacked version are now under their control. It is estimated that over one thousand downloads took place, suggesting that a sizable share of those who downloaded it are exposed to Peace’s attacks. However, here is where it gets interesting.
Victims Use Backdoor
Peace says a copy of the site’s forum has already been stolen twice, in January and February of this year. The latest alleged theft took place just two days before the attack. Part of the forum dump was shared with Lefebvre, and it has been verified as containing personal data (birthdays, scrambled passwords, email addresses, and photos). Peace is the kind of hacker who wants to showboat.
There is no telling how long the passwords will stay scrambled, with Peace claiming that some have already been untangled, and promising more. The site depends on PHPass for password protection, which is crackable. Peace put the “full forum dump” onto an online black marketplace, and the listing has been verified. It was selling for 0.197 bitcoins ($85) per download when first confirmed. Peace has also confirmed this, saying, “Well, I need $85.”
Life’s a Breach
Around 71,000 accounts have been loaded onto Have I Been Pwned, and fewer than 50 percent were already in its database. It is a safe, user-friendly site where you can search for an email address to see whether you may be a victim. As for Peace, he/she chose not to self-identify by age, gender, or name, but claims to live in Europe and work solo. Peace has also claimed a number of previous hacks.
Peace says that by “just poking around” in January, a vulnerability was spotted. Peace already has access to the site’s admin panel, but didn’t offer more details in case that access is useful again in the future. The hack was carried out by swapping a 64-bit Linux distribution image for a modified one containing the backdoor, then swapping the mirrors for every downloadable version to point at the modified image. As for the site, it is unclear whether this attack was preventable. It does not use the best protective measures, as the use of the crackable PHPass makes clear. Preventative measures, from using virtual private server (VPS) hosting to un-crackable third-party sites, are the first step in ending Peace’.
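The swap described above only works while nobody checks the image against a digest published out of band. The following is an added example, not code from the article or from the Linux Mint project: it verifies a downloaded image against a sha256sum-style checksum list, with a constructed fixture in place of the vendor’s real SHA256SUMS file and a constructed filename. The checksum list itself has to come from a trusted source such as a signed file or a mirror the attacker does not control, since a compromised download page can serve a matching fake digest.

```python
import hashlib
import os
import tempfile

# Constructed fixture standing in for a vendor's published SHA256SUMS file.
# The digest is SHA-256 of the bytes b"abc", which plays the "genuine" image here.
# A real checksum list must be fetched from a trusted, signed source, not from the
# same page that served the download.
SHA256SUMS = """
# SHA256SUMS (constructed example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *linuxmint-example.iso
"""

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-GB ISO never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex> [*]<filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) == 64 and name:
            expected[name] = digest.lower()
    return expected

def verify_image(path, sums_text):
    """True only if the file's digest matches the published entry for its basename."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False  # no published digest: treat as unverified, never as trusted
    return sha256_file(path) == expected[name]

def demo():
    """Write a genuine and a swapped image under the same filename; return verdicts."""
    verdicts = {}
    for label, content in (("genuine", b"abc"), ("swapped", b"abc\x00backdoor")):
        path = os.path.join(tempfile.mkdtemp(), "linuxmint-example.iso")
        with open(path, "wb") as f:
            f.write(content)
        verdicts[label] = verify_image(path, SHA256SUMS)
    return verdicts
```

The swapped file carries the same name as the genuine one, so only the digest comparison tells them apart, which is exactly the check a mirror substitution defeats when it is skipped.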