Even when downloading data from a trusted site, users must check that those files haven’t surreptitiously been replaced by an attacker.
Case in point: Hackers recently broke into a website that hosts a particularly popular Linux distribution, and then used it to spread their own, backdoored version of the open-source operating system.
On Sunday, developers of Linux Mint, a particular flavour of Linux, announced that for a short time their website was hosting a malicious version of the distribution.
“I'm sorry I have to come with bad news,” the post started. “We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.”
The hackers, according to the post, created their own backdoored version of Linux Mint 17.3 Cinnamon edition, for both 32 and 64-bit architectures. They also broke into the Linux Mint website that hosts the .ISO for the operating system, and directed visitors to their malicious version, rather than the authentic one people probably presumed they would be downloading.
“The situation happened today, so it should only impact people who downloaded this edition on February 20th,” the Linux Mint post continued. “If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.”
At the moment, it's not clear how powerful this particular backdoor is, but Yonathan Klijnsma, a senior threat intelligence analyst from cybersecurity company FoxIT tweeted that it was a run-of-the-mill IRC bot. The backdoor, according to the Linux Mint post, connects to “absentvodka.com,” and the hacked .ISOs are hosted on 22.214.171.124.
“Both lead to Sofia, Bulgaria, and the name of three people over there. We don’t know their roles in this, but if we ask for an investigation, this is where it will start,” the post continues. “What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.”
The backdoor is not the only thing Linux Mint users might have to worry about, though. An apparent copy of the site's database is for sale on The Real Deal, a recently relaunched marketplace on the so-called dark web. It's unknown what exactly the supposed database contains, and whether any passwords are hashed or in the clear, but the data is being sold for 0.1972 bitcoins, or around $85 at today's exchange rates.
Those possibly affected can check their .ISO of Linux Mint by comparing its MD5 hash. MD5 is one way of generating a cryptographic hash; that is, a unique series of characters that can be used to verify whether a piece of data has been tampered with. For example, the MD5 sum of “Go on, cook me up a hash,” is 458d73c2cfd2aa44b16dbd6d5377ce1e. If any part of that sentence was changed, the hash would be completely different.
Naturally, that also applies to any part of an operating system, allowing users to make sure whether they downloaded the legitimate version of Linux Mint or not, by comparing their hashes to those on the Linux Mint site (at the time of writing, the site is offline, however). And this is assuming that those MD5s haven't been tampered by the hackers too, of course.
Vigilant users would have already verified the .ISO file when they originally downloaded it. But, it seems that not everyone would do that, especially when the files were sourced from an ostensibly trust-worthy site. This episode should act as a crucial reminder that you should always double-check your downloads if possible, and especially those for operating systems.