Hundreds of Linux machines backdoored, as the hacker’s botnet is still operational

In our previous article, we reported how the Linux Mint website was hacked and used to trick users into downloading a fake Linux Mint ISO with a backdoor.

Now, in an encrypted chat on Sunday, the person responsible for the hack, who goes by the name “Peace,” told ZDNet that a “few hundred” Linux Mint installs were under their control, a substantial portion of the thousand-plus downloads that day.

Peace also stated that they had stolen a complete copy of the site’s forum twice: first on January 28, and most recently on February 18, just two days before the hack was carried out.

The hack affected not only the forum usernames, but also passwords (hashed), email addresses, birthdates, profile pictures, any information in signatures and anything posted on the forums, including private messages and private topics. The hacker claims to have cracked some of the passwords already, with many more in the pipeline. (The site is believed to have used PHPass to hash the passwords, and such hashes can be cracked.)

Clement Lefebvre, leader of the Linux Mint project, confirmed on Sunday that the forum had been breached. He said “It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.”

In fact, the hacker had put the forum database up for sale on a dark web marketplace (listed as a Linuxmint.com shell, PHP mailer and full forum dump) for a meagre $85 (about 0.197 bitcoin).

Confirming that the listing was theirs, Peace said jokingly, “Well, I need $85.”

On Sunday, it was announced that about 71,000 accounts (less than half of all accounts in the database) had been loaded into the breach notification site HaveIBeenPwned. If you think you may have been affected by the breach, you can search its database for your email address.

While Peace said that they lived in Europe and had no association with hacking groups, they refused to provide details such as their name, age, or gender.

In January, Peace was “just poking around” the site when they discovered a vulnerability that allowed them to access it without any authorization. (The hacker also said they had credentials to log in to the site’s admin panel as Lefebvre, but was hesitant to describe how those proved useful.) On Saturday the hacker then swapped one of the 64-bit distribution images (ISO) for one modified to include a backdoor, and afterwards decided to “replace all mirrors” for every downloadable version of Linux Mint on the site with modified versions of their own.

The hacker said that because the code is open source, producing the backdoored version was not as hard as one might think: it took them just a few hours to repack a version of the distribution with the backdoor included.

The hacker then uploaded the files to a file server in Bulgaria, which took the longest “because of slow bandwidth.”

The easiest way to get users to accept the backdoored version was to replace the checksum published on the website (which users rely on to verify the integrity of a download) with the checksum of the backdoored image, so that a comparison against the published value would still match.

The hacker said, “Who the f**k checks those anyway?”
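As an added example (not code from the article or from the Linux Mint project), the following POSIX shell verifier shows why the checksum swap works and what closes the gap. It assumes the project publishes the ISO, a sha256sum.txt list and a detached signature sha256sum.txt.gpg over that list, and that the user has obtained the signing key’s fingerprint out of band; the checksum-only check is what users relied on and is fooled when both files are replaced, while the signature-gated check refuses unless the pinned key signed the list.

```shell
# verify_iso ISO SUMS SIG PINNED_FPR
# Returns 0 only when (1) the detached signature on the checksum list verifies
# against the pinned key fingerprint and (2) the ISO's SHA-256 matches the
# entry for its filename in that list. Any other outcome is a failure.
# File names and the fingerprint are assumptions for illustration.
verify_iso() {
    iso=$1; sums=$2; sig=$3; pinned=$4
    # Step 1: trust the checksum list only if the pinned key signed it.
    # gpg's machine-readable status line looks like
    #   [GNUPG:] VALIDSIG <fingerprint> <date> ... <primary-key-fingerprint>
    # so the pinned primary fingerprint must appear as a whole word on it.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 2
    printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | grep -qw "$pinned" || return 2
    # Step 2: only a list that passed step 1 is worth comparing the image against.
    checksum_matches "$iso" "$sums"
}

# checksum_matches ISO SUMS -> 0 if ISO's SHA-256 equals the entry for its
# filename in SUMS. This is the check the article's victims relied on, and it
# passes just as happily when the attacker has replaced both the image and the
# co-hosted list, which is exactly what happened here.
checksum_matches() {
    iso=$1; sums=$2
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    name=$(basename "$iso")
    # sha256sum lists "<hash>  <name>" (text mode) or "<hash> *<name>" (binary).
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}
```

Run as `verify_iso linuxmint.iso sha256sum.txt sha256sum.txt.gpg <fingerprint>` after importing the project key; a return code of 2 means the list itself could not be trusted, 1 that the image does not match a trusted list.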

Known to work alone, the hacker has in the past sold private exploit services for known vulnerabilities on private marketplace sites they are connected with.

The first hacking episode began in late January, but escalated when they “started spreading the backdoored images early morning [Saturday],” the hacker said.