On Sunday, the Linux Mint team informed the world through its blog that hackers had managed to compromise Linux Mint's download pages, so that the download link for Linux Mint 17.3 Cinnamon edition would point to a phony mirror which hosted an infected version of the operating system. The malicious ISO contained a backdoor known as TSUNAMI which makes it possible for a hacker to add infected computers to a botnet.
The TSUNAMI detection update came as part of mintUpdate 18.104.22.168, which was pushed out to Mint users on Tuesday. Rather than removing the backdoor, the patch just does a check for suspect files, if any are found the user is told their machine is infected by TSUNAMI and that they should go offline immediately, re-download Linux Mint and completely re-install it.
After the news regarding the malicious ISOs, the Mint team took to their blog again to notify users that the forums had been compromised too. Data leaked in that attack includes: avatars, dates of birth, email addresses, geographic location, IP addresses, passwords (encrypted, but potentially crackable via brute-force attacks), time zones, website activity. Unfortunately, these details have appeared online for sale.
Regarding the forum attacks, users should change their passwords on other sites where the same password has been used. Clem Lefebvre, founder of Mint, recommends that users should change their email password first and that passwords shouldn't be the same of different websites. To check if you're affected by this hack, pop your email into the search on 'Have I been pwned' which will tell you if your data was stolen.
The attacks have been a wake up call for the Linux Mint developers and its community. An immediate step that will be taking place soon - but wouldn't have mitigated this attack - is the switch to HTTPS on Linux Mint website. This will protect users on their end but does nothing to stop site intrusions. Others have pointed out that the Wordpress login page (which the Mint site uses) is in its default location and should be moved and restricted so that only authorised people can gain access to it.
The Linux Mint site is online as of writing, with all links fixed. The Mint forums are still offline.
Update: The Linux Mint forums are now back online with more security implemented.
Image via DeviantArt (calexil)