“It was reported that Linux Mint had their website compromised and the hackers managed to point links for their official “Cinnamon” edition to an alternative compromised version. The issue, as far as we can tell, only extends to the ISO versions of the Mint distribution and not the repositories from which systems pull their updates. This means that everyone who installed Linux Mint from an ISO image downloaded through the link on the Linux Mint website has a potentially back-doored version running. This can easily be identified by looking for the file /var/lib/man.cy, which is a backdoor that allows the attackers to interact with the system using IRC.
Once again we are reminded of what we need to do to make sure we use valid software, especially when we download it from the Internet:
Always prefer HTTPS over HTTP for software downloads. Do verify the SSL certificate in case you are questioning the source.
Obtain the MD5/SHA1 checksums IF they can be obtained from a validated source. In this case, the attackers would’ve modified the checksums as well as the links to the images, so if you obtained the checksums from the same site, this would not have triggered any warnings.
It is preferred to work from a known good image that you obtained a while ago and update/upgrade packages from there over quickly downloading a new ISO.”
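The two checks the statement recommends, verifying a downloaded image against a checksum obtained independently of the download page and looking for the /var/lib/man.cy indicator on an installed system, as an added example in POSIX shell. This is not code from the statement, from Rapid7 or from the Linux Mint project; it uses SHA-256 rather than the MD5/SHA1 mentioned above (a deliberate generalization), and the function names, the optional signed-checksum-file names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against an out-of-band checksum and
# check a filesystem root for the /var/lib/man.cy backdoor indicator.
# Function names and file names below are illustrative assumptions.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_image <iso path> <expected hex digest>
# Returns 0 on match, 1 on mismatch. The expected digest must come from a
# source independent of the download page (a signed checksum file whose
# signature was checked against a key you already held, or a copy recorded
# earlier), otherwise an attacker who edits the page edits the digest too.
verify_image() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# verify_signed_checksums <checksum file> <detached signature>
# Optional step: check the checksum list's detached OpenPGP signature before
# trusting any digest in it. Requires the signing key to already be in the
# local keyring (obtained from a trusted, earlier source, not the same page).
# File names are assumptions; Linux Mint publishes its own names.
verify_signed_checksums() {
  gpg --verify "$2" "$1"
}

# check_backdoor_indicator [root]
# Returns 0 if the indicator path from the statement is absent under the
# given root (default: the live system), 1 if it is present.
check_backdoor_indicator() {
  root=${1:-}
  if [ -e "$root/var/lib/man.cy" ]; then
    echo "WARNING: $root/var/lib/man.cy present; treat system as compromised" >&2
    return 1
  fi
  return 0
}

# Stand-alone demonstration on constructed input (not a real ISO):
# a file whose SHA-256 is known, a tampered copy, and a fake root.
if [ "${DEMO:-}" = "1" ]; then
  d=$(mktemp -d)
  printf 'hello\n' > "$d/good.iso"
  printf 'hellp\n' > "$d/tampered.iso"
  known=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  verify_image "$d/good.iso" "$known" && echo "good.iso: checksum OK"
  verify_image "$d/tampered.iso" "$known" || echo "tampered.iso: checksum MISMATCH"
  check_backdoor_indicator "$d" && echo "$d: indicator absent"
  mkdir -p "$d/var/lib" && : > "$d/var/lib/man.cy"
  check_backdoor_indicator "$d" || echo "$d: indicator present"
  rm -rf "$d"
fi
```

Run with `DEMO=1 sh verify.sh` to see the constructed demonstration; source the file to reuse the functions against a real image and a mounted disk (`check_backdoor_indicator /mnt/suspect`). The check for /var/lib/man.cy only detects the specific indicator named in the statement; its absence does not by itself prove an image was clean.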
Rapid7 security data and analytics software and services help organizations reduce the risk of a breach, detect and investigate attacks, and build effective IT security programs. With comprehensive real-time data collection, advanced correlation, and insight into attacker techniques, Rapid7 strengthens an organization’s ability to defend against everything from opportunistic drive-by attacks to advanced threats. Unlike traditional vulnerability management and incident detection technologies, Rapid7 provides visibility, monitoring, and insight across assets and users from the endpoint to the cloud. Dedicated to solving the toughest security challenges, Rapid7 offers proprietary capabilities to spot intruders leveraging today’s #1 attack vector: compromised credentials. Rapid7 is trusted by more than 3,700 organizations across 90 countries, including 30% of the Fortune 1000.