The Xubuntu team has shared details on last month’s worrying website hijack, pinpointing how the attack happened and the steps it’s taking to prevent a repeat.

As detailed in our coverage back in October, the official Xubuntu download page began serving a malicious .zip file to users attempting to download the official torrent on October 15.

Though the dodgy download link was quickly detected and dealt with, questions were raised as to how it was able to happen in the first place and whether any other downloads were impacted.

Today the Xubuntu team has answers from an incident report given to it by the Canonical Security team.

How Xubuntu’s website was hijacked

Xubuntu team members Elizabeth K. Joseph, Pasi Lallinaho and Sean Davis say in their post-mortem that the breach was isolated to the Xubuntu.org website itself.

Their website runs on WordPress, and is maintained by Canonical rather than themselves.

In mid-October, a malicious actor — not the Jared Leto variety — brute-forced a ‘vulnerable component’ in the WordPress installation.

Code injection replaced Xubuntu’s legitimate torrent links to instead download a compromised ZIP file.

Inside the dodgy ZIP? A Windows executable (.exe) containing malware that, according to Reddit sleuths who dissected it at the time, was intended to intercept cryptocurrency account links a user copied to their clipboard.

If you downloaded a file named Xubuntu-Safe-Download.zip from Xubuntu’s website in mid-October, you should nuke it from orbit and then run a trusted anti-virus programme on the same system.

That ZIP aside, nothing else was accessed, affected or interfered with on the website or on linked infrastructure:

  • Safe: cdimages.ubuntu.com and official repositories
  • Safe: Official ISO/sync mirrors
  • Safe: Xubuntu build systems and packages
  • Safe: Your installed version of Xubuntu

As soon as the malware was flagged, Canonical’s security team locked down the Xubuntu website and disabled torrent links to contain the spread.

Though the blast radius was mercifully minimal, the team acknowledges the incident itself was a ‘serious breach of trust’ and says it is ‘incredibly sorry for the impact it caused’.

“We took this all very seriously and have taken a close look at how we manage our online presence and what steps we can take as a team to prevent this sort of thing in the future.”

Canonical’s security team worked to identify the method used to obtain unauthorised access, remove malicious code and injected files, roll back to a last-known good state, and harden the WordPress install.

Is that enough?

Website Switch from WordPress to Hugo

Xubuntu is keen to prevent history repeating itself. Its official website may be all-clear of ill-wares, but it plans to migrate from WordPress to Hugo, a static site generator. The move will ‘eliminate the type of attack vector taken advantage of’.

Plans to revamp its web presence had been in the offing for some time, but the security incident has given them some impetus to get on and do it.

Community Stars

If there’s a bright side to this, it’s from the stars in the Xubuntu community who came together to help protect and warn each other – from noticing and reporting the issue in the first place, to sharing checksums and alternative download links with concerned users.

“This is the community we all love being a part of,” the team say, noting there was an “outpouring of support and reassurance from many people who were doing what they could to keep us all safe from malicious downloads.”

What’s Next?

Security snafu sorted, and slick new static website coming soon, Xubuntu’s developers are shifting their focus back to the code — there’s a new Long-Term Support (LTS) release on the way, after all!

Xubuntu is actively seeking new contributors – you don’t need to be a security expert to help out, as tasks like documentation, testing, and community support are valuable contributions too. See the Xubuntu Contribute page to learn more.

Thanks Pleia2