ISC Website Served Malware Following Hack Attack

The official website of the Internet Systems Consortium (ISC) was hacked just before Christmas and set up to serve malware to visitors, researchers at security firm Cyphort reported.

ISC.org has been shut down after the organization was notified about the attack and the website has been down for maintenance ever since. Cyphort said it alerted ISC on December 22 and the site was cleaned up by the next day.

ISC’s website and blog are powered by WordPress. The attackers modified the homepage of isc.org so that its visitors were redirected to a server hosting the Angler exploit kit, the researchers said.

The exploit kit was set up to leverage vulnerabilities in Internet Explorer, Flash and Microsoft Silverlight to push malware onto visitors’ systems.

In this particular attack, Angler injected the malicious code directly into the victim machine’s memory. This variant of the exploit kit was first spotted this summer by the French malware researcher known as “Kafeine.”

Attacks targeting ISC can have serious consequences because the organization is responsible for the development of BIND, the most widely used Domain Name System (DNS) software. ISC also operates one of the 13 Internet root name servers. However, the organization says damage appears to be limited to its website; other resources are not affected.

“Our website runs on a separate machine, isolated from the rest of our infrastructure, and no critical information was lost or other systems compromised. The web site virus had no impact on our ftp server, our source code archives, our f-root server, our internal network, or any other ISC infrastructure or systems,” ISC representatives told SecurityWeek.

The organization says targeted attacks against its systems are not uncommon, but this incident doesn’t appear to be one of them.

“Like many small businesses, we operate a small website using WordPress. Our WordPress installation was compromised and became infected. Our current theory is that we were using a compromised WordPress plug-in that installed a backdoor, but we do not know for sure how the backdoor was installed. Our theory is mostly based on the information that Sucuri.net has published about a WordPress vulnerability called ‘soaksoak’,” ISC explained.

ISC is advising users who visited the site recently to scan their computers for malware.

“We have not had any reports of any client machines that have been infected from our website. If you believe you have caught a virus from our web site, please let us know, by email to [email protected],” ISC said on its website.

Until the website is restored, BIND and ISC DHCP can be downloaded from the organization’s FTP server. ISC has also provided users with information on how to check the integrity of downloaded files.

“Our site will be back up this week. We are rebuilding the website from scratch. We did a fresh install of WordPress, with tighter security settings. An engineer is manually inspecting all our content for anything that should not be there. This is quite a time-consuming process, but we think it is the only way to ensure that there are no backdoors or malicious files,” ISC representatives said.

Earlier this month, ISC released updates to address several remotely exploitable vulnerabilities in BIND. One of the security bugs, which affected multiple DNS resolvers, was discovered by Florian Maury of the French government information security agency ANSSI, and it could have been exploited to cause the software to crash.

ISC is not the only high-profile Internet organization hacked this month. The Internet Corporation for Assigned Names and Numbers (ICANN) suffered a data breach after its employees fell victim to a spear phishing attack.

*Updated with clarifications from ISC

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
