
ISC Website Served Malware Following Hack Attack

The official website of the Internet Systems Consortium (ISC) was hacked just before Christmas and set up to serve malware to visitors, researchers at security firm Cyphort reported.

The site has been shut down after the organization was notified about the attack, and it has been down for maintenance ever since. Cyphort said it alerted ISC on December 22 and the site was cleaned up by the next day.

ISC’s website and blog are powered by WordPress. The attackers modified the site’s homepage so that its visitors were redirected to a server hosting the Angler exploit kit, researchers said.

The exploit kit was set up to leverage vulnerabilities in Internet Explorer, Flash and Microsoft Silverlight to push malware onto visitors’ systems.

In this particular attack, Angler injected the malicious code directly into the victim machine’s memory. This variant of the exploit kit was first spotted this summer by the French malware researcher known as “Kafeine.”

Attacks targeting ISC can have serious consequences because the organization is responsible for the development of BIND, the most widely used Domain Name System (DNS) software. ISC also operates one of the 13 Internet root name servers. However, the organization says damage appears to be limited to its website; other resources are not affected.

“Our website runs on a separate machine, isolated from the rest of our infrastructure, and no critical information was lost or other systems compromised. The web site virus had no impact on our ftp server, our source code archives, our f-root server, our internal network, or any other ISC infrastructure or systems,” ISC representatives told SecurityWeek.

The organization says targeted attacks against its systems are not uncommon, but this incident does not appear to be one of them.

“Like many small businesses, we operate a small website using WordPress. Our WordPress installation was compromised and became infected. Our current theory is that we were using a compromised WordPress plug-in that installed a backdoor, but we do not know for sure how the backdoor was installed. Our theory is mostly based on the information that has been published about a WordPress vulnerability called ‘soaksoak’,” ISC explained.

ISC is advising users who visited the site recently to scan their computers for malware.

“We have not had any reports of any client machines that have been infected from our website. If you believe you have caught a virus from our web site, please let us know, by email to [email protected],” ISC said on its website.

Until the website is restored, BIND and ISC DHCP can be downloaded from the organization’s FTP server. ISC has also provided users with information on how to check the integrity of downloaded files.

“Our site will be back up this week. We are rebuilding the website from scratch. We did a fresh install of WordPress, with tighter security settings. An engineer is manually inspecting all our content for anything that should not be there. This is quite a time-consuming process, but we think it is the only way to ensure that there are no backdoors or malicious files,” ISC representatives said.

Earlier this month, ISC released updates to address several remotely exploitable vulnerabilities in BIND. One of the security bugs, which affected multiple DNS resolvers, was discovered by Florian Maury of the French government information security agency ANSSI, and it could have been exploited to cause the software to crash.

ISC is not the only high-profile Internet organization hacked this month. The Internet Corporation for Assigned Names and Numbers (ICANN) suffered a data breach after its employees fell victim to a spear phishing attack.

*Updated with clarifications from ISC

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
