The official website of the Internet Systems Consortium (ISC) was hacked just before Christmas and set up to serve malware to visitors, researchers at security firm Cyphort reported.
ISC.org has been shut down after the organization was notified about the attack and the website has been down for maintenance ever since. Cyphort said it alerted ISC on December 22 and the site was cleaned up by the next day.
ISC’s website and blog are powered by WordPress. The attackers modified the homepage of isc.org so that its visitors were redirected to a server hosting the Angler exploit kit, researcher said.
The exploit kit was set up to leverage vulnerabilities in Internet Explorer, Flash and Microsoft Silverlight to push malware onto visitors’ systems.
In this particular attack, Angler injected the malicious code directly into the victim machine’s memory. This variant of the exploit kit was first spotted this summer by the French malware researcher know as “Kafeine.”
Attacks targeting ISC can have serious consequences because the organization is responsible for the development of BIND, the most widely used Domain Name System (DNS) software. ISC also operates one of the 13 Internet root name servers. However, the organization says damage appears to be limited to its website; other resources are not affected.
“Our website runs on a separate machine, isolated from the rest of our infrastructure, and no critical information was lost or other systems compromised. The web site virus had no impact on our ftp server, our source code archives, our f-root server, our internal network, or any other ISC infrastructure or systems,” ISC representatives told SecurityWeek.
The organization says targeted attacks against its systems are not uncommon, but this doesn’t appear to be the case.
“Like many small businesses, we operate a small website using WordPress. Our WordPress installation was compromised and became infected. Our current theory is that we were using a compromised WordPress plug-in that installed a backdoor, but we do not know for sure how the backdoor was installed. Our theory is mostly based on the information that Sucuri.net has published about a WordPress vulnerability called ‘soaksoak‘,” ISC explained.
ISC is advising users who visited the site recently to scan their computers for malware.
“We have not had any reports of any client machines that have been infected from our website. If you believe you have caught a virus from our web site, please let us know, by email to security-officer@isc.org,” ISC said on its website.
Until the website is restored, BIND and ISC DHCP can be downloaded from the organization’s FTP server. ISC has also provided users with information on how to check the integrity of downloaded files.
“Our site will be back up this week. We are rebuilding the website from scratch. We did a fresh install of WordPress, with tighter security settings. An engineer is manually inspecting all our content for anything that should not be there. This is quite a time-consuming process, but we think it is the only way to ensure that there are no backdoors or malicious files,” ISC representatives said.
Earlier this month, ISC released updates to address several remotely exploitable vulnerabilities in BIND. One of the security bugs, which affected multiple DNS resolvers, was discovered by Florian Maury of the French government information security agency ANSSI, and it could have been exploited to cause the software to crash.
ISC is not the only high-profile Internet organization hacked this month. The Internet Corporation for Assigned Names and Numbers (ICANN) suffered a data breach after its employees fell victim to a spear phishing attack.
*Updated with clarifications from ISC