The Internet Systems Consortium (ISC) website – a WordPress site – was quickly taken down last week after researchers at Cyphort Labs notified the open source software provider that its main page had been modified and was ultimately redirecting visitors to the Angler Exploit Kit.
In a Monday email correspondence, Victoria Risk, director of marketing at ISC, told SCMagazine.com that ISC is not certain how its website was compromised, but the organization suspects it was through a vulnerable plugin – possibly the Slider Revolution plugin, which was being exploited recently in what is referred to as the ‘SoakSoak‘ attacks.
“We of course read up on WordPress vulnerabilities, and read about the [SoakSoak] problem that Sucuri had published,” Risk said. “We had already removed and deleted the supposed bad plug-in by the time this Angler Exploit infection was discovered, but it is possible that the earlier compromised plug-in had already installed a back-door by the time we removed it.”
ISC does not believe it was targeted specifically, according to Risk. She said that the organization is now redirecting visitors to other static servers where people can access all ISC resources, and she explained that ISC is rebuilding the entire website from scratch.
“We did a fresh install of WordPress, with tighter security settings,” Risk said. “An engineer is manually inspecting all our content for anything that should not be there. This is quite a time-consuming process, but we think it is the only way to ensure that there are no more backdoors or malicious files.”
Risk added, “Going forward, we will also have to devote more resources to maintaining WordPress, which is a burden for a small organization like ours. After we have had a chance to assess our options, we may migrate to a different platform.”
Cyphort Labs notified ISC of the issue on Dec. 22 and the following day ISC began taking steps to address the threat, according to a Tuesday post, which explains that researchers observed the Angler Exploit Kit targeting Internet Explorer, Flash and Silverlight vulnerabilities.
“If exploitation is successful, the exploit will continue to download and execute a malicious binary in-memory,” according to the post.
Risk said that only the ISC website was compromised and nothing more.
“All our releases remain cryptographically signed, and checksummed, and are actually distributed via ftp.isc.org, which is a completely different system [that] houses no dynamic content,” Risk said, going on to add, “The [threat] had no impact on our ftp server, our source code archives, our F-root server or any other ISC infrastructure.”
Cyphort Labs is still in the process of analyzing the threat, according to the post. A Cyphort Labs researcher was not available on Monday to provide additional information to SCMagazine.com.