Hacked WordPress sites used to DDoS Ukrainian targets

The National Computer Emergency Response Team for Ukraine, CERT-UA, has warned of an ongoing Distributed Denial of Service (DDoS) attack.

As BleepingComputer reports, unknown threat actors are carrying out the attack with the help of WordPress sites infected with malicious JavaScript code.

The scripts are injected into the HTML structure of the sites' main files and are base64-encoded to stay out of sight. Each time a person visits an infected site, their computer's resources are used to generate a large number of requests to the target URLs.

Political overtones

In effect, the website visitors become the bots that flood the Ukrainian sites with more traffic than their servers can handle, resulting in a denial of service.

What’s worse is that, aside from a barely noticeable performance issue on the visitor's endpoint, the attack is nearly impossible to spot.

Some of the targeted websites include:

  • kmu.gov.ua
  • callrussia.org
  • gngforum.ge
  • secjuice.com
  • liqpay.ua
  • gfis.org.ge
  • playforukraine.org
  • war.ukraine.ua
  • micro.com.ua
  • combatforua.org
  • edmo.eu
  • ntnu.no
  • megmar.pl

Apparently, these websites have “taken a strong stance in favor of Ukraine” in the ongoing war with Russia, which is why they have been targeted.

Besides issuing the warning, CERT-UA also instructed the operators of compromised websites on how to detect and remove the malicious JavaScript code from their sites.

“To detect abnormal activity similar to that mentioned in the web server log files, you should pay attention to events with response code 404 and, if abnormal, correlate them with HTTP header values ‘Referer’, which will contain the address of the web resource originating a request,” CERT-UA said.
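One way to apply this advice to a web server access log, as an added example (not code from CERT-UA or the original report): it assumes the combined log format and groups 404 responses by the host named in the Referer header. The function name, thresholds, host names and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log (documentation IP ranges and .example hosts, not real data).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /k3j9 HTTP/1.1" 404 153 "https://blog-one.example/post/1" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /p0q2 HTTP/1.1" 404 153 "https://blog-one.example/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /z8w1 HTTP/1.1" 404 153 "https://blog-one.example/about" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /m4n5 HTTP/1.1" 404 153 "https://blog-one.example/about" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /old-page HTTP/1.1" 404 153 "https://target.example/index" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /typo HTTP/1.1" 404 153 "https://forum.example/t/9" "Mozilla/5.0"
""".splitlines()

def referers_behind_404s(lines, own_hosts=(), min_hits=3, min_clients=2):
    """Map each external Referer host to (404 count, distinct client IPs),
    keeping only hosts that reach both thresholds. own_hosts (lowercase) are
    skipped so broken internal links are not reported."""
    hits, clients = Counter(), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "404":
            continue
        try:
            host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        except ValueError:                          # malformed Referer value
            continue
        if host is None or host in own_hosts:
            continue
        hits[host] += 1
        clients[host].add(m["ip"])
    return {h: (n, len(clients[h])) for h, n in hits.most_common()
            if n >= min_hits and len(clients[h]) >= min_clients}

if __name__ == "__main__":
    found = referers_behind_404s(SAMPLE_LOG, own_hosts={"target.example"})
    for host, (n, c) in found.items():
        print(f"{host}: {n} 404s from {c} clients")
```

A referring host that appears here is a candidate for closer review, not proof of compromise; a single mistyped external link can also produce 404s, which is why the thresholds require several hits from more than one client.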

At press time, there were 36 websites confirmed to carry the malicious code.

Via BleepingComputer
