Ukraine targeted by DDoS attacks from compromised WordPress sites

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning announcement regarding ongoing DDoS (Distributed Denial of Service) attacks targeting pro-Ukrainian sites and the government web portal.

Threat actors, who remain unknown at this time, compromise WordPress sites and inject malicious JavaScript code to perform the attacks.

These scripts are placed in the HTML structure of the main website files and are base64 encoded to evade detection.

The code runs on the website visitor’s computer and directs its available computational resources to generate an abnormal number of attack requests for objects (URLs) defined in the code.

[Image: Malicious JS code details (CERT-UA)]

The result is that some of the target websites are overwhelmed with requests and hence made inaccessible to their regular visitors.

All of this happens without the owners or visitors of the compromised sites ever noticing, with the possible exception of some barely noticeable performance issues for the latter.

Some of the targeted websites are:

  • kmu.gov.ua (Ukrainian government portal)
  • callrussia.org (raising awareness project in Russia)
  • gngforum.ge (not accessible)
  • secjuice.com (infosec tips for Ukrainians)
  • liqpay.ua (not accessible)
  • gfis.org.ge (not accessible)
  • playforukraine.org (game-based fundraiser)
  • war.ukraine.ua (news portal)
  • micro.com.ua (not accessible)
  • fightforua.org (international recruitment portal)
  • edmo.eu (news portal)
  • ntnu.no (site of the Norwegian university)
  • megmar.pl (Polish logistics company)

The above entities and sites have taken a strong stance in favor of Ukraine in the ongoing military conflict with Russia, so they were not randomly selected. Yet, not much is known about the origins of these attacks.

In March, a similar DDoS campaign was conducted using the same script but against a smaller set of pro-Ukrainian websites, as well as against Russian targets.

Detection and Response

CERT-UA is working closely with the National Bank of Ukraine to put in place defensive measures against this DDoS campaign.

The agency notified owners, registrars, and hosting service providers of compromised websites of the situation and provided instructions on how to detect and remove malicious JavaScript from their sites.

“To detect abnormal activity similar to that mentioned in the web server log files, you should pay attention to events with response code 404 and, if abnormal, correlate them with HTTP header values “Referer”, which will contain the address of the web resource originating a request”, advises the CERT-UA.

[Image: Sign of compromise in the logs (CERT-UA)]
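The log check CERT-UA describes above, written out as an added example (not CERT-UA's own tool and not code from the article): it parses web server access logs in the common "combined" format, counts 404 responses per Referer host, and flags hosts whose 404 volume crosses a threshold. The log lines and the referer domain are constructed placeholders, and the threshold is an assumed value that a site operator would tune to their own traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format; not real data.
# The referer host is an invented placeholder standing in for a compromised site.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2022:10:01:02 +0300] "GET /api/random-7f3a HTTP/1.1" 404 162 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.11 - - [28/Apr/2022:10:01:03 +0300] "GET /api/random-91c0 HTTP/1.1" 404 162 "https://compromised-blog.example/post/1" "Mozilla/5.0"
203.0.113.12 - - [28/Apr/2022:10:01:03 +0300] "GET /api/random-2b4e HTTP/1.1" 404 162 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.5 - - [28/Apr/2022:10:01:04 +0300] "GET /index.html HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.6 - - [28/Apr/2022:10:01:05 +0300] "GET /missing.png HTTP/1.1" 404 162 "https://www.google.com/" "Mozilla/5.0"
203.0.113.13 - - [28/Apr/2022:10:01:06 +0300] "GET /api/random-c0de HTTP/1.1" 404 162 "https://compromised-blog.example/about" "Mozilla/5.0"
"""

# Fields of the combined log format: client, ident, user, [time], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_404_stats(log_text):
    """Count 404 responses per Referer host, the correlation CERT-UA advises."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "404":
            continue
        host = urlsplit(rec["referer"]).netloc or "(no referer)"
        counts[host] += 1
    return counts


def suspicious_referers(log_text, threshold=3):
    """Referer hosts whose 404 count reaches the (assumed) threshold: candidate
    compromised sites whose injected script is sending visitors' requests here."""
    return {h: n for h, n in referer_404_stats(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for host, n in suspicious_referers(SAMPLE_LOG).items():
        print(f"{host}: {n} x 404")
```

Hosts this reports are the sites to notify (or to check for injected scripts, if they are your own), not the client IPs, which belong to unwitting visitors.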

Currently, at least 36 confirmed websites route malicious requests to the target URLs, but this list may change or be updated at any time.

For this reason, CERT-UA has included a detection tool in the report to help all website administrators analyze their sites now and in the future.

Additionally, it is important to keep your site’s content management system (CMS) up to date, use the latest available version of all active plugins, and restrict access to website management pages.