The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning announcement regarding ongoing DDoS (Distributed Denial of Service) attacks targeting pro-Ukrainian sites and the government web portal.
The attackers place malicious scripts in the HTML structure of the compromised sites' main files, base64-encoded to evade detection.
The code runs on the computer of every visitor to a compromised site and uses that machine's available resources to generate an abnormal number of requests to the objects (URLs) listed in the code.
The result is that some of the target websites are overwhelmed with requests and hence made inaccessible to their regular visitors.
All of this happens without the owners or visitors of the compromised sites ever noticing, with the possible exception of some barely noticeable performance issues for the latter.
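As an added illustration of the check a site owner would run against the behaviour described above (this is not CERT-UA's detection tool, nor code from the report), the following Python script parses an HTML document, pulls out inline scripts, looks for long base64 runs inside them, decodes those that yield printable text, and lists any URLs the decoded text contains. The sample page, the injected snippet and every hostname in it are constructed for the demo.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# A run of 40+ base64 characters is long enough to hide a URL list; short tokens
# (hashes, nonces) are ignored to keep noise down.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class ScriptCollector(HTMLParser):
    """Collects the bodies of inline <script> elements and the src of external ones."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._buf = []
        self.inline_scripts = []
        self.external_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external_srcs.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script content over as raw data, so it lands here.
        if self._in_script:
            self._buf.append(data)


def decode_b64_tokens(text):
    """Return (token, decoded_text) pairs for base64 runs that decode to printable UTF-8."""
    found = []
    for m in B64_TOKEN.finditer(text):
        tok = m.group(0)
        try:
            raw = base64.b64decode(tok, validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError):
            continue
        printable = sum(c.isprintable() or c.isspace() for c in decoded)
        if decoded and printable / len(decoded) > 0.95:
            found.append((tok, decoded))
    return found


def scan_html(html):
    """Scan one HTML document and report inline scripts that carry decodable base64 text."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for i, body in enumerate(parser.inline_scripts):
        for _tok, decoded in decode_b64_tokens(body):
            findings.append({
                "script_index": i,
                "uses_atob": "atob(" in body,   # decoding at runtime is a strong hint
                "decoded": decoded,
                "urls": URL_RE.findall(decoded),
            })
    return findings


# Constructed sample: one benign inline script and one injected script whose only
# visible content is a base64 blob that is decoded at runtime. Hostnames are fictitious.
INJECTED_PAYLOAD = 'var targets=["https://target-a.example/api","https://target-b.example/search"];'
SAMPLE_HTML = f"""<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>eval(atob("{base64.b64encode(INJECTED_PAYLOAD.encode()).decode()}"));</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"inline script #{f['script_index']} atob={f['uses_atob']} urls={f['urls']}")
```

Run it over the files a CMS serves (theme templates, footer includes, cached pages) and review every hit by hand; a decoded blob that lists URLs the site has no business contacting is the indicator the report describes.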
Some of the targeted websites are:
- kmu.gov.ua (Ukrainian government portal)
- callrussia.org (raising awareness project in Russia)
- gngforum.ge (not accessible)
- secjuice.com (infosec tips for Ukrainians)
- liqpay.ua (not accessible)
- gfis.org.ge (not accessible)
- playforukraine.org (game-based fundraiser)
- war.ukraine.ua (news portal)
- micro.com.ua (not accessible)
- fightforua.org (international recruitment portal)
- edmo.eu (news portal)
- ntnu.no (site of the Norwegian university)
- megmar.pl (Polish logistics company)
The above entities and sites have taken a strong stance in favor of Ukraine in the ongoing military conflict with Russia, so they were not randomly selected. Yet, not much is known about the origins of these attacks.
In March, a similar DDoS campaign was conducted using the same script but against a smaller set of pro-Ukrainian websites, as well as against Russian targets.
Detection and Response
CERT-UA is working closely with the National Bank of Ukraine to put in place defensive measures against this DDoS campaign.
“To detect abnormal activity similar to that mentioned in the web server log files, you should pay attention to events with response code 404 and, if abnormal, correlate them with HTTP header values “Referer”, which will contain the address of the web resource originating a request”, advises the CERT-UA.
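The following Python script is an added example of the correlation CERT-UA recommends; it is not the detection tool from the report. It parses Apache/Nginx "combined" format access log lines, keeps the 404 responses, groups them by the host in the Referer header, ignores the site's own hostnames and empty referers, and returns the external referers that sent at least a threshold number of 404s. The log lines, IP addresses and hostnames are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format: the two quoted fields after the size are
# Referer and User-Agent, which is where the correlation happens.
COMBINED_LOG = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def referer_404_report(lines, own_hosts, min_hits=5):
    """Count 404 responses per external Referer host.

    Returns (total_404, suspects) where suspects is a list of (host, count) pairs,
    most frequent first, limited to hosts with at least min_hits 404s. Requests with
    no Referer or with a Referer on the site itself count toward total_404 but are
    never flagged, since ordinary broken links look like that.
    """
    counts = Counter()
    total_404 = 0
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["status"] != "404":
            continue
        total_404 += 1
        ref = rec["referer"]
        if ref in ("", "-"):
            continue
        host = urlsplit(ref).hostname
        if not host or host in own_hosts:
            continue
        counts[host] += 1
    suspects = [(h, c) for h, c in counts.most_common() if c >= min_hits]
    return total_404, suspects


def _log(ip, path, status, referer):
    # Builds one constructed combined-format line for the demo data below.
    return (f'{ip} - - [23/Apr/2022:10:00:01 +0000] "GET {path} HTTP/1.1" {status} 512 '
            f'"{referer}" "Mozilla/5.0"')


# Constructed sample: seven 404s referred by one external site, two direct 404s,
# one 404 referred from the site's own pages, and one 200 from the external site.
OWN_HOSTS = {"www.example-target.ua"}
SAMPLE_LOG = (
    [_log(f"203.0.113.{i}", f"/p{i}", 404, "https://compromised-blog.example/post/1")
     for i in range(1, 8)]
    + [_log("198.51.100.5", "/old-page", 404, "-"),
       _log("198.51.100.6", "/missing.png", 404, "-")]
    + [_log("198.51.100.7", "/typo", 404, "https://www.example-target.ua/news")]
    + [_log("203.0.113.9", "/", 200, "https://compromised-blog.example/post/1")]
)

if __name__ == "__main__":
    total, suspects = referer_404_report(SAMPLE_LOG, OWN_HOSTS)
    print(f"404 responses: {total}")
    for host, count in suspects:
        print(f"  {host}: {count} ({count / total:.0%} of all 404s)")
```

In production the threshold should be set from the site's normal 404 baseline rather than a fixed number, and the flagged hosts are the compromised sites to notify, not the attacker; blocking by Referer only trims the load, since the header can be absent or spoofed.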
Currently, at least 36 confirmed websites route malicious requests to the target URLs, but this list may change or be updated at any time.
For this reason, CERT-UA has included a detection tool in the report to help all website administrators analyze their sites now and in the future.
Additionally, it is important to keep your site's content management system (CMS) up to date, use the latest available version of all active plugins, and restrict access to website management pages.