Hacked WordPress sites used to DDoS Ukrainian targets

(Image credit: Shutterstock / Aleksandra Gigowska)

The national Computer Emergency Response Team for Ukraine, CERT-UA, has warned of an ongoing distributed denial of service (DDoS) attack against.

As BleepingComputer reports, unknown threat actors are conducting the raid with the help of WordPress sites infected with malicious JavaScript code.

The scripts are injected into the HTML structure of the site’s main files, and are encoded with base64 encryption to remain out of sight. Therefore, whenever someone visits the site, their extra computing power is used to create a large number of requests against target URLs.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Political connotations 

In effect, the website visitors are the bots flooding Ukrainian sites with too much traffic for the servers to handle, resulting in the denial of service.

The worst part is, apart from a barely noticeable performance issue on the visitor’s endpoint, the attack is almost impossible to spot. 

Some of the websites targeted include: 

  • kmu.gov.ua 
  • callrussia.org 
  • gngforum.ge 
  • secjuice.com 
  • liqpay.ua 
  • gfis.org.ge 
  • playforukraine.org 
  • war.ukraine.ua 
  • micro.com.ua 
  • fightforua.org
  • edmo.eu 
  • ntnu.no 
  • megmar.pl

Allegedly, these websites have “taken a strong stance in favor of Ukraine” in the ongoing war with Russia, which is why they were targeted. 

Besides issuing the warning, CERT-UA has also instructed compromised websites on how to detect, and remove, the malicious JavaScript code from their premises.

"To detect similar to the mentioned abnormal activity in the log files of the web server, you should pay attention to the events with the response code 404 and, if they are abnormal, correlate them with the values of the HTTP header 'Referer', which will contain the address of the web resource initiated a request," CERT-UA said.

At press time, there were 36 websites confirmed to be carrying the malicious code.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.