Ukraine’s computer emergency response team (CERT-UA) has issued an alert on ongoing DDoS (distributed denial of service) attacks aimed at pro-Ukraine websites and the government’s portal. The threat actors are hacking WordPress sites and inserting malicious JavaScript code to carry out cyberattacks, which are still unknown.
These scripts are included in the HTML structure of the website’s primary files and base64-encoded to avoid detection. The code is executed on the website visitor’s device, directing their available computing capabilities to make an unusual number of requests to target the code’s declared objects (URLs). As a result, several target websites get overburdened with requests and become unreachable to their regular users.
All of this occurs without the owners or visitors of the hijacked sites ever noticing it, except for a few minor performance glitches for the latter. The following are some of the websites that have been targeted:
- kmu.gov.ua (Ukrainian government portal)
- edmo.eu (news portal)
- gngforum.ge (inaccessible)
- secjuice.com (infosec advice for Ukrainians)
- callrussia.org (project to raise awareness in Russia)
- liqpay.ua (inaccessible)
- gfis.org.ge (inaccessible)
- fightforua.org (international enlistment portal)
- war.ukraine.ua (news portal)
- playforukraine.org (play-based fundraiser)
- micro.com.ua (inaccessible)
- megmar.pl (Polish logistics firm)
- ntnu.no (Norwegian university site)
The above organizations and websites have taken a strong stance in support of Ukraine in the ongoing armed war with Russia, so their inclusion was not chosen at random. The roots of these attacks are still mostly unknown. A similar DDoS effort was launched in March, although this time targeted a smaller number of pro-Ukraine websites and Russian targets, using the same code.
The CERT-UA collaborates with the National Bank of Ukraine to put defensive measures in place in response to the DDoS attack. The agency has notified the owners, registrars, and hosting service providers of the affected websites, as well as provided advice on how to identify and remove the harmful JavaScript from their websites.
“To detect similar to the mentioned abnormal activity in the log files of the web server, you should pay attention to the events with the response code 404 and, if they are abnormal, correlate them with the values of the HTTP header “Referer”, which will contain the address of the web resource initiated a request,” advises CERT-UA.
At the moment, at least 36 websites have been proven to be sending malicious trash requests to the target URLs, although this list might alter or be renewed at any time. So, CERT-UA included a detection tool in the report to assist all website administrators in scanning their sites now and in the future. It’s also critical to keep the website’s content management systems (CMS) up to date, employ the most recent version of any active plugins, and limit access to its administrative pages.
