Visitors to Compromised WordPress Sites Are Forced to DDoS Ukrainian Targets

Hackers are infecting WordPress sites with malicious scripts that leverage users’ browsers to launch distributed denial-of-service attacks against Ukrainian websites. MalwareHunterTeam recently identified a WordPress site that had been hacked to employ this script. It was used to launch DDoS attacks on 10 different websites.

The targets include websites of Ukrainian government institutions, think tanks, recruiting sites for the International Legion of Defense of Ukraine, banking sites, and other pro-Ukraine websites. The following websites have been targeted:

· https://stop-russian-desinformation.near.page

· http://93.79.82.132/

· https://gfsis.org/

· https://kordon.io/

· http://195.66.140.252/

· https://bank.gov.ua/

· https://war.ukraine.ua/

· https://www.fightforua.org/

· https://edmo.eu

· https://liqpay.ua

When the JavaScript is loaded, it forces the visitor’s browser to make HTTP GET requests to each of the listed sites, with no more than 1,000 simultaneous connections. The DDoS attacks run in the background, and the only sign the user may notice is a slowdown in their browser. This allows the scripts to launch DDoS attacks while the visitor is unaware that their browser has been hijacked.

Every request to the targeted sites includes a random query string, so that the request is not served from the cache of a caching provider such as Cloudflare or Akamai and instead reaches the server under attack directly. For instance, the DDoS script produces entries like these in a web server’s access logs:

· "GET /?17.650025158868488 HTTP/1.1"

· "GET /?932.8529889504794 HTTP/1.1"

· "GET /?71.59119445542395 HTTP/1.1"
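For operators of a site receiving this traffic, the log pattern above can be turned into a simple detection. The following is an added example, not code from the article or from the researchers it cites: it scans combined-format access logs for `GET /?<bare decimal>` requests and counts distinct values per client IP and per Referer. The log layout, the `min_hits` threshold, the sample IPs and the `blog.example` referer are assumptions, as is the presence of a Referer header naming the page that embeds the script.

```python
import re

# Combined log format. The query string must be nothing but a decimal number,
# as in the article's samples ("GET /?17.650025158868488 HTTP/1.1").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /\?(?P<q>\d{1,4}\.\d+) HTTP/[\d.]+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log (documentation IP ranges, hypothetical referer).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2022:10:00:01 +0000] "GET /?17.650025158868488 HTTP/1.1" 200 512 "https://blog.example/" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2022:10:00:01 +0000] "GET /?932.8529889504794 HTTP/1.1" 200 512 "https://blog.example/" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2022:10:00:02 +0000] "GET /?71.59119445542395 HTTP/1.1" 200 512 "https://blog.example/" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2022:10:00:02 +0000] "GET /?404.1234567890123 HTTP/1.1" 200 512 "https://blog.example/" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2022:10:00:03 +0000] "GET /?page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def find_cache_busting_floods(lines, min_hits=3):
    """Return (clients, referers): sources with >= min_hits distinct
    bare-number query strings. min_hits is an assumed tuning threshold."""
    per_ip, per_ref = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # normal traffic or a different log layout
        per_ip.setdefault(m["ip"], set()).add(m["q"])
        if m["referer"] not in ("", "-"):
            per_ref.setdefault(m["referer"], set()).add(m["q"])
    clients = {k: len(v) for k, v in per_ip.items() if len(v) >= min_hits}
    referers = {k: len(v) for k, v in per_ref.items() if len(v) >= min_hits}
    return clients, referers


if __name__ == "__main__":
    clients, referers = find_cache_busting_floods(SAMPLE_LOG.splitlines())
    print("clients sending random-query GETs:", clients)
    print("referring pages driving the traffic:", referers)
```

Grouping by Referer matters because each visitor contributes only a share of the requests: a page that shows up across many client IPs is a candidate for an abuse report to its owner or hosting provider.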

Security experts could find only a few websites infected by this DDoS script. But the developer Andrii Savchenko disclosed that hundreds of WordPress sites had been hijacked to carry out these attacks. “There’s about hundred of them actually. All through the WP vulns. Unfortunately, many providers/owners doesn’t react,” tweeted Savchenko.

When looking for more infected sites using the script, it was discovered that the same script is employed by a pro-Ukrainian website, https://stop-russian-desinformation.near.page, which launches attacks against Russian websites. Users’ browsers are exploited to launch DDoS attacks against 67 Russian websites when they visit the site.

While this site states that it will use visitors’ browsers to launch DDoS attacks on Russian websites, the compromised WordPress sites run the scripts without the knowledge of the website owners or visitors.

About the author

CIM Team
