Hackers are infecting WordPress sites with malicious scripts that leverage users’ browsers to launch distributed denial-of-service attacks against Ukrainian websites. MalwareHunterTeam recently identified a WordPress site that had been hacked to employ this script. It was used to launch DDoS attacks on 10 different websites.
The targets include websites of Ukrainian government institutions, think tanks, recruiting sites for the International Legion of Defense of Ukraine, banking sites, and other pro-Ukraine websites. The following websites have been targeted:
Every request to the targeted sites will include a random query string, ensuring that the request is not cached by a caching provider like Cloudflare or Akamai and is delivered straight to the server under attack. For instance, the DDoS script will create requests like these in the access logs of a web server:
· “GET /?17.650025158868488 HTTP/1.1”
· “GET /?932.8529889504794 HTTP/1.1”
· “GET /?71.59119445542395 HTTP/1.1”
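A defender can look for this pattern in their own access logs. The following is an added example, not code from the original report: it flags bursts of requests whose entire query string is a bare decimal number. The Combined Log Format layout, the sample lines, and the `min_requests` threshold are assumptions made for the illustration.

```python
import re
from collections import Counter

# Assumed layout (Combined Log Format): ip - - [time] "METHOD target PROTO" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Query string that is nothing but a decimal number, e.g. /?17.650025158868488
BUSTER_RE = re.compile(r'^(?P<path>/[^?]*)\?\d+\.\d+$')

def find_cache_busters(lines):
    """Return (client_ip, minute, path) for each request matching the pattern."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        q = BUSTER_RE.match(m["target"])
        if q:
            # "10/Mar/2022:13:55:01 +0000"[:17] -> "10/Mar/2022:13:55"
            hits.append((m["ip"], m["ts"][:17], q["path"]))
    return hits

def flag_bursts(lines, min_requests=3):
    """Map (minute, path) -> (request count, distinct client IPs) for busy buckets."""
    counts, clients = Counter(), {}
    for ip, minute, path in find_cache_busters(lines):
        key = (minute, path)
        counts[key] += 1
        clients.setdefault(key, set()).add(ip)
    return {k: (n, len(clients[k])) for k, n in counts.items() if n >= min_requests}

# Constructed sample lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2022:13:55:01 +0000] "GET /?17.650025158868488 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2022:13:55:02 +0000] "GET /?932.8529889504794 HTTP/1.1" 200 5120',
    '203.0.113.44 - - [10/Mar/2022:13:55:03 +0000] "GET /?71.59119445542395 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Mar/2022:13:55:04 +0000] "GET /?page=2 HTTP/1.1" 200 812',
    '192.0.2.99 - - [10/Mar/2022:13:55:05 +0000] "GET /style.css?v=1.2 HTTP/1.1" 200 300',
    '198.51.100.7 - - [10/Mar/2022:13:56:00 +0000] "GET /?5.25 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for (minute, path), (n, ips) in flag_bursts(SAMPLE_LOG).items():
        print(f"{minute} {path}: {n} numeric-query requests from {ips} client IPs")
```

Because the requests come from many visitors' browsers, the distinct-IP count per bucket is reported alongside the request count; a high value for both is the signal, and the threshold should be tuned to the site's normal traffic.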
Security experts could find only a few websites infected by this DDoS script. But the developer Andrii Savchenko disclosed that hundreds of WordPress sites had been hijacked to carry out these attacks. “There’s about hundred of them actually. All through the WP vulns. Unfortunately, many providers/owners doesn’t react,” tweeted Savchenko.
A search for more infected sites using the script found that the same script is employed by a pro-Ukrainian website, https://stop-russian-desinformation.near.page, which launches attacks against Russian websites. When users visit the site, their browsers are used to launch DDoS attacks against 67 Russian websites.
While this site states that it would exploit users’ browsers to launch DDoS attacks on Russian websites, on the hacked WordPress sites the scripts are used without the knowledge of the website owners or visitors.