DDoS Attacks From Hacked WordPress Sites Have Been Directed Against Ukraine


Ukraine’s computer emergency response team (CERT-UA) has issued an alert on ongoing DDoS (distributed denial of service) attacks aimed at pro-Ukraine websites and the government’s website.

The threat actors, who are still unknown, are compromising WordPress sites and injecting malicious JavaScript code to carry out the attacks.

To avoid detection, these scripts are placed in the HTML structure of the website’s primary files and are base64-encoded.

The code runs on the computer of the website visitor, using its available computational resources to generate an abnormal number of requests to the targets (URLs) defined in the code.

As a result, several of the target websites get overburdened with requests and become unreachable to their regular visitors.

All of this occurs without the owners or visitors of the hijacked sites ever noticing it, with the exception of a few minor performance glitches for the latter.

The following are some of the websites that have been targeted:

  • kmu.gov.ua (Ukrainian government portal)
  • callrussia.org (project to raise awareness in Russia)
  • gngforum.ge (inaccessible)
  • www.secretjuice.com (infosec advice for Ukrainians)
  • liqpay.ua (inaccessible)
  • gfis.org.ge (inaccessible)
  • playforukraine.org (fundraiser based on a play)
  • war.ukraine.ua (news portal)
  • micro.com.ua (inaccessible)
  • fightforua.org (international enlistment portal)
  • edmo.eu (news portal)
  • ntnu.no (Norwegian university site)
  • www.megmar.pl (Polish logistics firm)

The aforementioned organizations and websites have taken a strong stance in support of Ukraine in the ongoing armed war with Russia, so they were not chosen at random. The roots of these attacks are still mostly unknown.

A similar DDoS campaign was launched in March using the same software, but it targeted a smaller number of pro-Ukraine websites as well as Russian targets.

Detection and response to the DDoS attack

CERT-UA is collaborating with the National Bank of Ukraine to put defensive measures in place in response to the DDoS attack.

The agency has notified the owners, registrars, and hosting service providers of the affected websites, and has provided advice on how to identify and remove the malicious JavaScript from their sites.

“To detect similar abnormal activity in the web server log files,” advises CERT-UA, “pay attention to events with the response code 404 and, if they are abnormal, correlate them with the values of the HTTP header ‘Referrer,’ which will contain the address of the web resource that initiated a request.”
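CERT-UA's log advice applied to an access log, as an added example (it is not CERT-UA's detection tool and not code from the original article): it counts 404 responses per external Referer host and the distinct client IPs behind them. The Apache/nginx combined log format, the `min_hits` threshold, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def referers_behind_404s(lines, own_hosts, min_hits=3):
    """Return [(referer_host, count_404, distinct_client_ips)], busiest first,
    for external referers responsible for at least min_hits 404 responses."""
    hits = Counter()
    clients = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue  # unparsable line, or not a 404
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # no referer ("-"), or a broken link on our own site
        hits[host] += 1
        clients.setdefault(host, set()).add(m["ip"])
    return [(h, n, len(clients[h])) for h, n in hits.most_common() if n >= min_hits]

# Constructed sample log: reserved example domains and documentation IP ranges.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /x7k2q HTTP/1.1" 404 153 "https://blog.example.net/" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /p0d9a HTTP/1.1" 404 153 "https://blog.example.net/post/1" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /m3r8z HTTP/1.1" 404 153 "https://blog.example.net/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /q1w2e HTTP/1.1" 404 153 "https://blog.example.net/" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /z9y8x HTTP/1.1" 404 153 "https://blog.example.net/about" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /favicon.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /old.html HTTP/1.1" 404 153 "https://www.example.org/old-page" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:06 +0000] "GET /moved HTTP/1.1" 404 153 "https://other.example.com/links" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2024:10:00:07 +0000] "GET / HTTP/1.1" 200 5120 "https://blog.example.net/" "Mozilla/5.0"
'''.splitlines()

if __name__ == "__main__":
    for host, count, ips in referers_behind_404s(SAMPLE_LOG, {"www.example.org"}):
        print(f"{host}: {count} x 404 from {ips} distinct clients")
```

Many distinct clients sharing one external referrer is the pattern to look at, since the requests come from the browsers of that site's visitors rather than from a single machine.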

At the moment, at least 36 websites have been confirmed to be sending malicious garbage requests to the target URLs, although this list could change or be updated at any time.

As a result, CERT-UA has included in the report a detection tool to assist all website administrators in scanning their sites now and in the future.

It’s also critical to keep your website’s content management systems (CMS) up to date, to utilize the most recent version of any active plugins, and to limit access to the website administrative pages.
