Ukraine’s computer emergency response team (CERT-UA) has published an announcement warning of ongoing DDoS (distributed denial of service) attacks targeting pro-Ukraine sites and the government web portal.
The threat actors, who at this time remain unknown, are compromising WordPress sites and injecting malicious JavaScript code to perform the attacks.
These scripts are placed in the HTML structure of the main files of the website and are base64-encoded to evade detection.
The code runs on the website visitor’s computer and directs their available computational resources to generate an abnormal number of requests to attack objects (URLs) defined in the code.
The result is that some of the target websites are overwhelmed by the requests and, as a result, rendered inaccessible to their regular visitors.
This all happens without the owners or the visitors of the compromised sites ever realizing it, except for maybe some barely noticeable performance hiccups for the latter.
Some of the targeted websites are:
kmu.gov.ua (Ukrainian government portal)
callrussia.org (project to raise awareness in Russia)
gngforum.ge (inaccessible)
secjuice.com (infosec advice for Ukrainians)
liqpay.ua (inaccessible)
gfis.org.ge (inaccessible)
playforukraine.org (play-based fundraiser)
war.ukraine.ua (news portal)
micro.com.ua (inaccessible)
fightforua.org (international enlistment portal)
edmo.eu (news portal)
ntnu.no (Norwegian university site)
megmar.pl (Polish logistics firm)
The above entities and sites have taken a strong stance in favor of Ukraine in the ongoing military conflict with Russia, so they were not selected randomly. Still, not much is known about the origins of these attacks.
In March, a similar DDoS campaign was conducted using the same script but against a smaller set of pro-Ukrainian websites, as well as against Russian targets.
Detection and response
The CERT-UA is working closely with the National Bank of Ukraine to implement defensive measures against this DDoS campaign.
The agency has informed the owners, registrars, and hosting service providers of the compromised websites of the situation and has provided instructions on how to detect and remove the malicious JavaScript from their sites.
“To detect similar to the mentioned abnormal activity in the log files of the web server, you should pay attention to the events with the response code 404 and, if they are abnormal, correlate them with the values of the HTTP header “Referer”, which will contain the address of the web resource initiated a request,” advises CERT-UA.
At this time, at least 36 confirmed websites are channeling malicious garbage requests to the target URLs, but this list could change or be refreshed at any time.
For this reason, CERT-UA has included a detection tool in the report to help all website administrators scan their sites now and in the future.
Additionally, it’s important to keep your site’s content management systems (CMS) up to date, use the latest available version of any active plugins, and restrict access to the website management pages.