DDoS

Hackers are compromising WordPress sites to insert a malicious script that uses visitors' browsers to perform distributed denial-of-service attacks on Ukrainian websites.

Today, MalwareHunterTeam discovered a WordPress site compromised to use this script, targeting ten websites with Distributed Denial of Service (DDoS) attacks.

These websites include Ukrainian government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, financial sites, and other pro-Ukrainian sites.

The complete list of targeted websites is below:


When loaded, the JavaScript will force the visitor's browser to perform HTTP GET requests to each of the listed sites, with no more than 1,000 concurrent connections at a time.

The DDoS attacks will occur in the background without the user knowing it's happening, other than a slowdown of their browser.

This allows the scripts to perform the DDoS attacks while the visitor is unaware that their browser has been co-opted for an attack.

Each request to the targeted websites will utilize a random query string so that the request is not served through a caching service, such as Cloudflare or Akamai, and is directly received by the server being attacked.

For example, the DDoS script will generate requests like the following in a web server's access logs:

"GET /?17.650025158868488 HTTP/1.1"
"GET /?932.8529889504794 HTTP/1.1"
"GET /?71.59119445542395 HTTP/1.1"
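
A defender-side check for this log pattern, as an added example that is not part of the original article: it scans combined-format access log lines for GET requests whose entire query string is a bare decimal number and tallies them per client IP and per Referer. The sample log lines, IP addresses, hostnames and the `min_hits` threshold are constructed assumptions, and the Referer header may be missing depending on the browser's referrer policy.

```python
import re
from collections import Counter

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" \d{3} \S+(?: "([^"]*)")?')
# GET on any path whose whole query string is one bare decimal number,
# matching the shape of the requests quoted above.
BARE_FLOAT = re.compile(r'^GET [^ ?]*\?\d+\.\d+ HTTP/\d(?:\.\d)?$')

# Constructed sample lines (documentation IP ranges, .example hostnames).
SAMPLE = [
    '203.0.113.7 - - [28/Mar/2022:10:00:01 +0000] "GET /?17.650025158868488 HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2022:10:00:01 +0000] "GET /?932.8529889504794 HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2022:10:00:02 +0000] "GET /?71.59119445542395 HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"',
    '198.51.100.20 - - [28/Mar/2022:10:00:02 +0000] "GET /?page=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [28/Mar/2022:10:00:03 +0000] "GET /?v=1.2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.44 - - [28/Mar/2022:10:00:03 +0000] "GET /?404.1187263549812 HTTP/1.1" 200 5120 "https://compromised-blog.example/" "Mozilla/5.0"',
]


def scan(lines, min_hits=3):
    """Count bare-decimal cache-busting GETs per client and per Referer.

    Returns (clients, referers): clients maps IP -> hit count for IPs with at
    least min_hits matching requests; referers counts the Referer of every
    matching request, which can point at the site serving the script.
    """
    hits, referers = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or not BARE_FLOAT.match(m.group(2)):
            continue  # unparseable line, or an ordinary request
        hits[m.group(1)] += 1
        referers[m.group(3) or "-"] += 1
    clients = {ip: n for ip, n in hits.items() if n >= min_hits}
    return clients, referers


if __name__ == "__main__":
    clients, referers = scan(SAMPLE)
    print("clients over threshold:", clients)
    print("top referers:", referers.most_common(5))
```

Grouping by Referer rather than only by client IP matters here because the requests come from many unrelated visitors' browsers, so individual IPs may each stay under a per-client threshold.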

BleepingComputer has only been able to find a few sites infected with this DDoS script. However, developer Andrii Savchenko states that hundreds of WordPress sites are compromised to conduct these attacks.

"There's about hundred of them actually. All through the WP vulns. Unfortunately, many providers/owners doesn't react," tweeted Savchenko.

Avast also saw the same script on compromised websites as far back as March 7th.

When researching the script to find other infected sites, BleepingComputer discovered that the same script, which was shared on GitHub, is being used by the pro-Ukrainian site, https://stop-russian-desinformation.near.page. However, this website is used to conduct attacks on Russian targets.

When visiting the site, users' browsers are used to conduct DDoS attacks on 67 Russian websites.

While this site clarifies that it will use visitors' browsers to conduct DDoS attacks against Russian websites, the compromised WordPress sites use the scripts without the website owners' or their visitors' knowledge.
