Hacked WordPress Sites Force Visitors to DDoS Ukrainian Targets
Hackers are compromising WordPress sites to insert a malicious script that uses visitors’ browsers to perform distributed denial-of-service attacks on Ukrainian websites.
Today, MalwareHunterTeam discovered a WordPress site compromised to use this script, targeting ten websites with Distributed Denial of Service (DDoS) attacks.
These websites include Ukrainian government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, financial sites, and other pro-Ukrainian sites.
The complete list of targeted websites is below:
https://stop-russian-desinformation.near.page
https://gfsis.org/
http://18.104.22.168/
http://22.214.171.124/
https://kordon.io/
https://war.ukraine.ua/
https://www.fightforua.org/
https://bank.gov.ua/
https://liqpay.ua
https://edmo.eu
The DDoS attacks run in the background, so the only sign a visitor will notice is that their browser slows down. This lets the script keep attacking for as long as the page stays open, while the visitor remains unaware that their browser has been co-opted.
Each request to the targeted websites will utilize a random query string so that the request is not served through a caching service, such as Cloudflare or Akamai, and is directly received by the server being attacked.
For example, the DDoS script will generate requests like the following in a web server’s access logs:
"GET /?17.650025158868488 HTTP/1.1"
"GET /?932.8529889504794 HTTP/1.1"
"GET /?71.59119445542395 HTTP/1.1"
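For an operator of one of the targeted sites, the cache-busting pattern above is also the detection signal: a burst of GET requests to "/" whose whole query string is a random decimal number. The following is an added example, not code from the article or from any of the parties it names. It parses constructed access-log lines in the common Apache/nginx "combined" format, flags the random-query hits, and groups them by client address and Referer; the assumption here is that the browser sends a Referer (with the default referrer policy of current browsers, a cross-origin request carries the origin of the page that launched it), so the Referer identifies the compromised site that should be notified. The log lines, hostnames, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A request to the root whose entire query string is one random decimal number,
# matching the samples the article quotes from the DDoS script.
RANDOM_QS_RE = re.compile(r'^/\?\d+\.\d+$')

# Constructed sample log: three cache-busting hits from one client referred by a
# (hypothetical) compromised blog, plus two ordinary requests from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:14:05:01 +0000] "GET /?17.650025158868488 HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:14:05:02 +0000] "GET /?932.8529889504794 HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:14:05:02 +0000] "GET /?71.59119445542395 HTTP/1.1" 200 512 "https://compromised-blog.example/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2022:14:05:03 +0000] "GET /news/2022/03 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2022:14:05:04 +0000] "GET /?utm_source=newsletter HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return entry


def is_cache_bust_hit(entry):
    """True for a GET to the root with a purely numeric random query string."""
    return entry['method'] == 'GET' and RANDOM_QS_RE.match(entry['path']) is not None


def summarize(lines, window_seconds=60, threshold=3):
    """Return {(client ip, referer): peak hits} for sources whose cache-busting
    requests reach `threshold` within any `window_seconds` span."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_cache_bust_hit(entry):
            hits[(entry['ip'], entry['referer'])].append(entry['ts'])

    flagged = {}
    for key, stamps in hits.items():
        stamps.sort()
        peak, start = 0, 0
        for i, ts in enumerate(stamps):
            # Slide the window start forward until it fits within window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def suspected_sources(flagged):
    """Referers seen on flagged traffic: the sites whose pages launched the requests."""
    return sorted({referer for (_ip, referer) in flagged if referer not in ('', '-')})


if __name__ == '__main__':
    flagged = summarize(SAMPLE_LOG)
    for (ip, referer), peak in flagged.items():
        print(f'{ip} via {referer}: {peak} cache-busting hits in window')
    print('notify:', suspected_sources(flagged))
```

The grouping by Referer is what turns a rate-limit signal into an actionable one: blocking the client addresses only shifts the load, whereas the Referer names the compromised WordPress site whose owner can remove the injected script. A server-side rule that rejects or rate-limits root requests with a purely numeric query string would stop these requests from reaching the application at all, without affecting legitimate query strings.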
BleepingComputer has only been able to find a few sites infected with this DDoS script. However, developer Andrii Savchenko states that hundreds of WordPress sites are compromised to conduct these attacks.
“There’s about a hundred of them actually. All through the WP vulns. Unfortunately, many providers/owners don’t react,” tweeted Savchenko.
When researching the script to find other infected sites, BleepingComputer discovered that the same script is being used by the pro-Ukrainian site, https://stop-russian-desinformation.near.page, which is used to conduct attacks on Russian websites.
When visiting the site, users’ browsers are used to conduct DDoS attacks on 67 Russian websites.
While this site clarifies that it will use visitors’ browsers to conduct DDoS attacks against Russian websites, the compromised WordPress sites use the scripts without the website owners’ or their visitors’ knowledge.
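Since the compromised WordPress sites serve the script without their owners' knowledge, the check an owner wants is an inventory of every script a page loads, compared against the hosts the site is known to use. The following is an added example, not code from the article or from any project it mentions. It parses a constructed WordPress page with Python's standard HTML parser, lists external script sources whose host is neither the site itself nor on an allowlist, and flags inline scripts that combine an HTTP-request API with random values, the pattern the article describes. The page content, hostnames and the inline heuristic are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic for inline scripts: a request API used together with Math.random,
# which is how a script would produce the random query strings the article
# quotes. This is an assumed pattern for the example, not a signature.
INLINE_SUSPECT_RE = re.compile(
    r'(?=.*(?:fetch\(|XMLHttpRequest|new Image\())(?=.*Math\.random)', re.S
)

# Constructed sample page: the site's own jQuery, an allowlisted font loader, a
# benign inline WordPress emoji setting, and one script from an unexpected host.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://my-blog.example/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://fonts.googleapis.com/loader.js"></script>
<script>window._wpemojiSettings = {"baseUrl":"https://s.w.org/images/core/emoji/"};</script>
<script src="https://static-assets.unknown-host.example/counter.js"></script>
<script src="/wp-content/themes/example/assets/theme.js"></script>
</head><body>Hello</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects <script src> targets and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            src = dict(attrs).get('src')
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == 'script' and self._in_script:
            self._in_script = False
            self.inline.append(''.join(self._buf).strip())


def audit_page(html, site_host, allowed_hosts=frozenset()):
    """Return (kind, detail) findings: external scripts from unexpected hosts and
    inline scripts matching the request-plus-random heuristic."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # Relative URLs have no netloc and are served by the site itself.
        if host and host != site_host.lower() and host not in allowed_hosts:
            findings.append(('external-script', src))
    for body in collector.inline:
        if INLINE_SUSPECT_RE.search(body):
            findings.append(('inline-script', body[:80]))
    return findings


if __name__ == '__main__':
    for kind, detail in audit_page(SAMPLE_HTML, 'my-blog.example', {'fonts.googleapis.com'}):
        print(f'{kind}: {detail}')
```

Run against the live HTML of a site's front page (for example the body returned by urllib), the output is the list of script origins to explain or remove; an unexplained entry is the cue to check the active theme's files, installed plugins and the wp_options table, which is where injected loaders usually live. Keeping WordPress core, themes and plugins patched addresses the "WP vulns" Savchenko refers to as the way in.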