
    Hacked WordPress Sites Direct Visitors to DDoS Ukrainian Targets

    Hackers are compromising WordPress sites to insert a malicious script that uses visitors' browsers to perform distributed denial-of-service attacks on Ukrainian websites.

    This week, MalwareHunterTeam discovered a WordPress site compromised to use this script, targeting ten websites with Distributed Denial of Service (DDoS) attacks.

    These websites include Ukrainian government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, financial sites, and other pro-Ukrainian sites.

    Analyst comments:
    The script is written in JavaScript. Once loaded, it forces the visitor’s browser to perform HTTP GET requests to each of the targeted websites, with no more than 1,000 concurrent connections at a time. The DDoS attacks occur in the background, and the only sign the visitor may notice is a slowdown in their browser, so the visitor remains unaware that their browser has been co-opted for an attack. What makes this script potent is that each request generated for the targeted websites uses a random query string. As a result, the request is not served from a caching service such as Cloudflare or Akamai but is received directly by the server being attacked. This takes a greater toll on the server’s resources and slows down the total load time for the targeted websites.
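
    For operators of a targeted site, the random query strings described above leave a recognizable pattern in access logs. The following detection sketch is an added example, not part of the original brief; it assumes combined-format access logs and that visitors' browsers send a Referer header, and the function name, thresholds and sample lines are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic (not from a real incident): six requests to "/"
# with never-repeated query strings, plus six ordinary repeated searches.
_TOKENS = ["a8f3k1", "zq92mx", "p0v7ru", "m3n4b5", "x1c2v3", "l9k8j7"]
SAMPLE_LOG = "\n".join(
    [f'203.0.113.{i} - - [01/Jan/2024:10:00:0{i} +0000] "GET /?{t} HTTP/1.1" 200 512 '
     f'"https://blog.example/" "Mozilla/5.0"' for i, t in enumerate(_TOKENS, 1)]
    + ['198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=news HTTP/1.1" '
       '200 900 "-" "Mozilla/5.0"'] * 6
)

# Combined log format: client, identity, user, [time], "request", status, size, "referer"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "GET (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def find_cache_busting(log_text, min_requests=5, min_unique_ratio=0.9):
    """Return {path: stats} for paths requested mostly with one-off query strings."""
    queries = defaultdict(list)   # path -> every query string seen
    referers = defaultdict(set)   # path -> hosts named in the Referer header
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip non-GET or malformed lines
        url = urlsplit(m.group("target"))
        if not url.query:
            continue              # no query string, so a cache can serve it
        queries[url.path].append(url.query)
        host = urlsplit(m.group("referer")).hostname
        if host:
            referers[url.path].add(host)
    flagged = {}
    for path, seen in queries.items():
        ratio = len(set(seen)) / len(seen)
        if len(seen) >= min_requests and ratio >= min_unique_ratio:
            # Referring hosts may point at the sites serving the injected script.
            flagged[path] = {"requests": len(seen), "unique_ratio": ratio,
                             "referers": sorted(referers[path])}
    return flagged

if __name__ == "__main__":
    for path, stats in find_cache_busting(SAMPLE_LOG).items():
        print(path, stats)
```

    Paths flagged this way are candidates for rate limiting or for a cache rule that ignores unknown query parameters, and the collected referring hosts give a list of sites whose owners can be notified.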

    Mitigation:
    Attackers are compromising these WordPress websites by exploiting unpatched vulnerabilities. Since WordPress doesn’t automatically install updates, it is the responsibility of website owners to consistently monitor for security updates and apply these patches in a timely manner. Many WordPress website owners forget to change the default settings after creating an account. For example, the administrator account for WordPress comes with the default “admin” username. If left unchanged, threat actors can easily brute-force their way in and take control of the websites under that account. Therefore, it is necessary for WordPress site owners to change any default settings and secure their accounts. This can be accomplished by implementing strong passwords and using two-factor authentication when possible.

    Source:
    https://www.bleepingcomputer.com/ne...tes-force-visitors-to-ddos-ukrainian-targets/
