Ongoing DDoS attacks from compromised sites hit Ukraine

Ukraine CERT-UA warns of ongoing DDoS attacks targeting pro-Ukraine sites and the government web portal.

Ukraine ‘s computer emergency response team (CERT-UA) announced that it is investigating, along with the National Bank of Ukraine (CSIRT-NBU), ongoing DDoS (distributed denial of service) attacks targeting pro-Ukraine sites and the government web portal.

The attacks originated from compromised websites, most of them use the WordPress CMS. Threat actors planted a malicious JavaScript code, tracked as BrownFlood, in the web pages of the sites to generate the malicious traffic to a list of static URLs included in the JavaScript code.

The attackers placed the scripts in the HTML structure of the main files (HTML, JavaScript, etc.) of the compromised website, the scripts are also encoded in base64 to avoid detection.

“The government team for responding to computer emergencies in Ukraine CERT-UA in close cooperation with the National Bank of Ukraine (CSIRT-NBU) has taken measures to investigate DDoS attacks, for which attackers place malicious JavaScript code (BrownFlood) in the structure of the web pages and files of compromised websites (mostly under WordPress), as a result of which the computing resources of computers of visitors to such websites are used to generate an abnormal number of requests to attack objects, URLs of which are statically defined in malicious JavaScript. code.” reads the advisory of the Ukraine CERT-UA.

Owners of the websites should detect the abnormal activity by inspecting the log files of the webserver, looking at events with the response code 404 and correlating them with the values ​​of the HTTP header “Referer”, which will contain the address of the web resource initiated a request. 

The alert includes the list of targeted websites and Yara rules for the detection of these attacks.

The CERT-UA notified organizations behind compromised websites, their registrars, and hosting providers. The Ukrainian agency did not attribute the attack to certain threat actors, however, experts believe that they are likely politically motivated.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

[adrotate banner=”5″]

[adrotate banner=”13″]