Attackers are compromising sites running WordPress in order to inject malicious scripts that use visitors’ browsers to carry out DDoS attacks on Ukrainian resources.
MalwareHunterTeam researchers discovered a hacked WordPress site that used such a script to attack ten sites, including the resources of Ukrainian government, scientific and financial organizations, as well as sites recruiting volunteers to the International Legion of Territorial Defense of Ukraine, etc.
After loading, the JavaScript forces the user’s browser to send HTTP GET requests to each site in the list, with no more than 1,000 simultaneous connections. This allows the scripts to carry out DDoS attacks without the site visitor knowing anything about it.
Each request to the attacked sites uses a random query string, so the request is not answered from the cache of a service like Cloudflare or Akamai and reaches the attacked server itself.
For example, the DDoS script generates requests like the following:
“GET /?17.650025158868488 HTTP/1.1”
“GET /?932.8529889504794 HTTP/1.1”
“GET /?71.59119445542395 HTTP/1.1”
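On the receiving side, this request shape is easy to pick out of an access log. The following is an added example, not code from the researchers or the original article: it flags GET requests whose query string is nothing but a decimal number and counts them per Referer, which points at the sites whose visitors are generating the traffic. It assumes a combined-format access log and that browsers send a Referer header; the log lines, addresses and domain names are constructed.

```python
import re
from collections import Counter

# Combined log format (assumed):
# ip - - [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)
# Root path with a query string that is only a decimal number,
# e.g. /?17.650025158868488 as in the requests quoted above.
CACHE_BUST_RE = re.compile(r'^/\?\d+\.\d+$')

# Constructed sample log (documentation IP ranges, example domains).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2022:10:00:01 +0000] "GET /?17.650025158868488 HTTP/1.1" 200 512 "https://blog.example/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2022:10:00:01 +0000] "GET /?932.8529889504794 HTTP/1.1" 200 512 "https://blog.example/" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2022:10:00:02 +0000] "GET /?71.59119445542395 HTTP/1.1" 200 512 "https://blog.example/" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2022:10:00:02 +0000] "GET /?5.123456789 HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2022:10:00:03 +0000] "GET /?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def is_cache_busting(method, target):
    """True for a GET whose target is '/?<digits>.<digits>'."""
    return method == "GET" and CACHE_BUST_RE.match(target) is not None


def suspicious_referers(log_text, threshold=2):
    """Count cache-busting requests per Referer; keep those at or above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cache_busting(m["method"], m["target"]):
            hits[m["referer"] or "-"] += 1
    return {ref: n for ref, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for ref, count in suspicious_referers(SAMPLE_LOG).items():
        print(f"{count:5d}  {ref}")
```

The Referer values that surface this way can be used for rate limiting or blocking at the edge and for notifying the owners of the affected sites.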
According to developer Andrey Savchenko, attackers hacked hundreds of WordPress sites to carry out these attacks.
“There are about a hundred of them. All (hacked – ed.) through vulnerabilities in WP. Unfortunately, many providers/owners do not react in any way,” Savchenko reported.