According to Wordfence, a security firm that protects over 8300 WordPress sites in Ukraine, the websites of at least 30 Ukrainian universities have been compromised by a threat actor expressing support for Russia, as vulnerability exploit attempts surged during the invasion.
Wordfence also protects the websites of private businesses and the government, military and police. This has generated useful intelligence on the scale of the attack campaign, which spiked on 25th February 2022 as the Russian invasion began.
The threat actor, known as “theMx0nday,” is based in Brazil and has expressed online support for Russia. It has a history of stealing sensitive information from its victims and used infrastructure from an internet service provider called Njalla, which claims to be the world's most notorious ‘Privacy as a Service’ provider for domains, VPSs and VPNs.
The specific Njalla server that the traffic was routed through appears to be located in Finland, according to IP geolocation data, although Njalla claims their servers are based “In secret locations in Sweden”.
As a result of the attacks, Wordfence is taking the unprecedented step of upgrading all of its users in Ukraine to the paid version of the product, ensuring they benefit from real-time firewall rules, malware signatures and IP blocklist updates.
Total attempts to exploit WordPress vulnerabilities in Ukraine jumped to 144,000 on 25th February, roughly three times the number of daily attacks from earlier in the month, said Mark Maunder, CEO of Wordfence parent company Defiant. However, over a longer period, the surge in attacks was even higher.