The websites of at least 30 Ukrainian universities have been compromised by a threat actor expressing support for Russia, as vulnerability exploit attempts surged during the invasion, according to Wordfence.
The security firm protects over 8300 WordPress sites in Ukraine, including those of private businesses and the government, military and police. This has generated useful intelligence on the scale of the attack campaign, which spiked on February 25 as the Russian invasion began.
Total attempts to exploit WordPress vulnerabilities in Ukraine jumped to 144,000 on that day, roughly three times the number of daily attacks from earlier in the month, said Mark Maunder, CEO of Wordfence parent company Defiant.
Measured over a longer window, the surge was larger still.
“We compiled a list of websites that had received at least double the number of attacks from the day before the invasion started, until Monday February 28, which is a window of about 5.5 days, compared to the entire 27 days before the attack started. That’s about a 10 times increase in the average daily number of attacks,” Maunder explained.
“Out of the 8320 Ukraine websites that we protect, we found a list of 383 websites where attacks had increased dramatically following the invasion. Out of those 383 websites, 229 were sites ending in ‘EDU.UA.’ In other words, academic websites and universities in Ukraine.”
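The selection Maunder describes (average daily attacks over the roughly 5.5-day window from the day before the invasion through Monday February 28, compared with the 27 days before it, flagging sites with at least a 2x increase, then counting the `edu.ua` share) can be reproduced over per-site daily counts. The script below is an added example, not Wordfence's code; the window boundaries and the sample telemetry are assumptions constructed for illustration.

```python
from datetime import date, timedelta

INVASION_START = date(2022, 2, 24)
SURGE_START = INVASION_START - timedelta(days=1)   # day before the invasion started
SURGE_END = date(2022, 2, 28)                       # Monday 28 February
BASELINE_DAYS = 27                                  # comparison period before the window

def surge_ratio(daily_counts):
    """daily_counts maps date -> attack count for one site.
    Returns average daily attacks in the surge window divided by the
    average daily attacks over the 27 days preceding that window."""
    surge_days = (SURGE_END - SURGE_START).days + 1
    baseline_start = SURGE_START - timedelta(days=BASELINE_DAYS)
    surge = sum(n for d, n in daily_counts.items() if SURGE_START <= d <= SURGE_END)
    base = sum(n for d, n in daily_counts.items() if baseline_start <= d < SURGE_START)
    surge_avg, base_avg = surge / surge_days, base / BASELINE_DAYS
    if base_avg == 0:  # a site with no baseline traffic: any attacks count as a surge
        return float("inf") if surge_avg > 0 else 0.0
    return surge_avg / base_avg

def flag_surging_sites(counts_by_site, threshold=2.0):
    """Sites whose average daily attack count at least doubled (sorted by name)."""
    return sorted(s for s, c in counts_by_site.items() if surge_ratio(c) >= threshold)

def count_by_suffix(sites, suffix=".edu.ua"):
    """How many flagged hostnames fall under a given domain suffix."""
    return sum(1 for s in sites if s.lower().endswith(suffix))

def make_series(base_per_day, surge_per_day):
    """Constructed sample data (not Wordfence telemetry): flat daily counts
    before the window and a different flat rate inside it."""
    series, d = {}, SURGE_START - timedelta(days=BASELINE_DAYS)
    while d <= SURGE_END:
        series[d] = surge_per_day if d >= SURGE_START else base_per_day
        d += timedelta(days=1)
    return series

SAMPLE = {
    "www.example-uni.edu.ua": make_series(5, 60),   # 12x increase
    "lib.example-uni.edu.ua": make_series(2, 5),    # 2.5x increase
    "shop.example.com.ua": make_series(10, 12),     # 1.2x, not flagged
    "portal.example.gov.ua": make_series(0, 3),     # no baseline, flagged
}

if __name__ == "__main__":
    flagged = flag_surging_sites(SAMPLE)
    print(f"{len(flagged)} sites flagged, {count_by_suffix(flagged)} under edu.ua: {flagged}")
```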
The culprit was named as a Brazil-based threat group known as “theMx0nday,” which has expressed online support for Russia. It has a history of stealing sensitive information from its victims and used infrastructure from a privacy-centric hosting provider run by Pirate Bay co-founder Peter Sunde, according to Maunder.
“Njalla is a service provider for VPNs, which makes it possible that the attack may have come from one of their customers, a hacked server belonging to one of their customers, or from a VPN exit node,” he explained. “We suspect their VPN was used as an exit node to mask a threat actor.”
As a result of the attacks, Wordfence is taking the unprecedented step of upgrading all of its users in Ukraine to the paid version of the product, ensuring they benefit from real-time firewall rules, malware signatures and IP blocklist updates.
“The malicious IP addresses involved in this attack are included in our blocklist, which will completely block access to WordPress and other PHP applications installed alongside WordPress. The list is updated in real-time as attackers rotate through fresh IP addresses,” Maunder explained.
“We also regularly deploy new firewall rules and malware detection to block and detect emerging attacks and malicious activity. Instead of our usual 30-day delay for free customers, Ukrainian websites will start receiving these security updates in real-time, until further notice.”