According to sources familiar with the matter, who asked not to be identified, the attackers abused the "pingback" feature of WordPress to flood the targeted organisations' systems and knock out their availability, even if only for a short period of time.
Pingback is enabled on a fresh WordPress installation and is easily abused: an attacker sends an XML-RPC `pingback.ping` call to a site's `xmlrpc.php`, naming the victim's URL as the "source" of the pingback, and the WordPress site then fetches that URL to verify the link. Repeat this against thousands of unrelated WordPress sites and each one becomes a reflector issuing HTTP requests at the victim. The site operator can remove the `pingback.ping` method through the `xmlrpc_methods` filter, but most never do.
This is far from a new issue: a bug ticket about the DDoS risk in the WordPress XML-RPC implementation, which underpins pingback and other features, was first filed in 2007.
The DDoS combined volumetric floods at layers three (network) and four (transport) of the OSI model with a layer-seven (application) attack, all running at the same time.
A layer-seven DDoS is harder to mitigate because it hits the application itself and mimics legitimate behaviour. The requests can be aimed at a specific, expensive resource on the site, and since they arrive from the legitimate IP addresses of otherwise benign WordPress installations rather than from a botnet of spoofed sources, filtering on source address alone is not that easy.
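The reflection mechanism described above and the filtering problem it creates are easier to see on the defender's side. The following Python script, an added example and not part of the original article, scans web-server access-log lines for the signature WordPress leaves on its own outbound requests (a `User-Agent` of the form `WordPress/<version>; <site URL>`) combined with a bare cache-busting query string, then tallies which reflector sites and source IPs are involved. The log lines are constructed for the example, the IP addresses are from documentation ranges, and the threshold and helper names are the author's own choices.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of combined-format access-log lines (not real traffic).
# Reflected pingback traffic carries the User-Agent WordPress sets on its own
# outbound requests, "WordPress/<version>; <reflector site URL>", and typically a
# random query string so the victim's cache does not absorb the hit. The last line
# is a WordPress site fetching a feed for legitimate reasons and must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2014:09:12:01 +0200] "GET /?8372918 HTTP/1.0" 200 5123 "-" "WordPress/3.9.1; http://blog-a.example"
203.0.113.11 - - [10/Jul/2014:09:12:01 +0200] "GET /?11827361 HTTP/1.0" 200 5123 "-" "WordPress/3.8.3; http://shop-b.example"
198.51.100.7 - - [10/Jul/2014:09:12:02 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"
203.0.113.10 - - [10/Jul/2014:09:12:02 +0200] "GET /?9981231 HTTP/1.0" 200 5123 "-" "WordPress/3.9.1; http://blog-a.example"
203.0.113.12 - - [10/Jul/2014:09:12:02 +0200] "GET /login?7712 HTTP/1.0" 200 5123 "-" "WordPress/3.9.1; http://club-c.example"
198.51.100.8 - - [10/Jul/2014:09:12:03 +0200] "GET /feed HTTP/1.1" 200 2210 "-" "WordPress/3.9.1; http://friendly-d.example"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress uses for the HTTP requests it makes itself.
WP_UA_RE = re.compile(r'^WordPress/(?P<ver>[\d.]+); (?P<site>https?://\S+)$')
# A bare token with no key=value structure: a cache buster, not a real parameter.
CACHE_BUSTER_RE = re.compile(r'^[0-9A-Za-z]{3,}$')


def parse_line(line):
    """Return a dict of the fields we need, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": parts.query,
        "ua": m.group("ua"),
    }


def is_pingback_reflection(entry):
    """A WordPress User-Agent plus a cache-busting query string marks a reflected hit.

    A WordPress User-Agent on its own is not enough: feed readers and genuine
    pingback verifications produce the same header, so the query-string check is
    what separates abuse from ordinary traffic in this heuristic.
    """
    return bool(WP_UA_RE.match(entry["ua"])) and bool(CACHE_BUSTER_RE.match(entry["query"]))


def summarize(log_text):
    """Tally suspicious requests by reflector site, source IP and requested path."""
    reflectors, source_ips, targets = Counter(), Counter(), Counter()
    total = suspicious = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        total += 1
        if not is_pingback_reflection(entry):
            continue
        suspicious += 1
        # The site URL in the UA is self-reported by the reflector; treat it as an
        # indicator for notifying its owner, not as proof of anything.
        reflectors[WP_UA_RE.match(entry["ua"]).group("site")] += 1
        source_ips[entry["ip"]] += 1
        targets[entry["path"]] += 1
    return {
        "total": total,
        "suspicious": suspicious,
        "reflectors": reflectors,
        "source_ips": source_ips,
        "targets": targets,
    }


def block_candidates(summary, threshold):
    """Source IPs with at least `threshold` reflected hits, for a temporary rate limit.

    Blocking is a stop-gap: the reflectors are legitimate sites that are themselves
    being abused, so the IP list churns and is worth pairing with a request-level
    rule (WordPress UA + bare cache-busting query) rather than address blocks alone.
    """
    return sorted(ip for ip, n in summary["source_ips"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['suspicious']} of {s['total']} requests look like pingback reflection")
    print("reflector sites:", dict(s["reflectors"]))
    print("rate-limit candidates:", block_candidates(s, threshold=2))
```

Run against a real log, the request-level rule (WordPress User-Agent together with a bare cache-busting query string) is the part worth turning into a WAF or reverse-proxy rule, because the set of reflecting IPs changes from one wave to the next while that signature does not.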
As far as the security of customer information is concerned, our sources say they believe this was nothing more than a distributed denial-of-service attack, as no evidence of intrusion attempts was found.
The services affected were those of Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, Danske Bank, and Telenor. Other businesses were also affected, including the websites of Scandinavian Airlines and Norwegian Air.