Application layer attacks are among the most difficult to mitigate

Jul 10, 2014 13:23 GMT

This week’s disruption of the online services of numerous companies in Norway’s financial sector was possible because of the “pingback” feature in the WordPress platform.

A group of hackers claiming to be part of the Anonymous Norway hacktivist outfit deployed, on Tuesday, July 8, a distributed denial-of-service attack against the online services of multiple Norwegian companies, most of them connected to the financial sector.

According to sources familiar with the matter, who do not wish their identity to be disclosed, the attackers abused the “pingback” feature in WordPress in order to hit the systems of the targeted victims and thus cripple their availability, even if only for a short period of time.

The feature is turned on by default and can easily be abused so that a WordPress website starts sending requests to a victim chosen by the attacker.

This is far from being a new issue: a bug ticket about the DDoS risks associated with the WordPress implementation of XML-RPC, the interface used for “pingback” and other features, was first filed in 2007.

Also, the simplicity of carrying out an attack that leverages this flaw supports the theory that the attackers may be script kiddies.

The DDoS focused on targeting layers three (network) and four (transport) of the OSI model, as well as layer seven (application), at the same time.

A layer seven DDoS attack is more difficult to mitigate because it targets the application interface and mimics legitimate behavior. Such attacks can target a single element on a webpage, and since the requests come from the legitimate IP addresses of vulnerable WordPress installations, filtering the traffic is not that easy.
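What a defender on the receiving end can actually look for is the trace that pingback verification leaves in web server logs. When a WordPress site processes a pingback it fetches the page it was told links to it, and that request carries a User-Agent of the form `WordPress/<version>; <site URL>; verifying pingback from <IP>`. The following detection logic is an added example, not part of the original article and not code from WordPress or from any of the companies named; it runs over a handful of constructed Apache-style access log lines (the IP addresses, hostnames and paths are made up) and reports how many requests came from pingback verification, how many distinct WordPress sites were acting as reflectors, and which path they converged on. The flood threshold is an arbitrary value chosen for the sample.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress sends when it verifies a pingback it has received.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>\S+); verifying pingback from (?P<origin>\S+)$'
)

# Constructed sample: four pingback-verification hits from three different
# WordPress sites, all naming the same "origin" IP, plus two ordinary browser hits.
SAMPLE_LOG = """
203.0.113.10 - - [08/Jul/2014:10:15:01 +0200] "GET /nettbank/ HTTP/1.1" 200 5120 "-" "WordPress/3.9.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [08/Jul/2014:10:15:01 +0200] "GET /nettbank/ HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog-b.example; verifying pingback from 198.51.100.7"
198.51.100.200 - - [08/Jul/2014:10:15:02 +0200] "GET / HTTP/1.1" 200 3012 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/30.0"
203.0.113.10 - - [08/Jul/2014:10:15:02 +0200] "GET /nettbank/?x=1 HTTP/1.1" 200 5120 "-" "WordPress/3.9.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [08/Jul/2014:10:15:03 +0200] "GET /nettbank/ HTTP/1.1" 200 5120 "-" "WordPress/3.9.1; http://blog-c.example; verifying pingback from 198.51.100.7"
198.51.100.201 - - [08/Jul/2014:10:15:03 +0200] "GET /nettbank/ HTTP/1.1" 200 5120 "http://search.example/" "Mozilla/5.0 (Macintosh) Safari/537.36"
""".strip()


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_hits(lines):
    """Keep only requests whose User-Agent is a WordPress pingback verification fetch."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = PINGBACK_UA_RE.match(rec["ua"])
        if m is None:
            continue
        parts = rec["req"].split()
        path = parts[1] if len(parts) >= 2 else rec["req"]
        hits.append({
            "src_ip": rec["ip"],            # the WordPress host that actually connected
            "reflector": m.group("site"),   # the site it claims to be
            "claimed_origin": m.group("origin"),  # the IP the pingback supposedly came from
            "path": path.split("?")[0],     # requested path without query string
        })
    return hits


def reflector_counts(hits):
    """How many verification fetches each WordPress site sent us."""
    return Counter(h["reflector"] for h in hits)


def top_target_path(hits):
    """The path most of the pingback traffic converged on, or None if there were no hits."""
    if not hits:
        return None
    return Counter(h["path"] for h in hits).most_common(1)[0][0]


def is_pingback_flood(hits, threshold=3):
    """Crude signal: many pingback fetches from many distinct sites in the window.
    A single legitimate pingback produces one fetch from one site; a reflection
    attack produces many, from many sites, all sharing the same claimed origin."""
    distinct_sites = len(reflector_counts(hits))
    return len(hits) >= threshold and distinct_sites >= 2


if __name__ == "__main__":
    hits = pingback_hits(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} pingback verification fetches from "
          f"{len(reflector_counts(hits))} WordPress sites, mostly hitting {top_target_path(hits)}")
    print("flood suspected:", is_pingback_flood(hits))
```

The User-Agent alone is not grounds for blocking: a single pingback verification fetch is what happens every time a blog legitimately links to one of your pages. What distinguishes the reflection pattern is volume, many distinct WordPress sites in a short window, and the same claimed-origin IP repeated across all of them, which is why the flood check looks at count and distinct reflectors rather than at individual requests. On the WordPress side, site operators who do not need pingbacks can unregister the `pingback.ping` method through the `xmlrpc_methods` filter so their installation cannot be used as a reflector.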

As far as the security of customer information is concerned, our sources say they believe this was nothing other than a distributed denial-of-service attack, as no evidence of intrusion attempts was found. However, their investigation is not complete yet.

Sverre Olesen, head of the security team at Evry, an IT company that provides services for financial organizations in Norway, told Norwegian publications that this incident was not the largest the company had seen, but that it was notable in targeting so many victims at the same time.

Among the services affected were those of Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, Danske Bank, and Telenor (the largest telecommunications company in Norway). Other businesses were also affected, including websites of Scandinavian Airlines (SAS) and Norwegian Air.