Microsoft has confirmed that a series of outages affecting its Azure and Outlook services in early June were caused by DDoS attacks. The attacks targeted layer 7 of the network stack, which is the layer that handles application traffic. This type of attack is more difficult to defend against than layer 3 or 4 attacks, which target the network infrastructure.
The attacks began on June 6 and continued for several days. They affected a variety of Azure services, including the Azure portal, Azure Active Directory, and Azure Storage. Outlook users also experienced outages, with some users being unable to access their email or send and receive messages.
Microsoft was able to mitigate the attacks and restore service to most users. However, some users may have experienced a residual impact, such as delayed email delivery.
In a statement, Microsoft said that it is “committed to protecting our customers from DDoS attacks” and that it is “taking steps to improve our defenses against these attacks.”
Researchers from Microsoft assessed that the cyberattacks relied upon “access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.”
Techniques used in the attack include HTTPS flood attacks, cache bypass, and Slowloris.
Since the attack did not access or compromise any customer data, Microsoft is isolating its recommendations for customers to improve web application firewalls, which operate at Layer 7.
Bot protection, blocking known malicious IP ranges and domains, and rate-limiting HTTP and HTTPS attacks that have known signatures are among the guidelines offered.
Anonymous Sudan and KillNet claim responsibility
Microsoft has not identified the actor responsible for the attacks. However, the timing of the attacks coincides with a recent increase in DDoS attacks targeting Microsoft and other major tech companies. The threat actors are tracked by Microsoft as “Storm-1359”, also known as Anonymous Sudan.
As we previously reported, Anonymous Sudan specifically states that it will attack any country that interferes with Sudan or its interests. The group has launched attacks against Tinder, Lyft, and various hospitals across the United States. It’s unclear how any of these organizations are tied to Sudan, but they pressured each company with bounties to stop the DDoS attacks.
Earlier this month, the group turned its focus to Microsoft, by launching relentless DDoS attacks against Azure, Outlook, OneDrive, and other components of 365. Anonymous Sudan demanded $1 million to stop the attacks.
KillNet, another Russia-linked cyber gang that has infamously caused DDoS attacks against targets across the U.S., has formed an alliance with Anonymous Sudan, according to BleepingComputer.
One theory: Anonymous Sudan may be a false flag, with the group actually masquerading over Sudanese interests while really being linked to Russia.
This probably isn’t the last time we’ll hear of Anonymous Sudan and KillNet, so more to come.
