Pierluigi Paganini
June 18, 2023
In early June, Microsoft suffered severe outages for some of its services, including Outlook email, OneDrive file-sharing apps, and the cloud computing infrastructure Azure.
A collective known as Anonymous Sudan (aka Storm-1359) claimed responsibility for the DDoS attacks that hit the company’s services.
Threat actors relied on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.
Initially, the IT giant did not provide details about the outage, but now it has confirmed it was targeted by DDoS attacks in a report titled “Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks.”
“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.” reads the report published by the company.
The attackers launched a series of powerful Layer 7 Distributed Denial of Service (DDoS) attacks.
The company pointed out that they have seen no evidence that customer data has been accessed or compromised. Microsoft enhanced layer 7 protections, including tuning Azure Web Application Firewall (WAF), to mitigate such types of attacks.
The company observed Anonymous Sudan launching several layer 7 DDoS attack traffic types, including HTTP(S) flood attacks, cache bypass, and Slowloris.
The report published by Microsoft also includes Layer 7 DDoS protection tips
Collective Anonymous Sudan has been active since January 2023, it claims to target any country that is against Sudan. However, some security researchers believe that Anonymous Sudan is a sub-group of the Pro-Russian threat group Killnet.
“SpiderLabs cannot confirm that the group is based in Sudan, nor if any of its members are from that nation, but based on the evidence available, it seems quite likely that Anonymous Sudan is a Killnet project, possibly including some Eastern European members.” states SpiderLabs.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, DDoS)
