Microsoft on Friday tied a series of service outages aimed at Azure, Outlook and OneDrive earlier this month to an uncategorized cluster it tracks under the name Storm-1359.
“This attack likely relies on access to multiple virtual private servers (VPS) along with rented cloud infrastructure, open proxies, and DDoS tools,” the tech giant said in a post on Friday.
Storm-#### (formerly DEV-####) is a temporary designation Microsoft gives to an unknown, emerging, or growing group whose identity or affiliation has not yet been established.
While there is no evidence that customer data was accessed or compromised, the company noted that the attack “temporarily impacted the availability” of some services. Redmond said it further observed the threat actor launching layer 7 DDoS attacks from multiple cloud services and open proxy infrastructure.
These include HTTP(S) flood attacks, which bombard a target service with a high volume of HTTP(S) requests; cache bypass, where an attacker tries to bypass the CDN layer and overwhelm the origin server; and a technique known as Slowloris.
“This attack occurs when a client opens a connection to a web server, requests a resource (for example, an image), and then fails to acknowledge the download (or slowly accepts it),” says the Microsoft Security Response Center (MSRC). “This forces the web server to keep the connection open and the requested resource in memory.”
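The three techniques above leave different fingerprints: a flood shows up as raw request rate per source, cache bypass as one path hammered with unique query strings that all miss the cache, and Slowloris as many long-lived connections that move almost no data. The script below is an added example (not code from Microsoft or from the original article) that applies those heuristics to constructed sample data. The log format (Combined Log Format plus a trailing cache-status field such as nginx's `$upstream_cache_status`), the connection-table shape, and every threshold are assumptions chosen for illustration, not values taken from the page.

```python
"""Heuristic detection of HTTP(S) flood, CDN cache bypass and Slowloris
patterns over constructed sample data (added example; assumed formats)."""
import re
from collections import Counter, defaultdict

# Assumed access-log format: Combined Log Format with an extra trailing
# cache-status field (HIT/MISS/BYPASS/EXPIRED), as nginx can be configured to log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ (?P<cache>\S+)$'
)

# Constructed sample log lines (not real traffic): one client fires 40 requests
# in a single second, each with a unique cache-busting query string that misses
# the cache; a second client makes three ordinary requests served from cache.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [09/Jun/2023:10:00:01 +0000] '
     f'"GET /portal/index.html?cb={i} HTTP/1.1" 200 512 MISS' for i in range(40)]
    + ['198.51.100.9 - - [09/Jun/2023:10:00:01 +0000] '
       '"GET /portal/index.html HTTP/1.1" 200 512 HIT'] * 3
)

# Constructed connection-table snapshot, the kind of data you would assemble
# from ss/netstat or a server status endpoint: (client_ip, seconds_open,
# bytes_received_from_client, bytes_sent_to_client). One client holds 150
# connections open for minutes with only a partial request on each.
SAMPLE_CONNECTIONS = (
    [("192.0.2.44", 120 + i, 60, 0) for i in range(150)]
    + [("198.51.100.9", 2, 780, 15_000)]  # a normal, completed exchange
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["path"], _, e["query"] = e["url"].partition("?")
        e["second"] = e["ts"].split()[0]  # bucket key: timestamp without the TZ offset
        events.append(e)
    return events


def http_flood_suspects(events, rps_threshold=20):
    """IPs that exceed rps_threshold requests within any one-second bucket."""
    per_ip_second = Counter((e["ip"], e["second"]) for e in events)
    return sorted({ip for (ip, _), n in per_ip_second.items() if n >= rps_threshold})


def cache_bypass_suspects(events, min_requests=10, distinct_query_ratio=0.8, miss_ratio=0.8):
    """IPs that hit one path with mostly unique query strings that mostly miss the
    cache: the signature of an attacker deliberately driving traffic past the CDN
    to the origin."""
    per_ip_path = defaultdict(list)
    for e in events:
        per_ip_path[(e["ip"], e["path"])].append(e)
    suspects = set()
    for (ip, _path), evs in per_ip_path.items():
        if len(evs) < min_requests:
            continue
        distinct = len({e["query"] for e in evs}) / len(evs)
        misses = sum(e["cache"] in ("MISS", "BYPASS", "EXPIRED") for e in evs) / len(evs)
        if distinct >= distinct_query_ratio and misses >= miss_ratio:
            suspects.add(ip)
    return sorted(suspects)


def slowloris_suspects(conns, min_open_seconds=30, max_bytes=1024, min_conns=50):
    """IPs holding many long-lived connections that have moved almost no data in
    either direction, which covers both slowly-sent request headers and a client
    that accepts the response only a few bytes at a time."""
    stale = Counter(ip for ip, age, rx, tx in conns
                    if age >= min_open_seconds and rx + tx <= max_bytes)
    return sorted(ip for ip, n in stale.items() if n >= min_conns)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("HTTP flood:", http_flood_suspects(events))
    print("cache bypass:", cache_bypass_suspects(events))
    print("Slowloris:", slowloris_suspects(SAMPLE_CONNECTIONS))
```

Thresholds this low would be noisy on a real portal; in practice you would calibrate each one against a baseline of legitimate traffic and feed the resulting IPs or ASNs into a WAF rate-limit or block rule rather than acting on a single heuristic alone.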
Microsoft further characterized the adversary as focused on disruption and publicity. A hacktivist group known as Anonymous Sudan has claimed responsibility for the attacks. However, it should be noted that the company has not explicitly linked Storm-1359 with Anonymous Sudan.
Microsoft 365 services such as Outlook, Teams, SharePoint Online, and OneDrive for Business went down at the start of the month, with the company later stating it had detected an “anomaly with increased demand levels”.
“Traffic analysis shows an anomalous spike in HTTP requests issued against the Azure portal origin, bypassing existing automated countermeasures, and triggering a service unavailable response,” it said.
Who is Anonymous Sudan?
Anonymous Sudan has been making waves with a series of DDoS attacks against Swedish, Dutch, Australian and German organizations since the beginning of this year.
Analysis from Trustwave SpiderLabs at the end of March 2023 showed that the adversary is likely an offshoot of the pro-Russian threat actor group KillNet, which first gained notoriety during the Russia-Ukraine conflict last year.
“They are openly allied with the Russian Killnet group, but for reasons only known to its operators, prefer to use the story of defending Islam as the rationale behind its attacks,” Trustwave said.
KillNet also attracted attention for its DDoS attacks on healthcare entities hosted on Microsoft Azure, which jumped from 10-20 attacks in November 2022 to 40-60 attacks daily in February 2023.
The Kremlin-affiliated collective, which first appeared in October 2021, has since established a “private military hacking firm” named Black Skills in an effort to lend its cyber mercenary activities a sheen of legitimacy.
Anonymous Sudan's Russian connection also became evident in the wake of its collaboration with KillNet and REvil to form the “DARKNET parliament” and organize cyber attacks on European and U.S. financial institutions. “Task number one is to paralyze the work of SWIFT,” reads the message.
“Killnet, despite its nationalistic agenda, is driven primarily by financial motives and leverages the passionate support of Russia's pro-Kremlin media ecosystem to promote its DDoS rental service,” Flashpoint said in last week's adversary profile.
“Killnet has also partnered with several botnet providers as well as Deanon Club — the partner threat group with which Killnet created the Infinity Forum — to target the darknet market focused on narcotics.”