Early June Microsoft outages were result of large-scale DDoS hit

A series of services disruptions experienced by users of Microsoft Azure, OneDrive and Outlook were the result of a major distributed denial of service (DDoS) attack conducted by a threat actor tracked by Redmond as Storm-1359 (aka Anonymous Sudan) – a Russia-aligned or -backed group with alleged links to the Killnet collective.

The surges in traffic were identified at the beginning of June 2023, but the cyber attack is not thought to have resulted in any unauthorised access to or compromise of user data.

Microsoft said Storm-1359’s attacks had targeted Layer 7 as opposed to Layers 3 or 4, and were supported with access to multiple virtual private servers, rented cloud infrastructure, open proxies and other DDoS tools.

Under the Open Systems Interconnection (OSI) framework, a Layer 7 attack targets application layer processes to tie up resources and stop a service from being able to deliver content to its users. It differs from a Layer 3 DDoS attack, which targets the network layer that transfers data from network to network, and a Layer 4 attack, which targets the transport layer that transfers data from device to device.

The function of each Layer OSI model may vary, but all such attacks have the same purpose and ultimate effect, which is to disrupt or crash the service by overwhelming its resources.

“Microsoft assessed that Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and publicity,” said the research team at Microsoft’s MSRC cyber unit.

MSRC found that Storm-1359 had launched multiple types of Layer 7 attack, including HTTP(S) floods, which aim to exhaust application compute resources with vast numbers of secure socket layer (SSL) or transport layer security (TLS) handshakes and HTTP(S) requests; cache bypasses, which attempt to bypass the content delivery network (CDN) layer to overload the origin servers; and Slowloris, where the client connects to a web server, requests a resource, but either fails to acknowledge the download or accepts it very slowly, forcing the victim server to stay connected and use up memory resources while it tries to complete the requested task.

In response, said the MSRC, Microsoft has hardened Layer 7 protections, including making a series of tweaks under the bonnet of the Azure Web Application Firewall (WAF) to better protect users.

However, while these hardening tools and techniques are considered super-effective, Microsoft’s MSRC said customers should review the technical details and recommended actions – as set out here – to increase their own resilience levels.

Among other things, security teams may wish to enable Layer 7 protection services such as Azure WAF and consider creating custom WAF rules to block and rate limit HTTP(S) attacks with known signatures, configure bot protection, scan and block suspicious or malicious IP addresses and ranges, and block traffic from the source region (most likely Russia) or from outside a defined region.

Despite the group’s use of the Anonymous hacktivist branding, threat researchers at ANZ-based security specialist CyberCX said the Storm-1359/Anonymous Sudan group – which was first observed communicating via Telegram in January – is highly unlikely to have any link to Anonymous itself or, for that matter, any connection to Sudan.

Moreover, its tradecraft and targeting do not align with the hacktivist model, they said, but seem to reflect Russian state cyber goals.

The analysts said that based on Anonymous Sudan’s observed activity, there was a high chance the group was backed by Russia and warned there was a good chance its activity would increase in tempo over the coming months. They added that its apparent access to significant resources and dubious ideological associations made it an “atypical threat”.

Meanwhile, late last week, the wider Killnet group made headlines following a “Darknet parliament” summit supposedly attended by its operatives as well as representatives of Anonymous Sudan and members of the REvil ransomware operation – which once terrorised Western organisations but has faded from the popular cyber consciousness of late.

In the wake of this summit, the group said it would “impose sanctions” on the European banking system, specifically targeting systems such as Swift and threatening destructive DDoS attacks within 48 hours.

At the time of writing, no significant cyber attacks against the European financial system have been observed.