Microsoft admits that malicious DDoS attacks in early June crippled its cloud services- Azure, Outlook, and OneDrive.

Early in June, Microsoft’s flagship office suite, which includes the file-sharing applications OneDrive and Outlook email, experienced periodic but significant service interruptions. A mysterious hacktivist group took the brunt of the responsibility, claiming that distributed denial-of-service attacks overwhelmed the websites with unwanted traffic.

According to a preliminary analysis from Microsoft, an outage in Azure on Friday was caused by an unusual rise in HTTP requests with error messages created across numerous geographic areas. The outage disrupted access to Microsoft Entra admin center, Microsoft Intune, and Azure.

In a tweet on Friday, the IT giant stated that “these attacks likely depend on access to multiple virtual private servers (VPS) in addition to rented cloud infrastructure, open proxies, and DDoS tools.“

Microsoft announced last week that it was looking into the problems in response to reproaches made by the hacktivist collective Anonymous Sudan that the company had been the target of a series of DDoS attacks that caused the outages.

Although there is no proof that user data was obtained or stolen, the business reported that the attacks “temporarily impacted the availability” of several services.

Redmond claimed to have seen the threat actor perform layer 7 DDoS attacks through various cloud services and open proxy infrastructures.

This scenario comprises HTTP flood attacks, in which the attacker floods the intended services with HTTP requests; cache bypass attacks, in which the attacker tries to get around the CDN layer and overburden the origin servers; and the Slowloris approach.

DDoS (Distributed Denial of Service) attacks, a blunt hammer that overwhelms servers with traffic until they can no longer reply, are occasionally used to conceal or assist more advanced invasions. According to Microsoft, no proof has been found that customer data has been accessed or compromised.

Microsoft Security Response Centre (MSRC) stated, “This attack occurs when the client establishes a connection to a web server, requests a resource, and then fails to acknowledge the download (or accepts it slowly).” The connection must stay open, and the requested resource will remain in memory.

Microsoft specified in October 2021 that it had protected an unidentified European customer from an intense 2.4 Tbps DDoS attack, even though none of their DDoS attack methods are especially unusual. (This DDoS attack was of the UDP reflection type and came from 70,000 sources.)

Anonymous Sudan

An unknown entity identifying as “Anonymous Sudan” has claimed responsibility for the Microsoft DDoS attacks, and a Redmond spokesman verified the link to AP. The company has identified the threat actor as “Storm-1359.”

Since the beginning of the year, Anonymous Sudan has caused an uproar in the threat environment by launching several distributed denial-of-service attacks against organizations in Sweden, the Netherlands, Australia, and Germany.

According to a Trustwave SpiderLabs research published in late March 2023, the attacker is probably a division of the pro-Russian threat actor organization KillNet, which rose to notoriety during the crisis between Russia and Ukraine last year.

Additionally, KillNet has been scrutinized for its DDoS attacks against Microsoft Azure-hosted healthcare institutions, which increased from 10 to 20 attacks daily in November 2022 to 40 to 60 in February 2023.

Despite its nationalistic mission, KillNet has been primarily motivated by financial goals, using the steadfast backing of the Russian pro-Kremlin media ecosystem to advertise its DDoS-for-hire services, according to a profile of the adversary published by Flashpoint last week.

Turning the Azure Firewall

Microsoft recommends clients employ Layer 7 protection services, such as Azure Web Application Firewall, to protect their web applications. These services are included with Azure Front Door and Azure Application Gateway.

Microsoft reported that it had been “tuning Azure Web Application Firewall [a managed service] to secure customers from the impact of similar DDoS attacks more effectively” and, recommended that customers “Use layer seven protection services such as Azure Web Application Firewall (available with Azure Front Door, Azure Application Gateway) to protect web applications.” 

The post Massive DDoS Attacks on Outlook, OneDrive, and other Microsoft 365 Services appeared first on EncryptedFence by CerteraSSL - A Complete Web Security Blog.