Microsoft finally admits to DDoS attack by Anonymous Sudan

Anonymous Sudan

Recently, a hacker group calling itself Anonymous Sudan has launched DDoS attacks against several Microsoft services, including Outlook, OneDrive and Microsoft Azure.

Typically lasting one to two hours, these attack waves did cripple Microsoft's services while they ran. Yet until now, Microsoft consistently attributed the outages to internal system malfunctions rather than to hackers.

The motivation behind these actions is simple: Anonymous Sudan bears no grudge against Microsoft; its sole aim is to draw attention. That is precisely why Microsoft was reluctant to acknowledge the attacks publicly, since doing so would play directly into the hackers' hands.

However, as the attacks persisted, Microsoft could no longer conceal the truth. It finally conceded that its cloud services had indeed been disrupted by a cyberattack. The name Microsoft's security team has given this hacker collective is Storm-1359.

Microsoft eventually acknowledges the DDoS attacks instigated by Anonymous Sudan, causing anomalies in Microsoft’s cloud services.

Microsoft's security team revealed in its report that the DDoS activity led by Storm-1359 primarily targeted layer 7 (the application layer) rather than layers 3 or 4. Consequently, Microsoft strengthened its layer 7 protections, including adjustments to the Azure Web Application Firewall (WAF) to shield customers from the effects of DDoS attacks.

“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359,” confirmed Microsoft.

Storm-1359 used a collection of botnets and tools to carry out its attacks, including HTTP/HTTPS flood attacks, overloading systems with high volumes of SSL/TLS handshakes and HTTPS requests.

In the attacks on Microsoft, Storm-1359 bombarded the targets with millions of HTTP/HTTPS requests per second from IPs around the world, overloading Microsoft's systems.

Storm-1359 also used cache-bypass techniques to get around CDN caching, sending requests that cannot be served from cache so that the origin systems behind the CDN are overloaded.

The attackers also employed Slowloris, a denial-of-service technique in which the client requests a resource from the server but never acknowledges receiving it, forcing the server to keep the connection open and hold the resource in memory.

Most important of all are the botnets. The hackers used multiple VPSs, proxies, rented cloud servers and DDoS tools to carry out their attacks, but the main force remained the botnets. Because these botnets command a vast number of IP addresses, they can keep evading Microsoft's blocking measures.
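As an added defender-side illustration (not code from the article or from Microsoft's report), the following Python profiles web-server access logs for two of the layer 7 behaviours described above: an abnormal per-client request rate, and the cache-bypass pattern of hitting the same path with an ever-changing query string so the CDN cannot serve it from cache. The log lines, IP addresses and thresholds are constructed for the demo, not taken from the incident.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Common Log Format lines (hypothetical, not traffic from the incident):
# 203.0.113.7 hammers /index.html with a fresh query string per request, which
# keeps every request off the CDN cache; 198.51.100.5 is an ordinary visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [07/Jun/2023:10:00:0{i % 2} +0000] '
    f'"GET /index.html?nocache={i} HTTP/1.1" 200 512' for i in range(6)
] + [
    '198.51.100.5 - - [07/Jun/2023:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.5 - - [07/Jun/2023:10:00:30 +0000] "GET /news?page=1 HTTP/1.1" 200 900',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+$')

def parse_line(line):
    """Return (ip, timestamp, path, query) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    path, _, query = target.partition("?")
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, query

def profile_clients(lines):
    """Per-IP request rate and cache-bypass ratio (distinct path+query / requests)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            hits[parsed[0]].append(parsed[1:])
    profiles = {}
    for ip, reqs in hits.items():
        times = [t for t, _, _ in reqs]
        span = max((max(times) - min(times)).total_seconds(), 1.0)  # avoid /0
        uncached = {(p, q) for _, p, q in reqs if q}  # cache-busting query variants
        profiles[ip] = {"requests": len(reqs), "rps": len(reqs) / span,
                        "bypass_ratio": len(uncached) / len(reqs)}
    return profiles

def flag_suspects(profiles, min_requests=5, rps_limit=2.0, bypass_limit=0.9):
    """Map suspect IP -> reasons. Thresholds are illustrative; tune to the site's baseline."""
    suspects = {}
    for ip, p in profiles.items():
        if p["requests"] < min_requests:
            continue  # too few requests to judge
        reasons = [name for name, hit in (("request rate", p["rps"] >= rps_limit),
                                          ("cache bypass", p["bypass_ratio"] >= bypass_limit)) if hit]
        if reasons:
            suspects[ip] = reasons
    return suspects
```

In a real deployment the same signals would be computed per sliding window and fed to the WAF or rate limiter, and a single flagged IP matters far less than a botnet of many low-rate sources, which is why the botnet paragraph above is the crux.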

In truth, given the intensity of these attacks, blocking them completely is extremely difficult. For now, however, Storm-1359 has halted its attacks against Microsoft.