Cloud outages: Microsoft reveals details of DDoS attack by Anonymous Sudan/Storm-1359

[German]It was hacker attacks that brought Microsoft cloud services to their knees for hours on and off since June 5, 2023. My reports here on the blog that a hacktivist group called "Anonymous Sudan" claimed responsibility didn't turn out to be an airhead at the end of the day. I had cited information on a Post Incident Report For Microsoft 365 over the weekend that described some details and countermeasures. But there is also a publicly available blog post that confirms these attacks and gives details.

Microsoft cloud outages

On June 5, 2023, there were yes first disruptions of the Exchange Online Microsoft services – I had reported about that in my post Exchange Online down for hours (June 5, 2023) A user had pointed me to this disruption, which began shortly before 16:00 German time, but in the meantime (18:40) was probably largely resolved.

Exchange Online-Störung (5. Juni 2023)

On June 8, 2023, the blog post Outlook.com and OneDrive down – consequence of cyber attacks? (June 8, 2023) on the next disruption. And on June 9, 2023, the post Microsoft Azure outage (June 9, 2023); what's going on? reported an affected Azure portal.

Störungen der Microsoft-Cloud
Microsoft cloud service degradation, Source: Microsoft

The above graphic from Microsoft shows the impairments of cloud services in the form of "availability", which shows significant drops. A hacktivist group called "Anonymous Sudan" had already claimed responsibility for the first disruption, which I also vaguely mentioned in the article.

Exchange Online outage

However, Microsoft did not provide any information in this regard – and my sources said "nothing known". The situation culminated in this German comment, where a Microsoft key account manager from Austria was cited, that he desperately looking for reports of hacker attacks.

Microsoft confirms Storm-1359 attack

I had written quite a bit about this in the blog post Microsoft's cloud outage was result of a DDoS attack. A blog reader then pointed me to another Microsoft blog post titled Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks. Microsoft confirms a DDoS attack by Anonymus Sudan (referred to by Microsoft as Storm-1359). The report states:

In early June 2023, Microsoft noticed a sharp increase in traffic to some services that temporarily affected availability. Microsoft immediately launched an investigation and subsequently began tracking the ongoing DDoS activity of the threat actor, which Microsoft refers to as Storm-1359.

These attacks likely relied on access to multiple virtual private servers (VPS) in conjunction with leased cloud infrastructure, open proxies and DDoS tools.

Microsoft writes that there is no evidence that customer data was accessed or compromised. This recent DDoS activity targeted Layer 7, not Layer 3 or 4 (of the ISO network layer model). Microsoft has strengthened Layer 7 protection and optimized the Azure Web Application Firewall (WAF) to better protect customers from the impact of similar DDoS attacks.

Although these tools and techniques are very effective in mitigating most disruptions, Microsoft is constantly reviewing the performance of its hardening capabilities and incorporating the findings into refining and improving their effectiveness. What this means in plain English is that this type of disruption can come back at any time – it just needs an actor to come along with enough resources.

In the linked blog post, Microsoft then provides details and writes: Customers should review the technical details and recommended actions in this blog to increase the resilience of their environments to mitigate similar attacks.

Similar articles
Exchange Online down for hours (June 5, 2023)
Outlook.com and OneDrive down – consequence of cyber attacks? (June 8, 2023)
Microsoft Azure outage (June 9, 2023); what's going on?
Microsoft's cloud outage was result of a DDoS attack

This entry was posted in Allgemein and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *