In recent weeks, a hacker collective calling itself Anonymous Sudan has launched distributed denial of service (DDoS) attacks against a number of Microsoft services, including Outlook, OneDrive and Microsoft Azure, amongst others. These attacks, which typically lasted between one and two hours, succeeded in their goal of crippling the targeted services for as long as they were under way. Prior to this, however, Microsoft had almost always attributed such irregularities to problems inside its own systems rather than to hacker activity.
The group known as Anonymous Sudan does not hold any particular ill will against Microsoft; the only purpose behind the attacks is to get people’s attention. Microsoft was therefore unlikely to acknowledge the attacks publicly, since doing so would play directly into the hackers’ hands.
However, as the attacks continued over time, Microsoft was no longer able to conceal the facts and eventually admitted that a cyberattack had indeed disrupted its cloud services. Microsoft’s security team tracks the group under the name Storm-1359. In the end, Microsoft acknowledged that the DDoS attacks carried out by Anonymous Sudan were the cause of the irregularities in its cloud services.
According to the analysis compiled by Microsoft’s security team, the DDoS attacks orchestrated by Storm-1359 primarily targeted layer 7 (the application layer) rather than layers 3 or 4 (the network and transport layers). In response, Microsoft strengthened its layer 7 defenses, including making changes to the Azure Web Application Firewall (WAF), to protect customers from the knock-on effects of DDoS attacks.
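Layer 7 defenses differ from layer 3/4 defenses in that they count requests rather than packets or bytes, and they can apply a budget per client and per route. The following is an added illustration of that idea, not Microsoft’s code or any Azure WAF configuration: a two-tier token-bucket limiter with hypothetical policy values (20 requests burst and 10/s per client, 200 burst and 100/s per route). The per-route budget is what still bites when a distributed flood keeps each individual address under the per-client limit.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict


@dataclass
class TokenBucket:
    """Token bucket: holds up to `capacity` tokens, refilled at `rate` per second."""
    capacity: float
    rate: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Layer7RateLimiter:
    """Application-layer limiter with a per-client bucket and a per-route bucket
    shared by all clients. Policy values are hypothetical, chosen for the demo."""

    def __init__(self, client_capacity=20, client_rate=10.0,
                 route_capacity=200, route_rate=100.0):
        self.client_capacity, self.client_rate = client_capacity, client_rate
        self.route_capacity, self.route_rate = route_capacity, route_rate
        self._clients: Dict[str, TokenBucket] = {}
        self._routes: Dict[str, TokenBucket] = {}

    @staticmethod
    def _bucket(table, key, capacity, rate, now) -> TokenBucket:
        bucket = table.get(key)
        if bucket is None:
            bucket = TokenBucket(capacity, rate, capacity, now)  # starts full
            table[key] = bucket
        return bucket

    def decide(self, client: str, route: str, now: float) -> str:
        """Return 'allow', 'throttle_client' or 'throttle_route' for one request."""
        cb = self._bucket(self._clients, client, self.client_capacity, self.client_rate, now)
        if not cb.take(now):
            return "throttle_client"
        rb = self._bucket(self._routes, route, self.route_capacity, self.route_rate, now)
        if not rb.take(now):
            return "throttle_route"
        return "allow"


def simulate() -> Counter:
    """Constructed scenario (not captured traffic): one noisy source bursting 30
    requests, then 100 distinct sources each sending 5 requests to the same
    route, all within the same second so no refill happens."""
    limiter = Layer7RateLimiter()
    outcomes: Counter = Counter()
    for _ in range(30):  # single source: 20 allowed, 10 throttled per-client
        outcomes[limiter.decide("198.51.100.7", "/login", 0.0)] += 1
    for i in range(100):  # distributed: each source stays under its own limit...
        for _ in range(5):  # ...but the route budget (180 left) runs out
            outcomes[limiter.decide(f"203.0.113.{i}", "/login", 0.0)] += 1
    return outcomes


if __name__ == "__main__":
    print(dict(simulate()))  # allow=200, throttle_client=10, throttle_route=320
```

In the simulation the per-client tier stops only the single loud source, while the per-route tier absorbs the distributed burst; a real deployment would add a whole-site budget above both and tune the values from observed baseline traffic.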
“Starting in the early part of June 2023, Microsoft saw spikes in the amount of traffic directed at some services, which momentarily disrupted availability. Following the timely opening of an inquiry, Microsoft acknowledged that it has begun monitoring continuing DDoS activity by the threat actor known as Storm-1359,” Microsoft said. “Microsoft tracks this threat actor.”
To carry out their attacks, which included HTTP and HTTPS flood attacks, Storm-1359 made use of a number of different botnets and tools, exploiting high volumes of SSL/TLS handshakes and HTTPS requests to overload the target infrastructure.
In Microsoft’s case, Storm-1359 flooded the services with millions of HTTP/HTTPS requests per second originating from IP addresses all over the world, overwhelming the systems. In addition, Storm-1359 made use of cache-bypass techniques so that its requests could not be answered from the CDN cache, using a series of requests to overwhelm the systems powering the CDN.
The attackers also used Slowloris, a denial of service technique in which the client opens a connection, requests a resource from the server, and then never acknowledges receiving it. This coerces the server into holding the connection open and keeping the requested resource in memory for as long as possible.
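Each of the three techniques above leaves a distinct footprint in ordinary web server access logs, which is where a defender without CDN-level telemetry would first look. The following is an added example, not code from Microsoft or from the article: it parses nginx-style log lines (combined format with `$request_time` appended), then flags per-second request floods by source, paths whose requests nearly all carry unique query strings (the cache-bypass pattern, keyed on path rather than IP so a botnet sending one request per address is still visible), and sources holding many connections open for tens of seconds without ever completing a request line (Slowloris, which nginx logs as `"-"` with 408). Thresholds and the sample log are constructed for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# nginx "combined" format with $request_time appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" (?P<rtime>[\d.]+)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    # A request line that never completed is logged by nginx as "-".
    method, target = (parts[0], parts[1]) if len(parts) >= 2 else (None, None)
    path, _, query = target.partition("?") if target else (None, "", "")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "epoch": int(ts.timestamp()), "method": method,
            "path": path, "query": query, "status": int(m.group("status")),
            "rtime": float(m.group("rtime"))}


def detect_http_flood(records: List[dict], per_second: int = 50) -> List[str]:
    """Sources sending more than `per_second` requests within one clock second."""
    hits = Counter((r["ip"], r["epoch"]) for r in records)
    return sorted({ip for (ip, _), n in hits.items() if n > per_second})


def detect_cache_bypass(records: List[dict], min_requests: int = 20,
                        min_unique_ratio: float = 0.8) -> List[str]:
    """Paths where almost every request carries a different query string, so a
    CDN can never serve them from cache and each one reaches the origin."""
    total: Counter = Counter()
    queries = defaultdict(set)
    for r in records:
        if r["path"] is None:
            continue
        total[r["path"]] += 1
        queries[r["path"]].add(r["query"])
    return sorted(p for p, n in total.items()
                  if n >= min_requests and len(queries[p]) / n >= min_unique_ratio)


def detect_slowloris(records: List[dict], min_seconds: float = 10.0,
                     min_connections: int = 3) -> List[str]:
    """Sources with several long-held connections that never completed a
    request line (request "-") or timed out (408 Request Timeout)."""
    slow = Counter(r["ip"] for r in records
                   if r["rtime"] >= min_seconds and (r["method"] is None or r["status"] == 408))
    return sorted(ip for ip, n in slow.items() if n >= min_connections)


def analyze(log_text: str) -> Dict[str, List[str]]:
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    return {"http_flood": detect_http_flood(records),
            "cache_bypass": detect_cache_bypass(records),
            "slowloris": detect_slowloris(records)}


def constructed_log() -> str:
    """Synthetic sample log (constructed, not real traffic): one flooding source
    using unique query strings, one slow-connection source, one normal visitor."""
    lines = [f'198.51.100.7 - - [09/Jun/2023:10:00:00 +0000] "GET /index.html?cb={i} HTTP/1.1" '
             f'200 512 "-" "Mozilla/5.0" 0.004' for i in range(60)]
    lines += [f'203.0.113.5 - - [09/Jun/2023:10:00:{i:02d} +0000] "-" 408 0 "-" "-" 30.001'
              for i in range(4)]
    lines += [f'192.0.2.10 - - [09/Jun/2023:10:00:{i:02d} +0000] "GET /index.html HTTP/1.1" '
              f'200 512 "-" "Mozilla/5.0" 0.003' for i in range(3)]
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, hits in analyze(constructed_log()).items():
        print(f"{kind}: {hits}")
```

The cache-bypass check is deliberately a per-path ratio rather than a per-IP count, since the sources in a distributed flood may each send only a handful of requests; the flood and Slowloris checks stay per-source because that is the unit an operator can act on.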
Botnets were by far the most important component. To carry out their attacks, the cybercriminals used several virtual private servers (VPS), proxies, rented cloud servers and DDoS tools, but the botnets remained their primary source of power. These botnets command an effectively unlimited pool of IP addresses, which lets them consistently evade the blocking measures Microsoft puts in place; in fact, blocking such attacks completely is quite difficult given their scale. That said, Storm-1359 seems to have temporarily ceased its efforts against Microsoft.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.