
Microsoft announced on Friday that a series of outages earlier this month affecting Azure, Outlook and OneDrive were caused by an uncategorized cluster it tracks under the name Storm-1359.
“These attacks likely rely on access to multiple virtual private servers (VPS) combined with rented cloud infrastructure, open proxies and DDoS tools,” the tech giant said in a post on Friday.
Storm-#### (formerly DEV-####) is a temporary name the Windows maker assigns to an unknown, emerging, or developing group whose identity or affiliation has not yet been clearly established.
While there is no evidence that customer data was accessed or compromised, the company said the attack “temporarily impacted the availability” of some of its services. Redmond said it also observed threat actors launching Layer 7 DDoS attacks from multiple cloud services and open proxy infrastructures.
This includes HTTP(S) flood attacks, which flood the target service with HTTP(S) requests; cache bypass, in which the attacker bypasses the CDN layer and tries to overload the origin server; and a technique known as Slowloris.
“The attack involves a client opening a connection to a web server, requesting a resource (such as an image), and then failing to authorize the download (or slow to accept the download),” the Microsoft Security Response Center (MSRC) said. “This forces the web server to keep the connection open and the requested resource in memory.”
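The three Layer 7 patterns described above leave different traces in edge and origin request logs. The sketch below is an added example, not code from Microsoft or from the original article. It labels clients in a window of constructed log records, and the record fields, thresholds and label names are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed records, not real traffic. Assumed fields per request:
# (client, path, query, cache_status, seconds_open, bytes_accepted)
def build_sample():
    rows = [("198.51.100.7", "/img/logo.png", "", "HIT", 0.1, 48000),
            ("198.51.100.7", "/index.html", "", "HIT", 0.2, 9000),
            ("198.51.100.7", "/search", "q=azure", "MISS", 0.3, 12000)]
    # Same path with a fresh query string each time, so the CDN never hits.
    rows += [("203.0.113.9", "/img/logo.png", f"r={i:06x}", "MISS", 0.2, 48000)
             for i in range(30)]
    # Connections held open for minutes while accepting a trickle of bytes.
    rows += [("192.0.2.44", "/img/banner.jpg", "", "HIT", 180.0, 2000)
             for _ in range(5)]
    # Plain volume: many requests, even though the content is cacheable.
    rows += [("203.0.113.200", "/index.html", "", "HIT", 0.1, 9000)
             for _ in range(120)]
    return rows

def classify(rows, flood_reqs=100, bypass_variants=20, miss_ratio=0.9,
             slow_secs=60, min_bytes_per_sec=100, slow_conns=3):
    """Return {client: set of labels} for the analysed window."""
    count = defaultdict(int)
    misses = defaultdict(int)
    variants = defaultdict(set)   # (client, path) -> distinct query strings
    slow = defaultdict(int)
    for client, path, query, cache, secs, nbytes in rows:
        count[client] += 1
        misses[client] += cache == "MISS"
        if query:
            variants[(client, path)].add(query)
        # Long-lived connection with very low throughput: slow-read pattern.
        if secs >= slow_secs and nbytes / secs < min_bytes_per_sec:
            slow[client] += 1
    labels = defaultdict(set)
    for client, n in count.items():
        if n >= flood_reqs:
            labels[client].add("http-flood")
        if slow[client] >= slow_conns:
            labels[client].add("slow-read")
    # Many query variants of one path that almost all miss the cache.
    for (client, _path), queries in variants.items():
        if (len(queries) >= bypass_variants
                and misses[client] / count[client] >= miss_ratio):
            labels[client].add("cache-bypass")
    return dict(labels)

if __name__ == "__main__":
    for client, found in sorted(classify(build_sample()).items()):
        print(client, sorted(found))
```

The miss-ratio condition keeps an ordinary search user, who also sends many distinct query strings but still gets cache hits elsewhere, from being labelled as cache bypass.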

Microsoft further characterized the “opaque start-up” as focused on disruption and publicity. A hacktivist group known as Anonymous Sudan issued a claim of responsibility for the attack. However, it’s worth noting that the company has not explicitly linked Storm-1359 to Anonymous Sudan.
Microsoft 365 services such as Outlook, Teams, SharePoint Online and OneDrive for Business went down. The company later announced that it had detected “anomalies associated with increased request rates.”
“Traffic analysis showed an unusual spike in HTTP requests issued to the Azure portal origin, bypassing existing automatic precautions and causing a service unavailable response,” it said.
Who is Anonymous Sudan?
Anonymous Sudan has made waves in the threat world since the beginning of the year with a series of DDoS attacks against entities in Sweden, the Netherlands, Australia and Germany.
An analysis by Trustwave SpiderLabs in late March 2023 indicated that this adversary is likely an offshoot of the pro-Russian threat actor group KillNet, which first gained notoriety during last year’s Russia-Ukraine conflict.
Trustwave said the group is “publicly affiliated with the Russian group KillNet, but for reasons known only to its operators, it likes to use pro-Islamic narratives as the reasoning behind its attacks.”
KillNet has also been noted for DDoS attacks against healthcare organizations hosted on Microsoft Azure, which surged from 10-20 daily attacks in November 2022 to 40-60 daily attacks in February 2023.
The Kremlin-affiliated group, which first emerged in October 2021, has further established a “private military hacking company” called Black Skills in an attempt to give cyber-mercenary activity a corporate sheen.
Anonymous Sudan’s Russian ties were also exposed when it collaborated with KillNet and REvil to form the “DARKNET Congress” and organize cyberattacks against financial institutions in Europe and the United States. The message read, “The primary task is to paralyze SWIFT’s movements.”
“Despite its nationalistic aims, KillNet is primarily driven by financial motives and uses the enthusiastic support of Russia’s pro-Kremlin media ecosystem to promote rental DDoS services,” Flashpoint said in an adversary overview last week.
“KillNet has also partnered with several botnet providers and the Deanon Club, a partner threat group with which KillNet founded the Infinity Forum, to target drug-focused darknet markets.”