Microsoft attributes the early-June outage of Outlook and OneDrive to DDoS attacks

Microsoft has confirmed that a threat actor it tracks as Storm-1359 carried out several distributed denial of service (DDoS) attacks that disrupted its services at the beginning of June, including Outlook and OneDrive.

A DDoS attack is a type of cyberattack that tries to make a website or network resource unavailable by flooding it with malicious traffic from many sources, so that it can no longer serve legitimate users as it normally would.

The company said that earlier this month it identified “sudden increases in traffic for some services” that temporarily affected the availability of some of its applications, such as Outlook, OneDrive and Azure, according to the updates it published at the time on Twitter.

Upon learning of these incidents, Microsoft “quickly opened an investigation and subsequently began tracking ongoing DDoS activity by a threat actor,” which it identifies as Storm-1359, as it confirmed in a statement.

The group calls itself Anonymous Sudan. According to Bleeping Computer, it emerged in January 2023 and targets large organizations and government agencies it regards as opposed to Sudan’s policies, although some researchers link it to Russia.

Microsoft has analyzed Storm-1359 and determined that it has access to a collection of botnets and tools that let it launch DDoS attacks from multiple cloud services and open proxy infrastructures.

From this, Microsoft has concluded that the group’s activity is focused on disruption and publicity. The attacks it describes all work at the application layer: rather than saturating network links, they try to exhaust the servers’ own resources. The first type is an HTTP(S) flood, which aims to exhaust system resources with a heavy load of SSL/TLS handshakes and HTTP(S) request processing, sent through the botnets and proxies described above.

A second technique Storm-1359 uses, cache bypass, seeks to get past the content delivery network (CDN) layer so that requests reach the origin servers directly, which can overload them.
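The two attack types above leave distinct traces in a web server's access log: an HTTP(S) flood shows up as an abnormal request rate, and cache bypass as a source whose URLs almost never repeat (a fresh query string on every request defeats the CDN cache, so each request is forwarded to the origin). The following detector is an added example for this page, not Microsoft's code or tooling. The log lines, the sources 10.0.0.5, 198.51.100.7 and 203.0.113.9, and every threshold are constructed assumptions; the per-source checks are complemented by a site-wide peak, because a well-distributed flood can stay under every per-source limit.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the constructed log shape used below: ip - - [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Thresholds are assumptions for this demo; a real deployment derives them from its own baseline.
WINDOW_SECONDS = 10
FLOOD_THRESHOLD = 100          # requests from one source inside WINDOW_SECONDS
MIN_REQUESTS_FOR_BYPASS = 20   # samples needed before judging query-string behaviour
UNIQUE_QUERY_RATIO = 0.8       # share of query-string requests that are never repeated


def build_sample_log():
    """Constructed access log: one browser session, one single-source HTTP flood, one cache-bypass bot."""
    lines = [
        '10.0.0.5 - - [05/Jun/2023:15:00:01 +0000] "GET /index.html HTTP/1.1" 200',
        '10.0.0.5 - - [05/Jun/2023:15:00:02 +0000] "GET /logo.png HTTP/1.1" 200',
        '10.0.0.5 - - [05/Jun/2023:15:00:03 +0000] "GET /search?q=mail HTTP/1.1" 200',
        '10.0.0.5 - - [05/Jun/2023:15:00:09 +0000] "GET /search?q=mail HTTP/1.1" 200',
    ]
    # Flood bot: 150 requests for the same page inside ten seconds.
    for i in range(150):
        lines.append(f'198.51.100.7 - - [05/Jun/2023:15:00:{i % 10:02d} +0000] "GET /index.html HTTP/1.1" 200')
    # Cache-bypass bot: a fresh query string on every request, so the CDN cannot answer from
    # cache and each request is forwarded to the origin.
    for i in range(40):
        lines.append(f'203.0.113.9 - - [05/Jun/2023:15:00:{i % 30:02d} +0000] "GET /index.html?cb={i:04x} HTTP/1.1" 200')
    return lines


def parse(lines):
    """Return (ip, unix_time, target) per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events.append((m["ip"], ts, m["target"]))
    return events


def peak_rate(timestamps, window):
    """Largest number of events inside any span shorter than `window` seconds (two-pointer sweep)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    """Flag per-source floods and cache-busting, and report the site-wide peak request rate."""
    events = parse(lines)
    by_ip = defaultdict(list)
    for ip, ts, target in events:
        by_ip[ip].append((ts, target))

    sources = {}
    for ip, reqs in by_ip.items():
        flags = []
        peak = peak_rate([ts for ts, _ in reqs], WINDOW_SECONDS)
        if peak >= FLOOD_THRESHOLD:
            flags.append("http_flood")
        # Cache bypass shows up as a source whose query strings almost never repeat:
        # legitimate clients re-request the same URLs, cache-busters never do.
        with_query = [t for _, t in reqs if "?" in t]
        if len(reqs) >= MIN_REQUESTS_FOR_BYPASS and with_query:
            if len(set(with_query)) / len(with_query) >= UNIQUE_QUERY_RATIO:
                flags.append("cache_bypass")
        sources[ip] = {"requests": len(reqs), "peak_per_window": peak, "flags": flags}

    # A distributed flood can stay under every per-source threshold, so also watch the
    # aggregate: the busiest single second across all sources, to compare with a baseline.
    site_peak = peak_rate([ts for _, ts, _ in events], 1)
    return {"sources": sources, "site_peak_per_second": site_peak}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for ip, info in result["sources"].items():
        print(ip, info)
    print("site peak requests/second:", result["site_peak_per_second"])
```

Run as a script it prints one line per source with its flags; in the constructed log the flood bot is flagged `http_flood`, the cache-busting bot `cache_bypass`, and the browser session nothing. The unique-query ratio is deliberately judged only once a source has sent enough requests, since a handful of distinct searches from a real user would otherwise look like cache-busting.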

Finally, the group uses the Slowloris attack: the client opens a connection to a server, requests a resource (such as an image), and then fails to acknowledge the download or accepts it only slowly. This forces the web server to keep the connection open and the requested resource in memory. Each such connection ties up a socket and a worker, so a bot can exhaust a server’s connection capacity with very little bandwidth.
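The defining trait of Slowloris is that the attacker never completes the exchange, so the countermeasure is to stop waiting: a deadline on the request and a cap on concurrent connections per client address. The loopback demo below is an added example written for this page, not Microsoft's or the attacker's code; the timeout, the per-address cap and the hypothetical clients are assumptions. One client stalls after sending half its request headers (the classic Slowloris move), four such connections arrive from one address, and a well-behaved client follows.

```python
import asyncio
from collections import Counter

# Assumed limits for this demo; a production server tunes them to its own traffic.
HEADER_TIMEOUT = 1.0      # seconds a client gets to finish sending its request headers
MAX_CONNS_PER_IP = 3      # concurrent connections allowed from one client address
OK_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
TOO_MANY = b"HTTP/1.1 429 Too Many Requests\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


class HardenedServer:
    """Minimal HTTP listener that refuses to be held open by slow or excessive clients."""

    def __init__(self):
        self.open_conns = Counter()   # client IP -> live connections
        self.outcomes = []            # "served" | "timeout" | "rejected", one per connection

    async def handle(self, reader, writer):
        ip = writer.get_extra_info("peername")[0]
        if self.open_conns[ip] >= MAX_CONNS_PER_IP:
            # Per-address cap: a single bot cannot monopolise the connection table.
            self.outcomes.append("rejected")
            writer.write(TOO_MANY)
            await self._close(writer)
            return
        self.open_conns[ip] += 1
        try:
            # The complete header block must arrive within the deadline; otherwise the
            # connection is dropped instead of sitting in memory indefinitely.
            await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=HEADER_TIMEOUT)
            self.outcomes.append("served")
            writer.write(OK_RESPONSE)
        except (asyncio.TimeoutError, asyncio.IncompleteReadError,
                asyncio.LimitOverrunError, ConnectionError):
            self.outcomes.append("timeout")
        finally:
            self.open_conns[ip] -= 1
            await self._close(writer)

    @staticmethod
    async def _close(writer):
        try:
            await writer.drain()
            writer.close()
            await writer.wait_closed()
        except ConnectionError:
            pass   # peer already gone; nothing left to release


async def slow_client(port, hold):
    """Slowloris-style client: sends an incomplete request and goes quiet for `hold` seconds.
    Returns True if the server terminated the connection before that, False if it was held."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET /image.png HTTP/1.1\r\nHost: example.test\r\n")   # no terminating blank line
    await writer.drain()
    try:
        await asyncio.wait_for(reader.read(1024), timeout=hold)
        terminated = True     # EOF, a 429 page or a reset: the server did not wait for us
    except asyncio.TimeoutError:
        terminated = False    # still open after `hold` seconds: the server is tied up
    except ConnectionError:
        terminated = True
    writer.close()
    return terminated


async def normal_client(port):
    """Well-behaved client: full request, reads the status line back."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"GET /image.png HTTP/1.1\r\nHost: example.test\r\n\r\n")
    await writer.drain()
    status = (await reader.readline()).decode().strip()
    writer.close()
    return status


async def run_demo():
    srv = HardenedServer()
    server = await asyncio.start_server(srv.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async with server:
        # Four stalled connections from one address: one exceeds the per-IP cap and is
        # rejected at once, the other three are cut off when HEADER_TIMEOUT expires.
        slow = await asyncio.gather(*(slow_client(port, hold=5.0) for _ in range(4)))
        normal = await normal_client(port)
    return {"slow_terminated": slow, "normal_status": normal, "outcomes": sorted(srv.outcomes)}


def demo():
    return asyncio.run(run_demo())


if __name__ == "__main__":
    print(demo())
```

Without the deadline, the three stalled connections would stay open for as long as the attacker keeps the sockets alive, and without the cap a single address could open as many as the listener allows. Real servers expose the same two knobs under other names (for example header or request timeouts and per-client connection limits in the web server or load balancer); the slow-read variant the page describes, where the client accepts the response slowly, is handled the same way with a minimum send rate or write timeout on the response side.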

Microsoft recommends using Azure Web Application Firewall (WAF) to protect web applications and creating custom rules in that service to automatically block and rate-limit HTTP and HTTPS attack traffic. Because application-layer floods arrive from many source addresses, rate limiting matters as much as blocking individual IPs.

By Editor
