Microsoft Repeatedly Burned in ‘Layer 7’ DDoS

Time and again this month, “Russian” hackers bring down Microsoft clouds.

Microsoft confirms that a group pretending to be hacktivists has knocked its cloud properties offline again and again with denial-of-service attacks. The perps, calling themselves Anonymous Sudan, are believed to be a Russian group affiliated with Killnet.

Redmond said it was a “Layer 7” attack on Azure, OneDrive, Teams, etc. Layer 7 is the application layer: rather than saturating network links, the flood is made of ordinary-looking HTTP requests that the service itself has to process, which is a nice way of saying Microsoft’s own software was the thing that buckled. In today’s SB Blogwatch, we feel the coming storm.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Montreal memes.

Unlucky Number

What’s the craic? Frank Bajak reports—“Disruptions to Outlook, cloud platform, were cyberattacks”:

Researchers believe the group to be Russian
In early June, sporadic but serious service disruptions plagued Microsoft’s flagship office suite … and cloud computing platform. A shadowy hacktivist group claimed responsibility. … Microsoft has now disclosed that DDoS attacks by the murky upstart were indeed to blame.

A spokeswoman confirmed that the group that calls itself Anonymous Sudan was behind the attacks. … Microsoft dubbed the attackers Storm-1359, using a designator it assigns to groups whose affiliation it has not yet established.

Anonymous whatnow? Daryna Antoniuk is not surprised—“Azure outage was caused by ‘anomalous’ traffic spike”:

Ransom of $1 million
Cybersecurity researchers believe the group isn’t an authentic part of the larger Anonymous hacktivist movement, but … is a sub-group of the pro-Russia hacking group known as Killnet. … Anonymous Sudan wrote on Telegram that it launched a DDoS attack against Azure to show how “untrustworthy” its services are.

The group also made a demand to Microsoft, requesting a ransom of $1 million. They threatened to continue the attacks and sell data on 30 million customers they claim to have accessed. … Microsoft would not confirm whether … any data was leaked.

Horse’s mouth? I smell the dead hand of Microsoft PR—“Layer 7 … DDoS Attacks”:

Collection of botnets and tools
Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. … We have seen no evidence that customer data has been accessed or compromised.

Storm-1359 has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. … This recent DDoS activity targeted layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections … to better protect customers from the impact of similar DDoS attacks.

LOL. Did you get that? This Anonymous Coward translates for us:

Bad timing
Ah, what a nice bit of camouflage. I wonder how long their marketing people worked on that.

Microsoft can claim it was transparent while hiding the truth from most end users and managers: “This recent DDoS activity targeted layer 7 rather than layer 3 or 4.” … Layer 7 is the application layer.

[It] means that this DDoS attack targeted Microsoft software. This DDoS was apparently able to use vulnerabilities in Microsoft’s own software to, er, vaporise their Cloud. So, in addition to Microsoft software being a known local security risk to your average enterprise it’s now also a proven exposure in the Cloud. I can understand why they’re cagey about it: It’s bad timing as they’re raising prices.
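To make the “layer 7” distinction concrete: a layer 3/4 flood never reaches an application log, but a layer 7 flood is visible there as a burst of well-formed requests. The following is an added example (my code, not Microsoft’s and not from any commenter quoted here) that runs two common heuristics over constructed Common Log Format lines: a per-source request rate over a sliding window, and a cache-busting pattern in which one source hits the same path with many distinct query strings so that no CDN or cache in front of the origin can absorb the load. The log format, the IP addresses (RFC 5737 documentation ranges), and the thresholds are all assumptions chosen for the demonstration.

```python
"""Spot likely Layer 7 (HTTP) flood sources in access-log lines.

Added example; the log lines are constructed, not real Microsoft traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed thresholds: tune to the service's real baseline before using.
WINDOW_SECONDS = 10           # sliding window per source IP
RATE_THRESHOLD = 20           # requests in the window before we call it a flood
DISTINCT_QUERY_THRESHOLD = 10 # distinct query strings on one path from one IP

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    parts = urlsplit(m['target'])
    return {
        'ip': m['ip'],
        'ts': ts.timestamp(),
        'method': m['method'],
        'path': parts.path,
        'query': parts.query,
        'status': int(m['status']),
    }


def classify(lines, window=WINDOW_SECONDS, rate=RATE_THRESHOLD,
             distinct_q=DISTINCT_QUERY_THRESHOLD):
    """Return {ip: sorted list of reasons} for sources that look like L7 flood
    participants. Reasons are 'rate' and/or 'cache-bypass'."""
    recent = defaultdict(deque)   # ip -> request timestamps inside the window
    queries = defaultdict(set)    # (ip, path) -> distinct query strings seen
    verdicts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a malformed line must not crash the detector
        dq = recent[rec['ip']]
        dq.append(rec['ts'])
        while dq and rec['ts'] - dq[0] > window:
            dq.popleft()  # drop requests that fell out of the window
        if len(dq) >= rate:
            verdicts[rec['ip']].add('rate')
        if rec['query']:
            seen = queries[(rec['ip'], rec['path'])]
            seen.add(rec['query'])
            if len(seen) >= distinct_q:
                verdicts[rec['ip']].add('cache-bypass')
    return {ip: sorted(reasons) for ip, reasons in verdicts.items()}


def build_sample():
    """Constructed access-log lines: one ordinary browser plus two flood
    sources. Addresses are from RFC 5737 documentation space."""
    base = datetime(2023, 6, 5, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, target):
        ts = (base + timedelta(seconds=offset_s)).strftime('%d/%b/%Y:%H:%M:%S %z')
        return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 512'

    lines = []
    # Ordinary client: five requests spread over a minute.
    for i, target in enumerate(['/index.html', '/style.css', '/app.js',
                                '/api/search?q=teams', '/logo.png']):
        lines.append(line('198.51.100.7', i * 12, target))
    # Flood source 1: 30 requests in 5 seconds, each with a fresh query string
    # so every request is a cache miss that the origin must serve.
    for i in range(30):
        lines.append(line('203.0.113.5', i // 6, f'/api/search?q=x{i:04d}'))
    # Flood source 2: 25 requests in 3 seconds to the front page, no query.
    for i in range(25):
        lines.append(line('203.0.113.9', i // 10, '/'))
    return lines


if __name__ == '__main__':
    for ip, reasons in classify(build_sample()).items():
        print(ip, reasons)
```

Running it flags 203.0.113.5 for both rate and cache-bypass and 203.0.113.9 for rate only, while the ordinary client is not listed. The point of the exercise is the one the commenter makes: every flagged request was a syntactically valid HTTP request that the application stack accepted and worked on, so the defence has to live at the application tier (per-client rate limits, cache discipline, bot filtering), not in the network filters that stop layer 3/4 floods.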

When you put it like that, it all adds up. MSCLYES does the math:

DDoS attack or not, MS services have been down several times this year alone—and I’m not counting the small ones with few minutes of downtime. … Reliability and security constantly getting worse. At least they have learned how to renew certificates on time but should still be renamed to M265.

Silly code name, though. badrabbit agrees:

Yeah, storm sounds too cool. “LittleTantrum” would be my pick. Imagine getting beat up by someone and then you go to the cops and report, “I call him ‘mighty-fist’ and he beat me badly.”

Blame the cloud? Rosco P. Coltrane urges you to exit his grassed area:

People have a short memory: Before the personal computer, software was run on mainframes … a centralized computer controlled by someone else. … It was slow when it worked and you were SOL when it didn’t, you paid through the nose for access to so-so services.

Everybody hated mainframes. When home computers became powerful enough to run software locally, it was so liberating! [But] 50 years on, we’re right back to square one. It’s not called a mainframe anymore, it’s called “Software as a Service”: Just like mainframes, the service isn’t yours; it’s slow when it works and you’re SOL when it doesn’t; you pay through the nose. … History repeats itself. It’s ****ing depressing.

Meanwhile, u/fuzzyfrank snarks it up:

Should’ve used Azure DDoS protection.

And Finally:

Oh, Canada


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Maciej Pienczewski (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp on Forbes. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
