Highlights:

  • A “Layer 7” attack is a type of DDoS that targets the internet protocol suite’s application layer and overloads a service with a large number of requests, leading to service interruptions or outages.
  • The group used HTTP(S) flood attacks, cache bypass, and Slowloris to exhaust a web service’s available connections, preventing it from processing new requests.

Microsoft Corporation recently disclosed that service disruptions that affected its clients earlier this month resulted from a distributed denial-of-service attack launched by a threat actor known as Storm-1359.

The Layer 7 DDoS attack disrupted Microsoft services such as Outlook, Azure, and OneDrive. A “Layer 7” attack is a type of DDoS that targets the internet protocol suite’s application layer and overloads a service with a large number of requests, leading to service interruptions or outages. The Storm-1359 group is more commonly known as Anonymous Sudan.

The DDoS attack began in June, with the Outlook.com web portal targeted on June 7, followed by OneDrive and the Microsoft Azure Portal on June 8 and 9, respectively. Following the attacks, Microsoft opened an internal investigation, which suggests the threat actor used multiple virtual private servers, open proxies, rented cloud infrastructure, and DDoS tools to carry out the attacks. Microsoft’s investigation concluded that the attacks were carried out for disruption and publicity.

Behind the scenes, the attacks were somewhat unusual: they targeted Layer 7, the application layer of the internet protocol suite. Storm-1359’s strategy enabled it to overwhelm Microsoft’s services with a high volume of requests, resulting in degraded service or even total denial of service. A Layer 7 attack is distinct from the more common Layer 3 and Layer 4 attacks, which Microsoft can readily defend against with services like Azure Web Application Firewall.

The group’s DDoS attack methods included HTTP(S) cache bypass, flood attacks, and Slowloris, all designed to exhaust a web service’s available connections and prevent it from processing new requests.
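Two of the three techniques named above, request floods and cache bypass, leave a recognisable trace in ordinary web server access logs: a single source sending far more requests per window than a browser would, and a source that appends a different query string to every request so that each one misses the cache and hits the origin. The script below is an added example written for this article, not code from Microsoft or from any tool the page mentions. It parses Common Log Format lines, computes a per-source sliding-window request rate and the share of distinct query strings per path, and flags sources that exceed assumed thresholds. The log lines, the IP addresses (documentation ranges) and the thresholds are all constructed for the example. Slowloris, the third technique, is deliberately not covered here: it holds connections open with partial headers, so it rarely produces completed request lines and is better spotted from connection-state metrics (many half-open connections per source) than from access logs.

```python
"""Detect Layer 7 flood and cache-bypass patterns in Common Log Format access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: <ip> <ident> <user> [<timestamp>] "<method> <target> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a record dict for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def analyze(lines, window_seconds=10, rate_threshold=20, bypass_threshold=0.8):
    """Return {ip: [finding, ...]} for sources that look like flood or cache-bypass traffic.

    Thresholds are assumptions for this example; tune them to the site's real baseline.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])

        # Flood check: largest number of requests from this source inside any sliding window.
        max_in_window, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > timedelta(seconds=window_seconds):
                start += 1
            max_in_window = max(max_in_window, end - start + 1)

        # Cache-bypass check: a source that varies the query string on almost every request
        # to the same path is trying to make each request a cache miss.
        queries_by_path = defaultdict(set)
        with_query = 0
        for r in recs:
            if r["query"]:
                with_query += 1
                queries_by_path[r["path"]].add(r["query"])
        distinct = sum(len(q) for q in queries_by_path.values())
        bypass_ratio = distinct / with_query if with_query else 0.0

        issues = []
        if max_in_window >= rate_threshold:
            issues.append(f"flood: {max_in_window} requests in {window_seconds}s")
        if with_query >= 5 and bypass_ratio >= bypass_threshold:
            issues.append(f"cache-bypass: {distinct}/{with_query} distinct query strings")
        if issues:
            findings[ip] = issues
    return findings


def constructed_sample_log():
    """Constructed sample traffic (not real logs): one noisy source and one ordinary client."""
    base = datetime(2023, 6, 8, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Noisy source: 30 requests in under 6 seconds, each with a fresh cache-busting query string.
    for i in range(30):
        ts = (base + timedelta(milliseconds=200 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.10 - - [{ts}] "GET /login?cb={1000 + 7 * i} HTTP/1.1" 200 512')
    # Ordinary client: four requests for a static asset spread over a minute, no query string.
    for i in range(4):
        ts = (base + timedelta(seconds=15 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /static/app.js HTTP/1.1" 200 4096')
    return lines


if __name__ == "__main__":
    for ip, issues in analyze(constructed_sample_log()).items():
        print(ip, "->", "; ".join(issues))
```

On the constructed sample the noisy source is reported for both a flood (30 requests in a 10-second window) and cache bypass (30 distinct query strings across 30 requests), while the ordinary client produces no finding. In production the same two signals are what a WAF rate-limit rule and a cache policy that ignores unknown query parameters act on; the script is only meant to show what those rules are keyed off.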

Microsoft emphasized to customers that there is no evidence that customer data was compromised or accessed during these attacks.

Anonymous Sudan, also known as Storm-1359, was first observed in January. It has launched DDoS attacks and claimed data breaches against organizations and government agencies worldwide. In recent months, the group has demanded ransom payments from large organizations, threatening to continue attacking until the ransom is paid.

Microsoft recommends that customers review their Layer 7 security measures to mitigate future attacks, especially if they use Azure Web Application Firewall. These users should take several precautions, including enabling the bot protection managed rule set to block known malicious bots, filtering traffic by geographic region, blocking IP addresses and ranges identified as malicious, and creating custom WAF rules to block attacks with known signatures.