In the first week of June, Microsoft suffered a major communications outage that affected nearly all of its services, including Azure, Outlook and Teams. The company has now revealed that a cyber attack was behind the global outage.
In a blog post, Microsoft revealed details of the early June attack that caused an outage of its services and took the company nearly 15 hours to mitigate. The company noticed a spike in traffic targeting some of its services and launched an investigation into the DDoS (distributed denial of service) attack.
Microsoft further noted that the threat actors used multiple virtual private servers (VPS), proxies, rented cloud infrastructure, and DDoS tools to execute the attack. While the attack was sophisticated, Microsoft confirmed that no customer data was accessed or compromised.
This latest DDoS campaign targeted layer 7 of the OSI model (the application layer) rather than layers 3 or 4, which had previously been the more common targets. Microsoft has strengthened its Layer 7 protection measures, including adjusting the Azure Web Application Firewall (WAF) to better protect customers from DDoS-like attacks.
Microsoft also shared technical details about the attack. According to the company, threat actor Storm-1359 used a series of botnets and tools to launch an attack on the company’s servers. These tools include HTTP(S) flooding attacks that overload systems and exhaust resources through high-load SSL/TLS handshakes and HTTP(S) requests. In Microsoft’s case, the attackers sent millions of HTTP(S) requests from IP addresses around the globe, overloading the system.
Not only that, but the attackers also used cache-bypass techniques to get around the CDN layer and overload the origin servers with a series of queries. Finally, the attackers also used Slowloris, where the client requests a resource from the server but fails to acknowledge receiving it, forcing the server to keep the connection open and hold the resource in memory.
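As an added example, not code from Microsoft's post or any Microsoft tooling, the script below shows what the three Layer 7 behaviours just described look like from the defender's side when scanning web-server access logs: a per-IP request spike (HTTP(S) flood), the same path fetched repeatedly with ever-changing query strings (cache-busting to force origin hits), and small responses that stay open for a very long time (a client accepting the download slowly). The log format, the sample lines and the thresholds are all constructed for illustration; real servers would need the regex adapted to their own log layout and thresholds tuned to normal traffic.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample lines in a hypothetical extended access-log format:
# client_ip method target status bytes_sent duration_ms
SAMPLE_LOG = """\
198.51.100.7 GET /index.html 200 5120 12
198.51.100.7 GET /index.html?x=8f3a 200 5120 11
198.51.100.7 GET /index.html?x=91bc 200 5120 10
198.51.100.7 GET /index.html?x=0d4e 200 5120 13
198.51.100.7 GET /index.html?x=77aa 200 5120 12
203.0.113.5 GET /index.html 200 5120 9
203.0.113.9 GET /login 200 2048 30000
203.0.113.9 GET /login 200 2048 31000
192.0.2.44 GET /api/items 200 800 15
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<target>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$"
)


@dataclass
class Entry:
    ip: str
    path: str
    query: str
    status: int
    nbytes: int
    ms: int


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    return Entry(m["ip"], path, query, int(m["status"]), int(m["bytes"]), int(m["ms"]))


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flood_suspects(entries, threshold):
    """IPs whose request count in this log window reaches the threshold."""
    counts = Counter(e.ip for e in entries)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def cache_bypass_suspects(entries, min_variants):
    """(ip, path) pairs requested with many distinct query strings.

    A cache keyed on the full URL treats each variant as a miss, so every
    request reaches the origin: the cache-bypass pattern described above."""
    variants = defaultdict(set)
    for e in entries:
        if e.query:
            variants[(e.ip, e.path)].add(e.query)
    return {k: len(v) for k, v in variants.items() if len(v) >= min_variants}


def slow_client_suspects(entries, min_ms, max_bytes):
    """IPs holding small responses open far longer than the payload warrants,
    consistent with a client that accepts the download slowly."""
    return sorted({e.ip for e in entries if e.ms >= min_ms and e.nbytes <= max_bytes})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("flood:", flood_suspects(entries, threshold=5))
    print("cache bypass:", cache_bypass_suspects(entries, min_variants=3))
    print("slow clients:", slow_client_suspects(entries, min_ms=10_000, max_bytes=4096))
```

Each detector is deliberately independent so that it can be fed a sliding time window rather than a whole file; in production the per-IP counter would be keyed on a time bucket, and the cache-bypass check is most useful at the CDN or WAF edge, where a rule can normalise or strip unexpected query parameters before they ever reach the origin.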
Microsoft assesses that Storm-1359 has access to a range of botnets and tools that enable threat actors to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be focused on disruption and propaganda.
Microsoft concluded the post with a series of tips and recommendations for Azure customers to protect themselves from Layer 7 DDoS attacks in the future. However, the company did not disclose details of the damage or any financial impact resulting from the attack.