Microsoft Analyzes Cyberattacks That Disrupted Services
Microsoft Security Response Center (MSRC) has released a detailed analysis of the cyberattacks that crippled online services earlier this month. The response describes a series of Layer 7 distributed denial-of-service (DDoS) attacks launched by a threat actor Microsoft calls Storm-1359.
What Happened?
According to Microsoft, the Layer 7 DDoS attacks disrupted the company’s most popular services, including Azure, Outlook and OneDrive. A “Layer 7” attack is a form of DDoS that targets the application layer of the internet protocol suite. The attack vector uses a large number of requests to overwhelm the application layer and cause service interruptions or outages.
Microsoft has determined that Storm-1359 has access to a large collection of botnets and tools. This would allow the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. Storm-1359 appears to be targeting disruption and publicity, MSRC said.
The DDoS attack first targeted the Outlook.com web portal on June 7. Next, the attackers moved to OneDrive on June 8, followed by the Microsoft Azure Portal on June 9. MSRC says Storm-1359’s attack methods include HTTP(S) flood attacks, cache bypass and Slowloris, each designed to flood a web service’s available connections, preventing it from serving new requests.
Preventing Future Disruptions
Following the attacks, Microsoft launched a detailed investigation and took steps to mitigate or prevent future attacks.
“This recent DDoS activity has targeted layer 7 rather than layer 3 or 4,” explains MSRC. Microsoft says it has “strengthened” layer 7 protections, including tuning Azure Web Application Firewall (WAF) to better protect customers against the impact of similar DDoS attacks. While these tools and techniques are highly effective in mitigating the majority of disruptions, Microsoft consistently assesses the performance of its hardening capabilities and incorporates the lessons learned in refining and improving their effectiveness.
While the attackers disrupted services, they left customer data untouched, Microsoft said. “We have seen no evidence that customer data has been accessed or compromised,” the response read.
Microsoft’s response to the cyberattacks is a testament to the company’s commitment to protecting its customers’ data and ensuring the security of its services. Microsoft has implemented a number of measures to protect against future DDoS attacks, including strengthening layer 7 protections, tuning Azure Web Application Firewall (WAF), and assessing the performance of its hardening capabilities.
These measures have been effective in mitigating the majority of disruptions, and Microsoft is continuously working to refine and improve their effectiveness. Microsoft has also seen no evidence that customer data has been accessed or compromised during the attacks.
Microsoft’s response to the cyberattacks is a reminder that companies must remain vigilant in protecting their data and services. Companies should consider implementing measures such as strengthening layer 7 protections, tuning Azure Web Application Firewall (WAF), and assessing the performance of their hardening capabilities to protect against future DDoS attacks. Additionally, companies should regularly assess their security posture to ensure their data remains secure.
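For defenders reviewing their own layer 7 telemetry, the added example below (not code from Microsoft, MSRC or this article) shows one way to separate the three methods named above, HTTP(S) flood, cache bypass and Slowloris, in per-request log records. The record fields, sample data and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def make_sample():
    """Constructed records for one 60-second window (not real traffic).
    header_secs: time to send complete request headers; None = never finished."""
    recs = []
    for _ in range(120):  # many ordinary-looking requests from one client
        recs.append({"ip": "203.0.113.10", "url": "/index.html",
                     "cache": "HIT", "header_secs": 0.01})
    for i in range(60):   # same object, a different query string every time
        recs.append({"ip": "203.0.113.20", "url": f"/img/logo.png?r={i:06d}",
                     "cache": "MISS", "header_secs": 0.01})
    for _ in range(40):   # connections held open with unfinished headers
        recs.append({"ip": "203.0.113.30", "url": "/",
                     "cache": "-", "header_secs": None})
    for i in range(5):    # baseline browsing, should not be flagged
        recs.append({"ip": "198.51.100.5", "url": f"/page/{i}",
                     "cache": "HIT", "header_secs": 0.02})
    return recs

def classify(records, flood_min=100, bypass_min=50, slow_min=20, slow_secs=10.0):
    """Label each client IP by pattern. Thresholds are assumed values
    to be tuned against a site's own baseline."""
    stats = defaultdict(lambda: {"count": 0, "slow": 0, "miss_queries": defaultdict(set)})
    for r in records:
        s = stats[r["ip"]]
        s["count"] += 1
        if r["header_secs"] is None or r["header_secs"] > slow_secs:
            s["slow"] += 1
        parts = urlsplit(r["url"])
        if r["cache"] == "MISS" and parts.query:
            s["miss_queries"][parts.path].add(parts.query)
    findings = {}
    for ip, s in stats.items():
        labels = []
        if s["slow"] >= slow_min:
            labels.append("slow-headers")  # Slowloris-style connection holding
        if any(len(q) >= bypass_min for q in s["miss_queries"].values()):
            labels.append("cache-bypass")  # unique URLs forcing origin fetches
        if s["count"] >= flood_min:
            labels.append("http-flood")    # raw request volume
        if labels:
            findings[ip] = labels
    return findings

if __name__ == "__main__":
    for ip, labels in sorted(classify(make_sample()).items()):
        print(ip, ", ".join(labels))
```

Because the article notes that traffic came from many cloud services and open proxies, per-IP counts like these are a starting point; the same counters can be keyed on path or header fingerprint when sources are widely distributed.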