Outlook Hit By Outages as Hacktivists Claim DDoS Attacks

Cyber Security Threat Summary:
“Outlook.com is suffering a series of outages today after being down multiple times yesterday, with hacktivists known as Anonymous Sudan claiming to perform DDoS attacks on the service. This outage follows two major outages yesterday, creating widespread disruptions for global Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app. Outlook users have taken to Twitter to complain about the spotty email service, stating that it is affecting their productivity. Microsoft says these outages are caused by a technical issue, posting to Twitter a series of updates switching between saying they mitigated the issues and saying that the problem is happening again. ‘We've identified that the impact has started again, and we're applying further mitigation,’ tweeted Microsoft” (Bleeping Computer, 2023).

Although Microsoft said the outages were due to a technical issue, Anonymous Sudan claims to have been responsible, stating on Telegram that they are performing the DDoS attacks on Microsoft in retaliation for the US getting involved in Sudanese internal affairs.

“We can target any US company we want. Americans, do not blame us, blame your government for thinking about intervening in Sudanese internal affairs. We will continue to target large US companies, government and infrastructure,” posted the group on Telegram.

Security Officer Comments:
Anonymous Sudan says that they are targeting the main URL for the Outlook.com web service, “https[:]outlook[.]live[.]com/mail/0./” Though Microsoft has yet to verify these claims, its web service has suffered from a series of outages in the past couple of days.

“Our telemetry indicates that the service has remained largely stable; however, the incident is not fully resolved. We're broadening our mitigation strategy and will continue to intervene immediately should we detect further reductions in the availability of our services,” noted Microsoft in a post on Twitter.

Suggested Correction(s):
DDoS attacks are difficult to defend against because legitimate and illegitimate packets are hard to tell apart. Typical DDoS attacks exhaust either network bandwidth or application resources.

There are various methods of defending against DDoS attacks.

Sinkholing: In this approach, all traffic is diverted to a “sinkhole” where it is discarded. The problem with this method is that both good and bad traffic is removed, and the business loses actual customers.

Routers and firewalls: Routers can be used to stop attacks by filtering nonessential protocols and invalid IP addresses, but when a botnet uses spoofed IP addresses, address-based filtering becomes worthless. Firewalls have the same difficulty when source IP addresses are spoofed.

Intrusion-detection systems: These solutions can use machine learning to recognize attack patterns and automatically block the offending traffic at a firewall. They are not always fully automated and may require fine-tuning to avoid false positives.

DDoS mitigation appliances: Various vendors make devices designed to sanitize traffic through load balancing and firewall blocking. Organizations have had varying levels of success with such products: some legitimate traffic will be blocked, and some bad traffic will still get through.

Over-provisioning: Some organizations choose to leverage extra bandwidth to handle sudden spikes in traffic during a DDoS attack. This bandwidth is often outsourced to a service provider who can pick up the bandwidth during an attack. As attacks grow larger, this mitigation technique may become more expensive and less viable.
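As an added illustration of the router/firewall filtering and intrusion-detection approaches described above (example code written for this summary, not Microsoft's code or any vendor's product), the following Python script reads web-server access log lines, drops requests whose source address lies in a range that should never reach a public edge, and flags any source whose request rate exceeds a sliding-window threshold. The log lines, the threshold of 5 requests per 10 seconds, and the IP addresses are all constructed for the example.

```python
"""Rate-based flood detection over web access logs.

Added example for this summary (not Microsoft's or any vendor's code). It
illustrates two defenses from the list above: dropping requests from
unroutable ("invalid") source addresses, and an IDS-style sliding-window
request-rate check per source IP. All inputs are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Source ranges that must never arrive at a public-facing edge; a packet from
# one of these is spoofed or misrouted and can be dropped without losing a
# real customer. An explicit list is used instead of ipaddress.is_global,
# which also treats the documentation ranges in the sample below as non-global.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (?:\d+|-)')


def is_martian(ip_text):
    """True if the source address belongs to a range that should be dropped."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable source field: treat as invalid
    return any(ip in net for net in MARTIAN_NETS)


class RateDetector:
    """Flags a source once it exceeds max_requests within window_seconds."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_seconds)
        self._hits = defaultdict(deque)  # ip -> request timestamps in window
        self.flagged = set()

    def observe(self, ip, ts):
        """Record one request; return True if this request is over the limit."""
        hits = self._hits[ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:
            hits.popleft()  # slide the window forward, dropping old requests
        if len(hits) > self.max_requests:
            self.flagged.add(ip)
            return True
        return False


def analyze_log(text, max_requests=5, window_seconds=10):
    """Classify each log line as dropped (martian), over-limit, or accepted."""
    detector = RateDetector(max_requests, window_seconds)
    dropped, over_limit, accepted = Counter(), 0, 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        ip, ts_text = m.group(1), m.group(2)
        if is_martian(ip):
            dropped[ip] += 1
            continue
        ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
        if detector.observe(ip, ts):
            over_limit += 1
        else:
            accepted += 1
    return {
        "dropped_martian": dict(dropped),
        "flagged": sorted(detector.flagged),
        "over_limit": over_limit,
        "accepted": accepted,
    }


# Constructed sample: a spoofed private source, a loopback source, a normal
# client (198.51.100.9) and a flooding client (203.0.113.7).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2023:14:00:00 +0000] "GET /mail/0/ HTTP/1.1" 200 512
198.51.100.9 - - [05/Jun/2023:14:00:00 +0000] "GET /mail/0/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2023:14:00:01 +0000] "GET /mail/0/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2023:14:00:01 +0000] "GET /mail/0/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2023:14:00:02 +0000] "GET /mail/0/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2023:14:00:02 +0000] "GET /mail/0/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2023:14:00:03 +0000] "GET /mail/0/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2023:14:00:03 +0000] "GET /mail/0/ HTTP/1.1" 200 512
127.0.0.1 - - [05/Jun/2023:14:00:04 +0000] "GET /mail/0/ HTTP/1.1" 200 512
198.51.100.9 - - [05/Jun/2023:14:00:15 +0000] "GET /mail/0/ HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2023:14:00:20 +0000] "GET /mail/0/ HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    print(analyze_log(SAMPLE_LOG))
```

On the sample, the two private/loopback sources are dropped, 203.0.113.7 is flagged on its sixth request within the window, and the normal client is untouched. The script also shows the limitation noted above: a botnet that spreads the same volume across many spoofed or distinct source addresses keeps every single source under the threshold, which is why per-source rate checks are combined with upstream scrubbing and capacity rather than relied on alone.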

More information on DDoS Attacks by CISA: https://us-cert.cisa.gov/ncas/tips/ST04-015

Link(s):
https://www.bleepingcomputer.com/