Our previous article about: Types of Cyber Attacks: DDoS Attacks. We are highlighting it again due to the recent Microsoft outages in June which may have affected some of our customers.
Microsoft has recently confirmed that a number of outages to its services in June were due to DDos attacks. Early in June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability.
The outages were with Microsoft Outlook, Azure and OneDrive.
Microsoft assessed that Anonymous Sudan has access to a collection of botnets and tools that could enable the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. The DDoS attacks on Microsoft targeted Layer 7, which is when the threat actors target the application level by overwhelming services with a massive volume of requests, causing the services to hang as they cannot process them all. This was done using several different DDoS attack methods including: HTTP (S) flood attacks, Cache bypass, and Slowloris (if interested you can read what each of these methods are in Microsoft’s blog post here)
The threat actor Anonymous Sudan was first launched in January 2023, warning that they would conduct attacks against any country that opposes Sudan (though some believe this is a false flag and the group may be linked to Russia). Since then, the group has targeted organisations and governments worldwide, either through DDoS attacks or leaking stolen data. Companies targeted have included Scandinavian Airlines, Tinder, Lyft and various US hospitals. The group demanded USD $1m from Microsoft to stop its attack.
The next area of concern is the European banking system. The cybercriminal group, along with several other Pro-Russia threat actors warned they will be jointly targeting SEPA, IBAN, WIRE, SWIFT and WISE banking transfer systems, though there is no evidence of attacks so far.Source of information: Tech Market View
Understanding and Responding to DDoS Attacks:
The Cybersecurity and Infrastructure Security Agency has help and advice about understanding and responding to a Distributed Denial-of-Service Attack. They advise the following steps before an attack (to prevent it):- Understand your critical assets and services.
- Understand how your users connect to your network.
- Enrol in a DDoS protection service.
- Understand service provider defences.
- Understand your dedicated edge network defences.
- Review system/network and eliminate single points of failure.
- Develop an organisation DDoS response plan.
- Develop and organisation DDoS business continuity plan.
- Consider how a DDoS attack will impact physical backups for your network.
- Conduct a test DDoS response plan.
Confirming a DDoS Attack:
It can be difficult to confirm a DDoS attack over high internet traffic. Things to look out for include:- Unusually slow network performance in opening files or accessing websites.
- Sluggish application performance.
- High processor and memory utilisation.
- Abnormally high network traffic.
- Unavailability or inaccessibility of websites.
Further help and guidance: NCSC Denial of Service (DoS) Guidance
What to do in the event of a cyber attack?
Tell someone! Report to IT. Report to SLT.
Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.
If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.
Isolate the infected device and pass to IT
Always ensure there are backups you can restore from.