Cybercrime group Anonymous Sudan is selling data allegedly belonging to Microsoft, but the Redmond software giant is categorical, saying there had been no breach in its system.
Earlier this week, the threat actor that’s been engaged in multiple attacks against Microsoft announced “successfully hacking Microsoft” and stealing a “large database” with more than 30 million Microsoft accounts, emails, and passwords.
This database is now offered for sale, with the going price being $50,000. The group is saying it can be contacted via the Telegram bot, where the transaction can be completed.
To prove the authenticity of its claims, the group shared a data sample, and added a disclaimer that Microsoft would probably deny losing the data. The data sample, according to BleepingComputer, includes 100 credential pairs. However, the origin of the credentials cannot be verified. They could be from a different data breach, they could be old, or taken from a third-party, rather than Microsoft itself.
It seems that Anonymous Sudan got at least one thing right, as Microsoft categorically denied having been breached. In a statement given to the media, a spokesperson for the company said the data was probably aggregated from different other sources:
“At this time, our analysis of the data shows that this is not a legitimate claim and an aggregation of data,” BleepingComputer was told. “We have seen no evidence that our customer data has been accessed or compromised,” the spokesperson added.
For now, this is all Microsoft has had to say on the matter, so we don’t know if it’s investigating any further, or how it might react if Anonymous Sudan actually releases anything more concrete.
Analysis: Why does it matter?
The database sale comes after Anonymous Sudan ran a few successful attacks against Microsoft. Roughly a month ago, it was reported that the group targeted Outlook, SharePoint Online, and OneDrive for Business with Distributed Denial of Service (DDoS) attacks, and even managed to render the service unavailable to some users for a short while.
Soon after, Microsoft also reported that OneDrive was inaccessible for some, again as a result of a DDoS attack. Anonymous Sudan was quick to take responsibility for the attack, calling the Redmond giant “liars”.
"Microsoft, you think we forgot you? We are motivated to teach you liars a very good lesson in honesty that none of your parents ever taught you," Anonymous Sudan allegedly said on Telegram. "Onedrive has been downed. Let's see your new excuse now."
A few days later, the attacks continued, with the group focusing on Azure and other services. Users looking to access Azure cloud services were met with a, “We’re working to restore all services as soon as possible” message. Besides the Azure Portal, several other Microsoft services were also affected, including the Entra Admin center and Intune.
Microsoft’s subsequent analysis of the events showed the group, which Redmond also tracks as Storm-1359, launched several types of layer 7 DDoS attacks, including an HTTP(S) flood attack which sees a high load of SSL/TLS handshakes and HTTP(S) requests cause the backend's CPU and memory to become depleted. In this instance, it is believed that millions of requests were made simultaneously.
The group also used cache bypass tactics which force the frontend layer to direct requests to the origin rather than retrieving cached contents, and slowloris, which forces a web server to keep the connection open by failing to acknowledge a download.
“These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools,” said Microsoft in the announcement.
Ultimately, while services were disrupted over the course of a series of days in early June, Microsoft says that it has “seen no evidence that customer data has been accessed or compromised.”
Anonymous Sudan describe themselves as “hacktivists”, even though they seem to be a pro-Russia group. With the group already targeting government entities in France, Denmark, and Sweden, the Sudanese gang indeed seems to be politically motivated.
What have others said about the attacks?
While some criticized large corporations for not being able to properly secure their systems, others pointed out how the asking price of the database is suspiciously low:
“$50K seems such a small amount for such valuable info,” a reader commented on the BleepingComputer article. “Sounds like trying to steal a quick buck.”
On Reddit, users are claiming the group might be Sudanese, but that it’s based in United Arab Emirates. “Hacker groups like this are mildly (sic throughout) to moderately annoying but cant/ dont want to cause permanent losses or anything.”
An article on Fortune argues that the group is not just pro-Russia, but is, in fact, Russian. “Anonymous Sudan is a Russian information operation that aims to use its Islamic credentials to be an advocate for closer cooperation between Russia and the Islamic world – always claiming that Russia is the Muslims’ friend,” Mattias Wåhlén, a threat intelligence expert with Stockholm-based Truesec, told the publication. “This makes them a useful proxy.”
Go deeper
If you want to learn more, start by learning more about Distributed Denial of Service attacks, and what the best ways to protect against DDoS are. Also, make sure to check out our guide for the best firewalls around, as well as the best endpoint protection tools.
- Check out the best ID theft protection around
Via: BleepingComputer