This article is more than 1 year old

'Anomalous surge in DNS queries' knocked Microsoft's cloud off the web last week

Plus: Top universities hit by data-stealing extortionists

in Brief It was a tsunami of DNS queries that ultimately took out a host of Microsoft services, from Xbox Live to Teams, for some netizens about an hour on April Fools' Day, Redmond has said.

Or as the Windows giant put it, the outage was the result of "an anomalous surge in DNS queries from across the globe targeting a set of domains hosted on Azure." In a postmortem examination of the downtime, Microsoft said the flood of requests triggered a programming flaw in its infrastructure that hampered its ability to cope with the demand:

Normally, Azure’s layers of caches and traffic shaping would mitigate this surge. In this incident, one specific sequence of events exposed a code defect in our DNS service that reduced the efficiency of our DNS Edge caches. As our DNS service became overloaded, DNS clients began frequent retries of their requests which added workload to the DNS service. Since client retries are considered legitimate DNS traffic, this traffic was not dropped by our volumetric spike mitigation systems. This increase in traffic led to decreased availability of our DNS service.

Microsoft says it has now fixed the bug "so that all requests can be efficiently handled in cache," and improved "the automatic detection and mitigation of anomalous traffic patterns."

North Koreans go after infosec bods again

In January, Google warned that suspected North Korean government cyber-spies were preying on security researchers. On Wednesday last week, it said the dastardly team was trying a new tactic.

The web giant's Threat Analysis Group said it had detected in March a bogus security company SecuriElite reaching out to legit professionals via social media, such as LinkedIn and Twitter.

"Like previous websites we’ve seen set up by this actor, this website has a link to their PGP public key at the bottom of the page," the Google analysts said. "In January, targeted researchers reported that the PGP key hosted on the attacker’s blog acted as the lure to visit the site where a browser exploit was waiting to be triggered."

Going after security investigators is a high-risk/high-reward endeavor. On the one hand, they are more likely to be careful about possible dangers, but you only have to make one mistake and then there's a host of vulnerability and exploit research material and contacts to be harvested from your compromised victim. With Google's latest warning, it's time to set shields to maximum if not already.

Microsoft sets new baseline for 365 enterprise apps

Admins with a Windows-heavy focus might want to check out the latest Redmond missive on planned security changes for Microsoft 365 apps in the forthcoming version 2103.

While these are draft proposals at the moment, they are going to cause some disruption. Dynamic Data Exchange for Excel is out across the board, JScript execution for Office is going to come under tighter lockdown to avoid the execution of arbitrary code, and there's more action against macros.

Defender's also toughening its stance on dodgy-looking documents, which has led to some false positive problems in the past. So check out the specs, and make views known – maybe Microsoft will listen.

DeepDotWeb admin pleads guilty

An IT admin who ran operations for DeepDotWeb – a portal that pointed netizens at dark web marketplaces selling malware, guns, and drugs – pleaded guilty to money laundering charges this month.

Tal Prihar, 37, an Israeli citizen living in Brazil, set up the DeepDotWeb portal in October 2013 with co-defendant Michael Phan, 34, of Israel, and while they didn't deal in illegal goods personally, they linked to those who did, and received $8.4m in kickbacks to promote certain dodgy sites, prosecutors said. The portal was taken down in May 2019 after a combined operation by Europol, and Israeli and US law enforcement.

"For six years, DeepDotWeb was a gateway to facilitate the illegal purchase of items to include dangerous drugs, weapons, and malicious software,” said Acting Special Agent in Charge Carlton Peeples of the FBI’s Pittsburgh Field Office. “Prihar profited as a byproduct from other people’s dangerous transactions and today’s guilty plea sends a message to other cyber actors across the globe who think the dark web is a safe haven."

Prihar has agreed to forfeit $8,414,173 in funds, and will be sentenced in August. Phan's case is pending.

Accellion hack just keeps on going: top-flight universities ransacked

Some of America's most technologically advanced halls of learning have been hit by extortionists who cruise the internet exploiting vulnerable deployments of the Accellion file-transfer software to steal organizations' internal secrets and other data. The Clop crooks, which have hit governments and big biz, then demand payment to keep a lid on the purloined records.

Stanford, the University of California, including UC Berkeley, and others have had personal information stolen. Gigabytes of stolen data has been uploaded to the dark web to encourage the colleges to pay a ransom to prevent all of the data from being dumped online. Students are also being harassed by the extortionists via email.

"We believe the person(s) behind this attack are sending threatening mass emails to members of the UC community in an attempt to scare people into giving them money. The message states: 'Your personal data has been stolen and will be published,'" said UC Davis.

The universities are advising the usual measures: password changes, multifactor authentication, and credit checks.

Fortinet software stalked by snoops

The FBI and America's Cybersecurity and Infrastructure Security Agency (CISA) rounded off last week with a warning [PDF] on Friday that installations of Fortinet's FortiOS SSL VPN portal were being actively probed for unpatched security flaws by top-tier miscreants, known in industry jargon as an advanced persistent threat (APT). The snoops seem to be hoping to exploit bugs assigned CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591, we're told. Patches have been available for these holes for a long while, and should be installed by now.

"It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks," the agencies said.

"The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks."

US Homeland Security warned about the exploitation of the key Fortinet flaw, CVE 2018-13379, in December. We're told the attackers are chaining that flaw with an LDAP impersonation vulnerability (CVE-2019-5591) and an authentication bypass (CVE-2020-12812) to infiltrate networks. ®

More about


Send us news

Other stories you might like