Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Azure Attack. Show all posts

Thai Gambling SEO Poisoning Campaign Compromises 163 Organizations Through Abandoned DNS Records

 

Surprisingly, a major SEO poisoning effort tied to Thai gambling networks has breached 163 groups in over thirty nations - leveraging outdated cloud DNS setups. Forgotten domain name system delegations were seized by hackers, according to findings from Cyble's research team. These compromised entries then hosted gambling sites in Thai, piggybacking on legitimate corporate web addresses. Government bodies faced risks alongside hospitals, banks, schools, and essential service providers. The attack spanned industries once thought too secure for such oversights. 

Abandoned Azure DNS zone delegations form the main focus of this attack method. Companies shutting down cloud initiatives often leave DNS entries intact by mistake. These lingering records catch the attention of hackers looking for weaknesses. Under their own accounts, attackers rebuild the forgotten zones once tied to those domains. Control shifts to them without immediate detection. What follows is silent redirection through seemingly valid subdomains. Users encounter harmful material believing it trustworthy. 

Search systems treat the pages as genuine due to unchanged domain signals. Browsers show no warnings because technical checks pass unnoticed. Oversight at decommissioning enables this entire chain. One way hackers operated involved deploying a gambling toolkit based on Next.js, protected by real Let’s Encrypt wildcard certificates. Security systems often overlook such threats since the pages appear under trusted corporate domains carrying proper encryption credentials. When analysts reviewed the situation, they discovered most targets - 161 out of 163 - were still infiltrated. 

What made detection hard was not just the tech used, but how convincingly it mimicked authorized web traffic. Unusual DNS patterns in a Verizon subdomain initially drew attention to the campaign. Over 1,000 subdomains were found serving Thai gambling content - each packed with referral links meant to earn signup-based payouts. Identical code markers tied these sites together: matching Next.js build IDs, favicons, and redirect paths showed up repeatedly. Investigations then revealed similar setups spread across 162 separate entities. Where one breach ended, another began; nearly all of them echoed the same digital fingerprints. Four main tactics powered the attacks, analysis showed. 

Most frequent: hijacking Azure DNS zones - over 150 groups impacted. Some breaches emerged from unused DigitalOcean domains; two companies fell victim this way. Misconfigured wildcards redirected data flow in separate cases, benefiting hostile servers. On its own track, Verizon's setup hosted a surge of deceptive A-records, exceeding one thousand entries. Certificate transparency logs show certain unused domains stayed dormant for long periods prior to being hijacked. One example involves a drug maker's subdomain, which saw zero valid certificate issuance past 2019 - then suddenly received a fresh certificate issued by adversaries in April 2026. 

Among the sites involved were ibiza99.autos, big888.store, seven77.click, and link99.nova555.rest, each tied to affiliate systems bringing in income. Hidden behind them sat a network of 103 machines based in Hong Kong, discovered by analysts who noticed uniform admin software, matching security credentials, along with mirrored setup patterns across every server. Not one alert was raised before the breach exposed weak spots in basic domain setups. 

A closer look shows outdated links lingering long after they should have been dropped. These loose ends give attackers room to move without detection. Monitoring public logs might catch early signs of misuse, though many teams skip this step. Old ties to cloud services often stay active, quietly inviting abuse. When ignored, such gaps let criminals twist legitimate sites toward shady goals. Routine checks could block these paths, yet few organizations follow through consistently.

Aisuru Botnet Launches 15.72 Tbps DDoS Attack on Microsoft Azure Network

 

Microsoft has reported that its Azure platform recently experienced one of the largest distributed denial-of-service attacks recorded to date, attributed to the fast-growing Aisuru botnet. According to the company, the attack reached a staggering peak of 15.72 terabits per second and originated from more than 500,000 distinct IP addresses across multiple regions. The traffic surge consisted primarily of high-volume UDP floods and was directed toward a single public-facing Azure IP address located in Australia. At its height, the attack generated nearly 3.64 billion packets per second. 

Microsoft said the activity was linked to Aisuru, a botnet categorized in the same threat class as the well-known Turbo Mirai malware family. Like Mirai, Aisuru spreads by compromising vulnerable Internet of Things (IoT) hardware, including home routers and cameras, particularly those operating on residential internet service providers in the United States and additional countries. Azure Security senior product marketing manager Sean Whalen noted that the attack displayed limited source spoofing and used randomized ports, which ultimately made network tracing and provider-level mitigation more manageable. 

The same botnet has been connected to other record-setting cyber incidents in recent months. Cloudflare previously associated Aisuru with an attack that measured 22.2 Tbps and generated over 10.6 billion packets per second in September 2025, one of the highest traffic bursts observed in a short-duration DDoS event. Despite lasting only 40 seconds, that incident was comparable in bandwidth consumption to more than one million simultaneous 4K video streams. 

Within the same timeframe, researchers from Qi’anxin’s XLab division attributed another 11.5 Tbps attack to Aisuru and estimated the botnet was using around 300,000 infected devices. XLab’s reporting indicates rapid expansion earlier in 2025 after attackers compromised a TotoLink router firmware distribution server, resulting in the infection of approximately 100,000 additional devices. 

Industry reporting also suggests the botnet has targeted vulnerabilities in consumer equipment produced by major vendors, including D-Link, Linksys, Realtek-based systems, Zyxel hardware, and network equipment distributed through T-Mobile. 

The botnet’s growing presence has begun influencing unrelated systems such as DNS ranking services. Cybersecurity journalist Brian Krebs reported that Cloudflare removed several Aisuru-controlled domains from public ranking dashboards after they began appearing higher than widely used legitimate platforms. Cloudflare leadership confirmed that intentional traffic manipulation distorted ranking visibility, prompting new internal policies to suppress suspected malicious domain patterns. 

Cloudflare disclosed earlier this year that DDoS attacks across its network surged dramatically. The company recorded a 198% quarter-to-quarter rise and a 358% year-over-year increase, with more than 21.3 million attempted attacks against customers during 2024 and an additional 6.6 million incidents directed specifically at its own services during an extended multi-vector campaign.

Microsoft’s Security Practices Under Fire: Is the Azure Platform Safe

Microsoft Azure

Allegations against Microsoft’s security practices

Microsoft has recently come under fire for its security practices, with critics claiming that the Azure platform is “worse than you think.” According to an article on TechSpot, Tenable CEO Amit Yoran has criticized Microsoft for its lax security practices and lack of transparency regarding breaches. He asserts that the Azure platform harbors serious vulnerabilities, about which Microsoft has deliberately kept its customers in the dark.

This is not the first time Microsoft has faced criticism for its security practices. In the past, the company has been accused of failing to protect user data adequately and of not being transparent about data breaches. In this case, Yoran claims that Microsoft needs to be more forthcoming about the extent of the vulnerabilities present in the Azure platform.

Implications for customers

The implications of these allegations are profound. If true, it would mean that Microsoft has knowingly put its customers at risk by failing to disclose vulnerabilities in its platform. This could expose sensitive data to hackers and other malicious actors, putting individuals and organizations at risk.

It is important to note that these allegations have not been proven and that Microsoft has not yet responded. However, if authentic, it would represent a significant breach of trust between Microsoft and its customers. Companies rely on cloud platforms like Azure to store and manage their data, and they expect these platforms to be secure and transparent about any potential risks.

Evaluating cloud security

In light of these allegations, it is essential for companies to evaluate their use of cloud platforms carefully and to ensure that they are taking appropriate measures to protect their data. This may include using additional security measures such as encryption and multi-factor authentication and regularly reviewing their cloud provider’s security practices.

The recent allegations against Microsoft regarding its security practices and the Azure platform are concerning. If true, they represent a significant breach of trust between Microsoft and its customers. It is essential for companies to evaluate their use of cloud platforms carefully and to take appropriate measures to protect their data.