Microsoft has revealed that a threat actor, tracked as Storm-1977, has been conducting password spraying attacks against cloud tenants in the education sector for over a year.
According to Microsoft’s Threat Intelligence team, these attacks involve the use of AzureChecker.exe, a command-line tool commonly used by various threat actors. The tool connects to an external server, sac-auth.nodefunction[.]vip, to retrieve AES-encrypted data, which contains a list of targets for the password spraying campaign.
The tool accepts input from a file, accounts.txt, which contains the username and password combinations used to carry out the attack. Once the spray is launched, the tool submits those credentials to the target tenants for validation.
In one instance, Microsoft observed a successful compromise in which the attacker used a guest account to create a resource group within the compromised subscription. They then proceeded to create over 200 containers within the group, likely with the goal of illicit cryptocurrency mining.
Microsoft emphasized the risk posed to containerized assets like Kubernetes clusters, container registries, and images. Attackers may exploit compromised credentials to hijack clusters, use vulnerable container images to perform malicious actions, or exploit misconfigured management interfaces to access and deploy malicious containers.
To prevent such attacks, Microsoft recommends securing container deployments and runtime environments, monitoring unusual Kubernetes API activity, and ensuring that only trusted container registries are used. Organizations should also verify that the images deployed in containers are free from known vulnerabilities.
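As an added illustration of the monitoring Microsoft recommends (this is example detection logic, not code from Microsoft or the article), the following Python flags the pattern described above: a guest account that creates a resource group and then a burst of container deployments in the same subscription. It assumes simplified Azure Activity Log records with `time`, `caller`, `operation` and `status` fields, Azure Container Instances as the container service, and the Entra ID `#EXT#` marker in guest UPNs; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Azure resource-provider operation names as they appear in the Activity Log.
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
CONTAINER_WRITE = "Microsoft.ContainerInstance/containerGroups/write"

def is_guest(caller: str) -> bool:
    # Entra ID B2B guest UPNs carry "#EXT#"; assumes `caller` holds the UPN.
    return "#EXT#" in caller.upper()

def detect_guest_container_burst(records, min_containers=20, window=timedelta(minutes=30)):
    """Alert on guest callers that create a resource group and then at least
    `min_containers` container groups within `window` of that creation."""
    by_caller = defaultdict(list)
    for r in records:
        if r["status"] != "Succeeded":
            continue
        ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        by_caller[r["caller"]].append((ts, r["operation"]))
    alerts = []
    for caller, events in by_caller.items():
        if not is_guest(caller):
            continue
        events.sort()
        for t0, op in events:
            if op != RG_WRITE:
                continue
            n = sum(1 for t, o in events if o == CONTAINER_WRITE and t0 <= t <= t0 + window)
            if n >= min_containers:
                alerts.append({"caller": caller, "resource_group_created": t0.isoformat(),
                               "containers_created": n})
    return alerts

def build_sample():
    # Constructed sample: a guest creates a resource group, then 25 container groups in
    # about nine minutes; a member account creates a single container group (benign).
    base = datetime(2025, 1, 10, 8, 0, tzinfo=timezone.utc)
    guest = "vendor_example.com#EXT#@contoso.onmicrosoft.com"
    recs = [{"time": base.isoformat(), "caller": guest, "operation": RG_WRITE, "status": "Succeeded"}]
    for i in range(25):
        recs.append({"time": (base + timedelta(seconds=30 + 20 * i)).isoformat(), "caller": guest,
                     "operation": CONTAINER_WRITE, "status": "Succeeded"})
    recs.append({"time": base.isoformat(), "caller": "admin@contoso.onmicrosoft.com",
                 "operation": CONTAINER_WRITE, "status": "Succeeded"})
    return recs

if __name__ == "__main__":
    for alert in detect_guest_container_burst(build_sample()):
        print(alert)
```

In production, feed it an Activity Log export or a Log Analytics query result and tune `min_containers` and `window` to the tenant's normal deployment rate.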