Microsoft has disclosed that an entity known as Storm-1977 has been executing password spraying attacks on cloud tenants in the education sector over the past year.
“The attack involves the utilization of AzureChecker.exe, a Command Line Interface (CLI) tool employed by multiple threat actors,” stated the Microsoft Threat Intelligence team in an analysis.
The company observed the binary connecting to an external server named “sac-auth.nodefunction[.]vip” to obtain AES-encrypted data containing a list of password spray targets.
The tool also requires a text file named “accounts.txt” with username and password combinations for the password spray attack.
“The threat actor then utilized information from both files to submit credentials to the target tenants for validation,” Microsoft explained.
In a successful account compromise incident witnessed by Redmond, the threat actor exploited a guest account to establish a resource group within the compromised subscription.
The attackers proceeded to create over 200 containers within the resource group with the aim of engaging in illicit cryptocurrency mining.
Microsoft emphasized that containerized assets like Kubernetes clusters, container registries, and images are susceptible to various types of attacks, including –
- Exploiting compromised cloud credentials for cluster takeover
- Utilizing container images with vulnerabilities and misconfigurations for malicious activities
- Exploiting misconfigured management interfaces to access the Kubernetes API and deploy malicious containers or take control of the entire cluster
- Targeting nodes running on vulnerable code or software
To counter such malicious actions, organizations are urged to secure container deployment and runtime, monitor for unusual Kubernetes API requests, establish policies that prevent the deployment of containers from untrusted registries, and ensure that only vulnerability-free images are deployed in containers.
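The spray pattern described above (many accounts, few attempts each, one source submitting credentials for validation) is visible in tenant sign-in telemetry. The following detector is an added example, not code from Microsoft or from the report; it runs over constructed sign-in records in a simplified schema that assumes Entra-style result codes ("0" for success, "50126" for a bad username or password) and flags sources that fail against many distinct accounts inside a sliding window, then lists any accounts the same source did log into.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Fields are a
# simplified version of Entra ID sign-in log columns; status "0" means
# success and "50126" is the Entra error for a bad username/password.
SIGNIN_LOG = [
    {"ts": "2025-04-01T10:00:01Z", "user": "alice@example.edu", "ip": "203.0.113.5", "status": "50126"},
    {"ts": "2025-04-01T10:00:12Z", "user": "bob@example.edu", "ip": "203.0.113.5", "status": "50126"},
    {"ts": "2025-04-01T10:00:25Z", "user": "carol@example.edu", "ip": "203.0.113.5", "status": "50126"},
    {"ts": "2025-04-01T10:00:40Z", "user": "dave@example.edu", "ip": "203.0.113.5", "status": "50126"},
    {"ts": "2025-04-01T10:01:03Z", "user": "erin@example.edu", "ip": "203.0.113.5", "status": "50126"},
    {"ts": "2025-04-01T10:01:19Z", "user": "guest_frank@example.edu", "ip": "203.0.113.5", "status": "0"},
    # One user mistyping a password a few times is not a spray.
    {"ts": "2025-04-01T10:02:00Z", "user": "bob@example.edu", "ip": "198.51.100.7", "status": "50126"},
    {"ts": "2025-04-01T10:02:30Z", "user": "bob@example.edu", "ip": "198.51.100.7", "status": "50126"},
    {"ts": "2025-04-01T10:03:00Z", "user": "bob@example.edu", "ip": "198.51.100.7", "status": "0"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(records, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed sign-ins touch >= min_users distinct
    accounts within any sliding window. Keying on the source and counting
    distinct users is what separates a spray from one user's typos.
    Returns {ip: {"targeted": [...], "succeeded": [...]}}."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((_ts(r["ts"]), r["user"], r["status"] == "0"))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(t, u) for t, u, ok in events if not ok]
        lo = 0
        for hi in range(len(failures)):
            while failures[hi][0] - failures[lo][0] > window:
                lo += 1
            if len({u for _, u in failures[lo:hi + 1]}) >= min_users:
                findings[ip] = {
                    "targeted": sorted({u for _, u in failures}),
                    # Successes from a spraying source are the accounts to reset.
                    "succeeded": sorted({u for _, u, ok in events if ok}),
                }
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(SIGNIN_LOG).items():
        print(ip, "sprayed", len(f["targeted"]), "accounts; succeeded on", f["succeeded"])
```

In a real tenant the same logic applies to exported sign-in logs, with the window and threshold tuned to the tenant's normal failure rate; a success from a flagged source, as with the guest account in the report, is the signal to reset and investigate.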