
Apr 27, 2025 | Ravie Lakshmanan | Kubernetes / Cloud Security

According to Microsoft, the threat actor known as Storm-1977 has been carrying out password spraying attacks against cloud tenants in the education sector for the past year.

The Microsoft Threat Intelligence team has analyzed the attack, which involves a command-line interface (CLI) tool called AzureChecker.exe that is used by a range of threat actors.

It was observed that the binary connects to an external server named “sac-auth.nodefunction[.]vip” to retrieve AES-encrypted data containing a list of password spray targets.

The tool also accepts a text file called “accounts.txt” as input, which includes username and password combinations used for the password spray attack.

The threat actor uses the information from both inputs to post credentials to the target tenants for validation, as stated by Microsoft.

In a successful instance of account compromise, the threat actor exploited a guest account to create a resource group within the compromised subscription.

The attackers then created over 200 containers within the resource group, aiming to conduct illicit cryptocurrency mining.

Microsoft noted that containerized assets like Kubernetes clusters, container registries, and images are susceptible to various attacks, including:

  • Using compromised cloud credentials to facilitate cluster takeover
  • Exploiting container images with vulnerabilities and misconfigurations for malicious actions
  • Taking advantage of misconfigured management interfaces to access the Kubernetes API and deploy malicious containers or hijack the entire cluster
  • Targeting nodes running vulnerable code or software

To prevent such malicious activities, organizations are advised to secure container deployment and runtime, monitor unusual Kubernetes API requests, configure policies to prevent containers from being deployed from untrusted registries, and ensure that the images being deployed in containers are free from vulnerabilities.
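As an added example (not from the article or from Microsoft's guidance), one way to enforce the untrusted-registry control above on Kubernetes 1.30 or later is a native ValidatingAdmissionPolicy; the registry names and the kube-system exemption are placeholders to adapt to your environment:

```yaml
# Added example: reject pods whose images are not pulled from an allow-listed
# registry. Uses the GA ValidatingAdmissionPolicy API (Kubernetes 1.30+).
# "registry.example.com" is a placeholder, not a registry named in the article.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: trusted-registries-only
spec:
  failurePolicy: Fail          # if the policy cannot be evaluated, deny rather than allow
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Prefixes end with "/" so that "registry.example.com.attacker.tld/x" does not
    # match, and an image with no registry part (implicitly docker.io) is rejected.
    - name: trusted
      expression: "['registry.example.com/', 'mcr.microsoft.com/']"
  validations:
    - expression: "object.spec.containers.all(c, variables.trusted.exists(r, c.image.startsWith(r)))"
      message: "container image must come from a trusted registry"
    # initContainers is optional, so guard with has() before iterating
    - expression: "!has(object.spec.initContainers) || object.spec.initContainers.all(c, variables.trusted.exists(r, c.image.startsWith(r)))"
      message: "init container image must come from a trusted registry"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: trusted-registries-only
spec:
  policyName: trusted-registries-only
  validationActions: ["Deny"]   # use ["Audit"] first to observe what would be blocked
  matchResources:
    namespaceSelector:
      matchExpressions:
        # placeholder exemption for system workloads; remove once their images are mirrored
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
```

Ephemeral containers (for example from `kubectl debug`) are added through the pods/ephemeralcontainers subresource and need a matching rule of their own, and deployments that already exist are only re-checked when their pods are recreated.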

