Storm-1977 Targets Education Sector with Password Spraying, Microsoft Warns

Microsoft has issued a warning about the growing threat of Storm-1977, a malicious actor that has been targeting cloud tenants in the education sector through password spraying attacks. Over the past year, Microsoft Threat Intelligence researchers have been monitoring the activities of this threat actor, who uses AzureChecker.exe to launch these sophisticated attacks.

AzureChecker.exe is a Command Line Interface (CLI) tool that allows the threat actor to connect to sac-auth[.]nodefunction[.]vip to download AES-encrypted data. This encrypted data reveals password spray targets, which are then used by the threat actor to validate credentials against target tenants. Additionally, AzureChecker.exe accepts an accounts.txt file containing username and password pairs, using both datasets to launch targeted attacks.

One successful account breach was observed where a threat actor used a guest account to create a resource group and over 200 containers for cryptomining. This highlights the severity of the threats posed by Storm-1977 and emphasizes the need for organizations to take immediate action to protect their cloud assets.
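The pattern described above, a single tool cycling through many accounts with few attempts each and occasionally landing on a guest account, is what a defender looks for in sign-in telemetry. As an added illustration that is not part of Microsoft's report, here is a small detector over constructed sign-in events; the event fields, the 10-minute window and the 5-user threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (timestamp, source_ip, user_principal_name, success)
SAMPLE_EVENTS = [
    ("2025-04-20T10:00:01Z", "203.0.113.7", "alice@uni.example", False),
    ("2025-04-20T10:00:03Z", "203.0.113.7", "bob@uni.example", False),
    ("2025-04-20T10:00:05Z", "203.0.113.7", "carol@uni.example", False),
    ("2025-04-20T10:00:08Z", "203.0.113.7", "dave@uni.example", False),
    ("2025-04-20T10:00:10Z", "203.0.113.7", "erin@uni.example", False),
    ("2025-04-20T10:00:12Z", "203.0.113.7", "guest_frank@uni.example", True),
    # A legitimate user mistyping their own password is not a spray.
    ("2025-04-20T10:05:00Z", "198.51.100.4", "alice@uni.example", False),
    ("2025-04-20T10:05:20Z", "198.51.100.4", "alice@uni.example", False),
    ("2025-04-20T10:05:40Z", "198.51.100.4", "alice@uni.example", True),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: summary} for every source that touched at least
    `min_users` distinct accounts inside one sliding `window`.

    A spray is many users with few attempts each; brute force is many
    attempts against one user, so counting distinct users per source
    separates the two. Any success inside the window is surfaced so the
    account (often a guest) can be reviewed and contained."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((parse_ts(ts), user, ok))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for _, _, ok in in_window if not ok),
                    "successes": sorted(u for _, u, ok in in_window if ok),
                }
                break  # one alert per source is enough
    return alerts
```

Run against the sample, only the spraying source 203.0.113.7 is flagged, with the guest account listed under successes; the mistyping user at 198.51.100.4 is not.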

The Risks Facing Containerized Assets

Microsoft points out that containerized assets like Kubernetes clusters, workloads, and registries face numerous risks. To secure these assets, organizations must prioritize protection of containers, code, dependencies, CI/CD pipelines, and runtime environments. Key threats include:

  • Compromised accounts from leaked credentials;
  • Vulnerable or misconfigured images;
  • Environment misconfigurations exposing APIs;
  • App-level attacks like SQL injection and XSS;
  • Node-level attacks and pod escapes;
  • Unauthorized traffic due to insecure networking.

By understanding these risks and taking proactive measures, organizations can reduce the likelihood of a successful attack by Storm-1977. It is essential for cloud tenants in the education sector to stay vigilant and ensure that their security posture is robust against this emerging threat.

Stay Informed

If you want to stay up-to-date on the latest cybersecurity threats and trends, follow me on Twitter: @securityaffairs and Facebook and Mastodon for exclusive updates and insights.