Full Report
Over the past year Microsoft observed Storm-1977 launching password spray attacks against cloud tenants in the education sector. The actor used AzureChecker.exe, a CLI tool that is used by a wide range of actors.
Analysis Summary
# Threat Actor: Storm-1977
## Attribution & Identity
* **Identification:** Storm-1977 (Microsoft's tracking name; the "Storm-" prefix marks an activity cluster that has not yet been attributed to a named group).
* **Tooling note:** The report refers to `AzureChecker.exe`, a CLI password-spray tool used by a wide range of actors. The tool name is not an alias of the actor; its broad availability suggests Storm-1977 is opportunistic and relies on shared, commodity tooling rather than bespoke malware.
## Activity Summary
Over the past year, Storm-1977 has been observed executing password spray attacks specifically targeting cloud tenants within the education sector. In at least one successful compromise the actor used the breached cloud credentials to stand up a significant cryptomining operation, evidenced by the creation of over 200 containers in the victim tenant.
## Tactics, Techniques & Procedures
* **Initial Access:** Password spraying attacks against cloud tenants.
* **Credential lists:** Combined the tool's built-in target lists with an external file (`accounts.txt`) containing username/password combinations, which were then sprayed against the targeted tenants.
* **Target retrieval:** `AzureChecker.exe` downloaded a hidden, encrypted file from a remote server to obtain its list of target accounts.
* **Impact:** Resource hijacking (Cryptomining).
## Targeting
* **Sectors:** Education sector.
* **Geography:** Not stated in the provided context; targeting is defined by sector (cloud tenants in education) rather than by region.
* **Victims:** Cloud tenants within the education sector.
## Tools & Infrastructure
* **Tools / Malware:** `AzureChecker.exe`, a commodity CLI password-spray tool shared among many actors (not a malware family unique to Storm-1977).
* **Infrastructure (C2, domains, IPs):**
* Remote server from which the tool retrieved its encrypted target data: `s_ac-auth[.]nodefunction[.]vip` (defanged).
## Implications
Storm-1977 presents a direct threat to cloud environments, relying on commodity username/password lists and a shared spray tool to gain initial access. The impact of a successful compromise extends beyond credential theft to resource hijacking, resulting in significant infrastructure abuse (e.g., cryptomining operations running across hundreds of containers billed to the victim).
## Mitigations
* Enforce Multi-Factor Authentication (MFA) on all cloud accounts, especially guest users, so that a password guessed by a spray does not by itself grant access.
* Monitor sign-in logs for the password-spray pattern: one source trying many distinct accounts with few attempts each, mostly failing with invalid-credential errors, followed by any success from the same source.
* Implement strong baseline policies that cap or deny excessive, unexpected resource creation (e.g., rate limiting container deployments or resource group creation, and alerting on spend spikes).
* Monitor for execution of `AzureChecker.exe` and for its download of encrypted data from the staging domain listed above; because the tool is widely shared, its presence is an indicator regardless of which actor is behind it.
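The two log-based detections above (spray pattern in sign-in logs, burst of container creation in activity logs) share one mechanism: a sliding window over events grouped by source. The following Python is an added example written for this page, not code from Microsoft's report or from AzureChecker. The record shapes, thresholds, IPs, principal names and every log line are constructed for the example; the only real identifier is the Entra ID result code 50126 (AADSTS50126, invalid username or password), which is what each miss in a spray leaves behind.

```python
"""Windowed burst detection over constructed sign-in and activity-log records.

Detection 1 (password spray): one source IP touches many distinct accounts,
nearly all failing with the bad-password code; any success from that IP
inside the window is a probable compromised account.
Detection 2 (container burst): one principal creates far more container groups
in a short window than a legitimate deployment pipeline would.
Record shapes and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENTRA_BAD_PASSWORD = "50126"   # AADSTS50126: invalid username or password
SUCCESS = "0"                  # assumed result code for a successful sign-in
CONTAINER_GROUP_WRITE = "Microsoft.ContainerInstance/containerGroups/write"


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def windows(events, key, span):
    """Group events by `key`; for each event yield (key value, all events of
    that key within `span` after it). Both detections scan these windows."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    for k, evs in by_key.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, start in enumerate(evs):
            limit = parse_ts(start["ts"]) + span
            yield k, [e for e in evs[i:] if parse_ts(e["ts"]) <= limit]


def detect_password_spray(signins, span=timedelta(minutes=10),
                          min_users=20, min_fail_ratio=0.8):
    """Return {ip: summary} for each IP whose first qualifying window holds
    >= min_users distinct accounts with a bad-password ratio >= min_fail_ratio.
    `hits` lists accounts that succeeded from that IP: reset those first."""
    alerts = {}
    for ip, bucket in windows(signins, "ip", span):
        if ip in alerts:
            continue
        users = {e["user"] for e in bucket}
        failures = sum(e["result"] == ENTRA_BAD_PASSWORD for e in bucket)
        if len(users) >= min_users and failures / len(bucket) >= min_fail_ratio:
            alerts[ip] = {
                "distinct_users": len(users),
                "attempts": len(bucket),
                "failures": failures,
                "hits": sorted(e["user"] for e in bucket if e["result"] == SUCCESS),
            }
    return alerts


def detect_container_burst(activity, span=timedelta(minutes=30), max_creates=50):
    """Return {principal: count} for each principal whose first qualifying
    window holds more than max_creates successful container-group writes."""
    creates = [e for e in activity
               if e["operation"] == CONTAINER_GROUP_WRITE and e["status"] == "Succeeded"]
    alerts = {}
    for principal, bucket in windows(creates, "principal", span):
        if principal not in alerts and len(bucket) > max_creates:
            alerts[principal] = len(bucket)
    return alerts


# ---- Constructed sample telemetry (not real logs) ----
BASE = datetime(2025, 4, 1, 2, 0, 0, tzinfo=timezone.utc)


def _ts(seconds):
    return (BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Spray: one IP tries 40 accounts once each, 8 s apart; the 17th password lands.
SAMPLE_SIGNINS = [
    {"ts": _ts(8 * i), "ip": "203.0.113.7", "user": f"user{i:02d}@contoso.edu",
     "result": SUCCESS if i == 17 else ENTRA_BAD_PASSWORD}
    for i in range(40)
]
# Benign noise: one user mistypes twice, then signs in, from an unrelated IP.
SAMPLE_SIGNINS += [
    {"ts": _ts(30), "ip": "192.0.2.5", "user": "alice@contoso.edu", "result": ENTRA_BAD_PASSWORD},
    {"ts": _ts(45), "ip": "192.0.2.5", "user": "alice@contoso.edu", "result": ENTRA_BAD_PASSWORD},
    {"ts": _ts(70), "ip": "192.0.2.5", "user": "alice@contoso.edu", "result": SUCCESS},
]
# Post-compromise: the sprayed account creates 200 container groups in ~17 min,
# while a CI service principal makes its usual handful of deployments.
SAMPLE_ACTIVITY = [
    {"ts": _ts(600 + 5 * i), "principal": "user17@contoso.edu",
     "operation": CONTAINER_GROUP_WRITE, "status": "Succeeded"}
    for i in range(200)
] + [
    {"ts": _ts(60 * i), "principal": "ci-deployer-sp",
     "operation": CONTAINER_GROUP_WRITE, "status": "Succeeded"}
    for i in range(5)
]

if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_SIGNINS))
    print("burst:", detect_container_burst(SAMPLE_ACTIVITY))
```

The thresholds deliberately key on distinct accounts per source rather than failures per account: a spray keeps each account under lockout, so per-account counters never fire, while the benign user who mistypes twice never reaches twenty distinct accounts and stays silent. On a real tenant the same logic runs against Entra ID sign-in logs (`resultType`/`errorCode`) and the Azure activity log, with the window and counts tuned to the tenant's normal deployment cadence.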