Full Report
Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year. "The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors," the Microsoft Threat Intelligence team said in an analysis. The tech giant noted that
Analysis Summary
# Threat Actor: Storm-1977
## Attribution & Identity
The threat actor is tracked by Microsoft as **Storm-1977**. No specific attribution or known aliases beyond this tracking designation are provided in the article.
## Activity Summary
Storm-1977 has been observed conducting operations targeting cloud tenants, specifically within the **education sector**, over the past year. The primary activity detailed involves using compromised credentials to gain access and subsequently deploying cryptocurrency mining infrastructure within cloud environments. In one observed instance, the actor used a compromised guest account to create a resource group and deploy **over 200 containers** for illicit cryptocurrency mining.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Conducted **password spraying attacks** against cloud tenants.
- **Credential Access:** Utilized a custom Command Line Interface (CLI) tool, **AzureChecker.exe**, to facilitate authentication attempts.
- **C2 Communication:** AzureChecker.exe connects to an external server, `sac-auth[.]nodefunction[.]vip`, to retrieve an AES-encrypted data payload containing target lists.
- **Lateral Movement/Impact:** Leveraged a successful login (via a guest account in one case) to create a new **resource group** within the compromised Azure subscription.
- **Persistence/Impact:** Deployed **200+ containers** aimed at cryptocurrency mining activities.
## Targeting
- **Sectors:** Education sector.
- **Geography:** Not specified, but targeting is focused on cloud infrastructure (likely Azure).
- **Victims:** Cloud tenants within the education sector.
## Tools & Infrastructure
- **Malware families used:** **AzureChecker.exe** (CLI tool).
- **Infrastructure (C2, domains, IPs):**
  - C2 Domain: `sac-auth[.]nodefunction[.]vip`
  - Input file used by attacker: `accounts.txt` (containing username/password combinations).
## Implications
Storm-1977 is a persistent, financially motivated threat to large cloud estates such as those run by the education sector. Its method pairs broad credential attacks (password spraying) with opportunistic hijacking of cloud resources for crypto-mining. The successful deployment of hundreds of containers shows a capability to rapidly turn compromised cloud access into significant resource abuse.
## Mitigations
- Secure container deployment and runtime environments.
- Monitor for unusual Kubernetes API requests.
- Configure policies to prevent deployment of containers from untrusted registries.
- Ensure container images deployed are free from vulnerabilities.
- Harden access controls to prevent successful password spraying attacks and secure guest account permissions.
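The last mitigation is easier to act on with a concrete detection. The following is an added example, not code from Microsoft's analysis: it runs a password-spray detector over a constructed sign-in log (field layout, timestamps, IPs and account names are all assumptions) and then reports which account the spraying source actually got into, since a guest-account hit was the foothold described above.

```python
# Password-spray detection over constructed cloud sign-in events (not real telemetry).
# Spray signature: one source fails against MANY distinct accounts, few tries each.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, user, source_ip, outcome, user_type)
SIGNIN_EVENTS = [
    ("2025-01-10T09:00:01", "alice@uni.example", "198.51.100.7", "failure", "member"),
    ("2025-01-10T09:00:03", "bob@uni.example",   "198.51.100.7", "failure", "member"),
    ("2025-01-10T09:00:04", "carol@uni.example", "198.51.100.7", "failure", "member"),
    ("2025-01-10T09:00:06", "dave@uni.example",  "198.51.100.7", "failure", "member"),
    ("2025-01-10T09:00:08", "erin@uni.example",  "198.51.100.7", "failure", "member"),
    ("2025-01-10T09:00:11", "guest_x#EXT#@uni.example", "198.51.100.7", "success", "guest"),
    # Benign noise: one user mistyping their own password, then succeeding.
    ("2025-01-10T09:05:00", "frank@uni.example", "203.0.113.9", "failure", "member"),
    ("2025-01-10T09:05:20", "frank@uni.example", "203.0.113.9", "failure", "member"),
    ("2025-01-10T09:05:40", "frank@uni.example", "203.0.113.9", "success", "member"),
]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source_ip -> set of distinct users for sources whose failures span
    >= min_accounts distinct accounts within one sliding window. A single
    account failing repeatedly (brute force or a typo) is not a spray."""
    failures = defaultdict(list)
    for ts, user, ip, outcome, _ in events:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[ip] = users
                break
    return hits

def successes_after_spray(events, spray_hits):
    """Successful sign-ins from a spraying source, i.e. the accounts it got
    into. The user_type is kept so guest-account footholds stand out."""
    return [(user, user_type) for _, user, ip, outcome, user_type in events
            if outcome == "success" and ip in spray_hits]

if __name__ == "__main__":
    hits = detect_spray(SIGNIN_EVENTS)
    for ip, users in hits.items():
        print(f"spray from {ip} against {len(users)} accounts")
    for user, kind in successes_after_spray(SIGNIN_EVENTS, hits):
        print(f"  foothold: {user} ({kind} account)")
```

The per-source threshold deliberately ignores one account failing many times, so a legitimate user's typos do not fire; tune `window` and `min_accounts` to the tenant's normal failure rate.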