Microsoft has revealed that a threat actor it tracks as Storm-1977 has been carrying out password spray attacks on cloud tenants over the past year.
“Attacks include using AzureChecker.exe, a command line interface (CLI) tool used by a wide range of threat actors,” the Microsoft Threat Intelligence team said in an analysis.
The tech giant observed the binary connecting to an external server named “sac-auth.nodefunction[.]vip” and noted that it retrieves AES-encrypted data containing a list of password spray targets.
The tool also accepts as input a text file called “accounts.txt” containing the username and password combinations to be used in the password spray attack.
“The threat actors then used the information from both files and posted their credentials to the target tenant for verification,” Microsoft said.
In one successful account compromise that Redmond observed, the threat actor is said to have used guest accounts to create resource groups within the compromised subscription.
The attackers then created over 200 containers within the resource group, with the ultimate goal of carrying out illegal cryptocurrency mining.

Microsoft said containerized assets such as Kubernetes clusters, container registries and images are exposed to various types of attacks, including the use of:
- Compromised cloud credentials to facilitate cluster takeover
- Container images with vulnerabilities and misconfigurations to perform malicious actions
- Misconfigured management interfaces to access the Kubernetes API and deploy malicious containers or hijack the entire cluster
- Nodes that run on vulnerable code or software

To mitigate such malicious activity, organizations are advised to secure container deployment and runtime, monitor anomalous Kubernetes API requests, configure policies that prevent deployment from untrusted registries, and verify that images deployed in containers are free from vulnerabilities.
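The untrusted-registry recommendation above, sketched as a check over a pod spec. This is an added example, not code from Microsoft or from the article; the allowlist, host names and sample pod are constructed for illustration, and the registry rule follows Docker's image reference normalization.

```python
# Constructed allowlist (assumption): replace with the registries you trust.
TRUSTED_REGISTRIES = {"registry.corp.example"}


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.

    Docker's normalization rule: the first path component is a registry
    only if it contains '.' or ':' or equals 'localhost'. Anything else
    ("nginx", "someuser/worker") resolves to Docker Hub.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def untrusted_images(pod_spec: dict, trusted=TRUSTED_REGISTRIES) -> list:
    """Return (container name, image, registry) for every container,
    init container or ephemeral container whose registry is not allowed."""
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(kind) or []:
            host = registry_of(container["image"])
            # Exact host match: prefix or substring matching would accept
            # a lookalike host that merely starts with a trusted name.
            if host not in trusted:
                findings.append((container["name"], container["image"], host))
    return findings


# Constructed sample: the "spec" section of a Pod manifest.
SAMPLE_POD = {
    "initContainers": [{"name": "setup", "image": "busybox"}],
    "containers": [
        {"name": "api", "image": "registry.corp.example/team/api:1.4"},
        {"name": "worker", "image": "someuser/worker:latest"},
        {"name": "lookalike",
         "image": "registry.corp.example.other.example/team/api:1.4"},
    ],
}

if __name__ == "__main__":
    for name, image, host in untrusted_images(SAMPLE_POD):
        print(f"DENY {name}: {image} (registry {host})")
```

In a cluster the same rule is normally enforced at admission time; the function here only shows the decision such a policy has to make.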