Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year.
“The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors,” the Microsoft Threat Intelligence team said in an analysis.
The tech giant noted that it observed the binary to connect to an external server named “sac-auth.nodefunction[.]vip” to retrieve an AES-encrypted data that contains a list of password spray targets.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The tool also accepts as input a text file called “accounts.txt” that includes the username and password combinations to be used to carry out the password spray attack.
“The threat actor then used the information from both files and posted the credentials to the target tenants for validation,” Microsoft said.
In one successful instance of account compromise observed by Redmond, the threat actor is said to have taken advantage of a guest account to create a resource group within the compromised subscription.
The attackers then created more than 200 containers within the resource group with the ultimate goal of conducting illicit cryptocurrency mining.
Microsoft said containerized assets, such as Kubernetes clusters, container registries, and images, are liable to various kinds of attacks, including using –
- Compromised cloud credentials to facilitate cluster takeover
- Container images with vulnerabilities and misconfigurations to carry out malicious actions
- Misconfigured management interfaces to gain access to the Kubernetes API and deploy malicious containers or hijack the entire cluster
- Nodes that run on vulnerable code or software
To mitigate such malicious activities, organizations are advised to secure container deployment and runtime, monitor unusual Kubernetes API requests, configure policies to prevent containers from being deployed from untrusted registries and ensure that the images being deployed in containers are free from vulnerabilities.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion