Microsoft has recently identified a series of cyberattacks targeting cloud environments within the education sector, orchestrated by a threat actor designated as Storm-1977. These attacks, spanning the past year, have primarily utilized a technique known as password spraying to gain unauthorized access to cloud tenants.
Understanding Password Spraying
Password spraying is a method where attackers attempt to access numerous accounts by systematically trying common passwords. Unlike traditional brute-force attacks that target a single account with multiple password attempts, password spraying spreads these attempts across many accounts, reducing the likelihood of detection and account lockouts.
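The defensive counterpart of the pattern just described is to look for one source touching many accounts rather than many attempts on one account. The following Python script is an added example, not code from the article or from Microsoft; it runs over a constructed sign-in log in a simplified space-separated format (timestamp, source IP, user, result) and flags any source whose failed sign-ins reach a threshold of distinct accounts inside a sliding window. The window, threshold and log layout are assumptions for the example; a real deployment would read the tenant's sign-in logs and tune both values.

```python
"""Flag password-spray patterns in sign-in logs (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log, not real telemetry.
# Fields: timestamp, source IP, user principal name, result.
# 203.0.113.7 fails against five different accounts and then succeeds on a sixth
# (spray pattern); 198.51.100.9 hammers a single account (classic brute force).
SAMPLE_LOG = """\
2025-04-01T08:00:01Z 203.0.113.7 alice@contoso.edu FAILURE
2025-04-01T08:00:04Z 203.0.113.7 bob@contoso.edu FAILURE
2025-04-01T08:00:09Z 203.0.113.7 carol@contoso.edu FAILURE
2025-04-01T08:00:15Z 203.0.113.7 dave@contoso.edu FAILURE
2025-04-01T08:00:21Z 203.0.113.7 erin@contoso.edu FAILURE
2025-04-01T08:00:30Z 203.0.113.7 frank@contoso.edu SUCCESS
2025-04-01T08:05:00Z 198.51.100.9 grace@contoso.edu FAILURE
2025-04-01T08:05:03Z 198.51.100.9 grace@contoso.edu FAILURE
2025-04-01T08:05:07Z 198.51.100.9 grace@contoso.edu FAILURE
2025-04-01T08:05:12Z 198.51.100.9 grace@contoso.edu FAILURE
2025-04-01T08:05:20Z 198.51.100.9 grace@contoso.edu FAILURE
2025-04-01T09:00:00Z 192.0.2.44 heidi@contoso.edu SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: {"accounts": [...], "success_after_spray": [...]}} for spraying sources.

    A source is flagged when its failed sign-ins touch at least `min_accounts`
    distinct accounts inside one sliding window (assumed thresholds). A brute force
    against a single account produces many failures but only one account, so this
    rule deliberately does not fire on it; per-account lockout handles that case.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, ip, user, ok in events:
        (successes if ok else failures)[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():  # fails is already time-ordered
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                # A success from the same source after the spray began is the
                # higher-priority signal: it is likely a compromised account.
                later_ok = sorted({u for ts, u in successes.get(ip, []) if ts >= start})
                findings[ip] = {"accounts": sorted(users), "success_after_spray": later_ok}
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, "sprayed", len(f["accounts"]), "accounts; succeeded on", f["success_after_spray"])
```

The success-after-spray list is the item to act on first: a source that failed against five accounts and then signed in as a sixth is the situation in which a credential reset and session revocation for that account are warranted, whereas the single-account brute force from the second IP is left to normal lockout policy.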
The Role of AzureChecker.exe
Central to these attacks is the deployment of AzureChecker.exe, a Command Line Interface (CLI) tool. Microsoft’s Threat Intelligence team has observed that this tool connects to an external server, sac-auth.nodefunction[.]vip, to retrieve AES-encrypted data containing a list of targets for the password spray attack. Additionally, AzureChecker.exe utilizes an input file named accounts.txt, which includes various username and password combinations. The tool then systematically attempts to validate these credentials against the targeted cloud tenants.
Exploitation of Compromised Accounts
In instances where the password spraying is successful, Storm-1977 has been observed leveraging compromised accounts to further their objectives. Notably, the attackers have utilized guest accounts to create new resource groups within the breached cloud subscriptions. Within these resource groups, they have deployed over 200 containers, primarily for illicit cryptocurrency mining activities.
Risks Associated with Containerized Assets
The exploitation of containerized assets, such as Kubernetes clusters and container registries, presents significant security challenges. Attackers can exploit these assets through various means, including:
– Compromised Cloud Credentials: Gaining unauthorized access to cloud environments to take control of Kubernetes clusters.
– Vulnerable Container Images: Deploying containers with known vulnerabilities or misconfigurations to execute malicious actions.
– Misconfigured Management Interfaces: Accessing the Kubernetes API via poorly configured interfaces to deploy malicious containers or hijack entire clusters.
– Exploiting Vulnerable Nodes: Targeting nodes running outdated or vulnerable software to gain control over the containerized environment.
Mitigation Strategies
To defend against such sophisticated attacks, organizations, especially within the education sector, should implement comprehensive security measures:
1. Secure Container Deployment and Runtime: Ensure that all containers are deployed following best security practices, including the use of trusted images and regular updates.
2. Monitor Kubernetes API Requests: Continuously monitor for unusual or unauthorized API requests that could indicate malicious activity.
3. Implement Strict Access Controls: Configure policies to prevent the deployment of containers from untrusted registries and ensure that only authorized personnel have access to critical resources.
4. Regular Vulnerability Assessments: Conduct periodic assessments to identify and remediate vulnerabilities within container images and the broader cloud infrastructure.
5. Educate and Train Staff: Provide ongoing training to staff about the risks of password spraying and other common attack vectors to enhance the organization’s overall security posture.
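Steps 2 and 3 above (monitoring Kubernetes API requests and refusing containers from untrusted registries) can be demonstrated together over audit data. The following Python script is an added example, not code from the article or from Microsoft; it reads a few constructed Kubernetes audit events in the `audit.k8s.io/v1` JSON-lines shape, flags pod creations whose images do not come from an assumed registry allowlist, and flags any single identity that creates pods in a burst. The allowlist (`registry.example.edu`, `mcr.microsoft.com`), the usernames, the image names and the burst threshold are all assumptions for the example.

```python
"""Review Kubernetes audit events for untrusted images and pod-creation bursts (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed registry allowlist. Trailing slashes matter: a plain prefix match on
# "registry.example.edu" would also accept "registry.example.edu.evil.test/...".
TRUSTED_REGISTRIES = ("registry.example.edu/", "mcr.microsoft.com/")

# Constructed audit events (not real telemetry). requestObject is only present when
# the audit policy records at the Request or RequestResponse level for pods.
SAMPLE_AUDIT = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2025-04-01T09:00:00.000000Z","user":{"username":"ci-bot@contoso.edu"},"objectRef":{"resource":"pods","namespace":"web"},"requestObject":{"spec":{"containers":[{"name":"web","image":"registry.example.edu/web:1.4"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2025-04-01T10:00:01.000000Z","user":{"username":"guestuser@contoso.edu"},"objectRef":{"resource":"pods","namespace":"batch"},"requestObject":{"spec":{"containers":[{"name":"w","image":"untrusted.example/miner:latest"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2025-04-01T10:03:00.000000Z","user":{"username":"guestuser@contoso.edu"},"objectRef":{"resource":"pods","namespace":"batch"},"requestObject":{"spec":{"containers":[{"name":"w","image":"untrusted.example/miner:latest"}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","requestReceivedTimestamp":"2025-04-01T10:05:00.000000Z","user":{"username":"admin@contoso.edu"},"objectRef":{"resource":"pods","namespace":"batch"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","requestReceivedTimestamp":"2025-04-01T10:07:30.000000Z","user":{"username":"guestuser@contoso.edu"},"objectRef":{"resource":"pods","namespace":"batch"},"requestObject":{"spec":{"containers":[{"name":"w","image":"untrusted.example/miner:latest"}]}}}
"""


def parse_audit(text):
    """Parse JSON-lines audit output into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_registry_trusted(image, trusted=TRUSTED_REGISTRIES):
    """True only when the image reference starts with an allowlisted registry prefix.

    A bare name such as "nginx" resolves to Docker Hub, which is not on the
    assumed allowlist, so it is reported as untrusted.
    """
    return any(image.startswith(prefix) for prefix in trusted)


def pod_creations(events):
    """Yield only the events that create pods; get/list/watch traffic is ignored."""
    for ev in events:
        if ev.get("verb") == "create" and ev.get("objectRef", {}).get("resource") == "pods":
            yield ev


def find_untrusted_images(events):
    """Return (user, namespace, [untrusted images]) for each pod creation that violates the allowlist.

    The same check, placed in an admission policy, would reject the pod instead
    of reporting it after the fact.
    """
    findings = []
    for ev in pod_creations(events):
        spec = ev.get("requestObject", {}).get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        bad = [c["image"] for c in containers if not image_registry_trusted(c["image"])]
        if bad:
            findings.append((ev["user"]["username"], ev["objectRef"]["namespace"], bad))
    return findings


def find_creation_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {username: count} for identities creating >= threshold pods inside one window."""
    by_user = defaultdict(list)
    for ev in pod_creations(events):
        ts = datetime.strptime(ev["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        by_user[ev["user"]["username"]].append(ts)

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[user] = count
                break
    return flagged


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT)
    for user, ns, images in find_untrusted_images(events):
        print(f"untrusted image(s) {images} created by {user} in namespace {ns}")
    for user, count in find_creation_bursts(events).items():
        print(f"{user} created {count} pods within 10 minutes")
```

Run against the sample, the script reports the three guest-account pod creations for their untrusted image and also reports the same identity for the burst, while the CI account's single pull from the allowlisted registry passes both checks. In practice the allowlist belongs in an admission control policy so the untrusted pod never starts, and the burst rule belongs in the SIEM query over the exported audit log; the two are complementary because a burst of pods from an allowlisted registry is still worth a look.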
By adopting these strategies, educational institutions can bolster their defenses against the evolving threats posed by actors like Storm-1977, safeguarding their cloud environments from unauthorized access and exploitation.