
Microsoft Uncovers Password Spraying Campaign Targeting Cloud Tenants in Education Sector

Microsoft has disclosed new details about a cyber campaign targeting cloud-based infrastructure within the education sector

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Microsoft has disclosed new details about a cyber campaign targeting cloud-based infrastructure within the education sector. The attack, attributed to a threat actor tracked as Storm-1977, leveraged password spraying techniques to compromise cloud tenants over the past year.

Attack Methodology: Use of AzureChecker.exe

At the heart of the campaign is AzureChecker.exe, a command-line interface (CLI) tool. According to Microsoft Threat Intelligence, AzureChecker.exe is actively used by a wide range of threat actors for reconnaissance and credential validation attacks.

Microsoft observed that the tool connects to an external server, "sac-auth.nodefunction[.]vip," to retrieve an AES-encrypted dataset containing a list of potential password spray targets.

The attack methodology involves:

  • Accepting an input file titled "accounts.txt" containing username and password combinations.

  • Using the encrypted data and the accounts list to perform automated password spraying against cloud tenants.

Password spraying is a type of brute-force attack in which the attacker tries a small set of common passwords across many accounts rather than many passwords against a single account. Because each account sees only a few failed attempts, the activity is less likely to trigger immediate detection.
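The distinction in the paragraph above (many accounts, few attempts each, versus one account hammered repeatedly) is exactly what a defender can key on in sign-in telemetry. The following is an added example, not code from Microsoft or from the article, that classifies source IPs in constructed Entra ID-style sign-in records as spraying, brute-forcing, or benign, and then lists the accounts on which a spraying source eventually succeeded. The log format, thresholds, user names and IP addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry).
# Fields: ISO-8601 time, user principal name, source IP, result.
SAMPLE_LOG = """\
2025-04-20T10:00:01Z alice@edu.example 203.0.113.7 FAIL
2025-04-20T10:00:04Z bob@edu.example 203.0.113.7 FAIL
2025-04-20T10:00:07Z carol@edu.example 203.0.113.7 FAIL
2025-04-20T10:00:10Z dave@edu.example 203.0.113.7 FAIL
2025-04-20T10:00:13Z erin@edu.example 203.0.113.7 FAIL
2025-04-20T10:00:16Z frank@edu.example 203.0.113.7 FAIL
2025-04-20T10:00:19Z guest_x@edu.example 203.0.113.7 SUCCESS
2025-04-20T10:01:00Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:01:02Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:01:04Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:01:06Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:01:08Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:01:10Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:01:12Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:01:14Z bob@edu.example 198.51.100.9 FAIL
2025-04-20T10:05:00Z alice@edu.example 192.0.2.5 FAIL
2025-04-20T10:05:20Z alice@edu.example 192.0.2.5 SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated records into time-ordered (time, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result))
    events.sort()
    return events


def classify_sources(events, window=timedelta(minutes=10), min_users=5,
                     max_per_user=3, brute_threshold=6):
    """Label each source IP as 'spray', 'brute_force' or 'benign'.

    spray:       within some `window`-long span of this IP's failures, at least
                 `min_users` distinct accounts failed and none more than `max_per_user` times.
    brute_force: a single account failed at least `brute_threshold` times within the window.
    Thresholds are assumptions for the example; tune them to the tenant's baseline.
    """
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    labels = {}
    for ip, fails in failures.items():
        label = "benign"
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                label = "spray"
                break
            if max(per_user.values()) >= brute_threshold:
                label = "brute_force"
                break
        labels[ip] = label
    return labels


def spray_successes(events, labels):
    """Accounts that signed in successfully from a source labelled 'spray': the likely compromises."""
    return sorted({user for _, user, ip, result in events
                   if result == "SUCCESS" and labels.get(ip) == "spray"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, label in verdicts.items():
        print(f"{ip:15} {label}")
    print("accounts to review:", spray_successes(evs, verdicts))
```

The sliding window is per source IP, so a slow spray spread across hours is missed by this simple version; in practice the same logic is also run per user-agent and per ASN, and the window is widened for low-and-slow campaigns. The success-after-spray list is the output worth paging on, since that is the point at which a guest or student account has actually been taken over.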

Successful Compromise and Abuse of Resources

In one notable incident, the attackers successfully compromised an account with guest privileges. Using this access, they escalated their attack by:

  • Creating a new resource group within the compromised subscription.

  • Deploying over 200 containers within the newly created resource group.

The primary objective of these containers was illicit cryptocurrency mining, leveraging the cloud tenant’s computing resources to mine digital currency without the organization’s consent or knowledge.
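The sequence described above, a guest-level identity creating a resource group and then filling it with hundreds of containers, leaves a very distinctive trail in the subscription's activity log. The following added example (not Microsoft's or the article's code) shows the detection logic over constructed, simplified activity-log records. The record shape, the caller names, the `userType` field and the thresholds are assumptions for the example; the two operation names are the Azure Resource Manager operations for resource-group and container-group writes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RG_CREATE = "Microsoft.Resources/subscriptions/resourceGroups/write"
CONTAINER_CREATE = "Microsoft.ContainerInstance/containerGroups/write"


def make_sample_events():
    """Constructed activity-log records (not real telemetry), simplified to the
    fields this example needs: time, caller, userType, operationName, resourceGroup."""
    base = datetime(2025, 4, 20, 11, 0, 0)
    events = [{"time": base, "caller": "guest_x@partner.example", "userType": "Guest",
               "operationName": RG_CREATE, "resourceGroup": "rg-compute-tmp"}]
    # A guest identity deploys 200 container groups into the group it just created.
    for i in range(200):
        events.append({"time": base + timedelta(seconds=5 + i),
                       "caller": "guest_x@partner.example", "userType": "Guest",
                       "operationName": CONTAINER_CREATE, "resourceGroup": "rg-compute-tmp"})
    # Routine activity by a member administrator: a new group with three containers.
    events.append({"time": base + timedelta(minutes=30), "caller": "admin@edu.example",
                   "userType": "Member", "operationName": RG_CREATE, "resourceGroup": "rg-web"})
    for i in range(3):
        events.append({"time": base + timedelta(minutes=31, seconds=i),
                       "caller": "admin@edu.example", "userType": "Member",
                       "operationName": CONTAINER_CREATE, "resourceGroup": "rg-web"})
    return events


def find_mass_container_deployments(events, window=timedelta(hours=1), min_containers=20):
    """Return an alert for every (caller, resource group) pair where the caller created the
    group and then wrote at least `min_containers` container groups into it within `window`.
    Guest callers are rated high severity, since a guest has no business creating compute."""
    events = sorted(events, key=lambda e: e["time"])
    rg_created = {}                    # (caller, rg) -> creation time
    container_writes = defaultdict(int)
    user_type = {}
    for e in events:
        key = (e["caller"], e["resourceGroup"])
        user_type[e["caller"]] = e.get("userType", "Unknown")
        if e["operationName"] == RG_CREATE:
            rg_created[key] = e["time"]
        elif (e["operationName"] == CONTAINER_CREATE and key in rg_created
              and e["time"] - rg_created[key] <= window):
            container_writes[key] += 1

    alerts = []
    for (caller, rg), count in container_writes.items():
        if count >= min_containers:
            alerts.append({"caller": caller, "resourceGroup": rg, "containers": count,
                           "severity": "high" if user_type[caller] == "Guest" else "medium"})
    return sorted(alerts, key=lambda a: (a["severity"] != "high", -a["containers"]))


if __name__ == "__main__":
    for alert in find_mass_container_deployments(make_sample_events()):
        print(alert)
```

Keying on the caller that created the group catches the pattern even when the individual container writes each succeed with valid credentials; the anomaly is in the volume and in who is doing it, not in any single failed request. A production rule would also join on the container image name and on cost-management signals, since cryptomining workloads are visible as a sudden compute spend as much as in the control-plane log.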

Broader Risks to Containerized Environments

Microsoft emphasized that containerized assets, such as Kubernetes clusters, container registries, and container images, are highly vulnerable if not properly secured. Potential risks include:

  • Cluster Takeover: Using compromised cloud credentials to seize control over container environments.

  • Exploiting Vulnerable Images: Deploying containers from images that contain unpatched vulnerabilities or poor configurations.

  • Misconfigured Management Interfaces: Gaining unauthorized access to Kubernetes APIs, enabling attackers to deploy malicious containers or even hijack entire clusters.

  • Exploiting Node Vulnerabilities: Targeting nodes running outdated or vulnerable software.

Best Practices for Defending Against Cloud-Based Threats

Organizations, especially those operating in sectors like education, are encouraged to implement strong defenses to mitigate the risks associated with password spraying and container exploitation. Recommended measures include:

  • Securing Container Deployment and Runtime: Enforce strong authentication and authorization protocols for container management and access.

  • Monitoring Kubernetes API Activity: Set up logging and alerting to detect unusual or suspicious API requests.

  • Restricting Image Sources: Configure policies to prevent the deployment of containers from untrusted registries.

  • Ensuring Image Security: Regularly scan container images for vulnerabilities before deployment.

  • Enabling Multi-Factor Authentication (MFA): Protect cloud accounts by requiring a second authentication factor beyond just a password.
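The "Restricting Image Sources" and "Ensuring Image Security" items above are usually enforced at the Kubernetes admission layer. The following added example (not Microsoft's or the article's code) shows the core of such a check in Python: it parses OCI image references the way container runtimes do, so that a bare name like `nginx` is correctly recognised as coming from `docker.io`, and then evaluates a pod manifest against a registry allowlist and an optional digest-pinning requirement. The allowlist entries, the pod manifests and the policy defaults are constructed for the example.

```python
# Constructed allowlist for the example: the institution's own registry plus Microsoft's.
ALLOWED_REGISTRIES = {"registry.edu.example", "mcr.microsoft.com"}


def parse_image_ref(image):
    """Split an image reference into (registry, repository, tag, digest).

    Follows the Docker/OCI reference rules: the first path component is a registry only
    if it contains '.', ':' or is 'localhost'; otherwise the registry is docker.io and a
    single-component name lives under 'library/'. The tag is the text after the last ':'
    that comes after the last '/', so a registry port is not mistaken for a tag.
    """
    digest = None
    name = image
    if "@" in name:
        name, digest = name.split("@", 1)
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo_tag = first, rest
    else:
        registry, repo_tag = "docker.io", name
    colon = repo_tag.rfind(":")
    if colon > repo_tag.rfind("/"):
        repo, tag = repo_tag[:colon], repo_tag[colon + 1:]
    else:
        repo, tag = repo_tag, None
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo
    return registry, repo, tag, digest


def evaluate_pod(pod, allowed=ALLOWED_REGISTRIES, require_digest=False):
    """Return (admit, reasons) for a pod manifest dict, checking init and app containers.

    Denies any image from a registry outside `allowed`, any image with a mutable
    'latest' (or missing) tag and no digest, and, when `require_digest` is set,
    any image not pinned by digest.
    """
    reasons = []
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            registry, repo, tag, digest = parse_image_ref(c["image"])
            if registry not in allowed:
                reasons.append(f"{c['name']}: registry {registry!r} is not in the allowlist")
            if require_digest and digest is None:
                reasons.append(f"{c['name']}: image {c['image']!r} is not pinned by digest")
            elif digest is None and tag in (None, "latest"):
                reasons.append(f"{c['name']}: mutable tag {tag or 'latest'} on {repo!r}")
    return (not reasons, reasons)


# Constructed manifests for the example.
GOOD_POD = {"spec": {
    "initContainers": [{"name": "migrate", "image": "mcr.microsoft.com/dotnet/runtime:8.0"}],
    "containers": [{"name": "web", "image": "registry.edu.example/lms/web:2.3.1"}],
}}
BAD_POD = {"spec": {
    "containers": [{"name": "worker", "image": "someuser/worker:latest"}],
}}


if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        admit, reasons = evaluate_pod(pod)
        print(label, "admit" if admit else "deny", reasons)
```

The parsing detail matters: a policy that only string-matches on `registry.edu.example/` would let `someuser/worker:latest` through because it carries no registry prefix at all, yet that reference resolves to a public registry. In a real cluster the same logic is expressed as a ValidatingAdmissionPolicy or an admission webhook, and `require_digest=True` is the setting that turns "scan images before deployment" into an enforceable guarantee that what was scanned is what runs.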

“Container security must extend beyond deployment — active runtime monitoring and continuous vulnerability management are essential for protecting cloud workloads,” Microsoft advised.

Conclusion: An Evolving Threat Landscape

The Storm-1977 campaign highlights how even basic vulnerabilities — like weak passwords — can lead to serious consequences, including resource theft and infrastructure compromise.

As threat actors increasingly target cloud-native environments, education sector organizations and other cloud users must prioritize proactive security strategies. Regular audits, strong credential policies, and vigilant monitoring are no longer optional — they are essential components of a resilient cybersecurity posture.