Storm-1977 Launches Password Spraying Attacks on Education Sector, Microsoft Issues Warning
TL;DR
Microsoft warns of Storm-1977 targeting the education sector with password spraying attacks. The threat actor uses AzureChecker.exe to breach cloud tenants, leading to cryptomining activities. Key risks include compromised credentials, misconfigured images, and unauthorized traffic.
Storm-1977 Targets Education Sector with Password Spraying Attacks
Microsoft has issued a warning about the threat actor Storm-1977, which has been launching password spraying attacks against cloud tenants in the education sector over the past year. The attacks involve the use of AzureChecker.exe, a Command Line Interface (CLI) tool that connects to sac-auth[.]nodefunction[.]vip to download AES-encrypted data. Once decrypted, this data reveals password spray targets. The tool also accepts an accounts.txt file containing username and password pairs, using both datasets to validate credentials against target tenants.
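The pattern described above leaves a distinctive trace in tenant sign-in logs: one source producing failed sign-ins for many distinct accounts in a short window, with only one or two attempts per account. The following is an added defender-side example (not code from Microsoft's report or from the AzureChecker.exe tool) that flags that signature; the log records, IP addresses, account names and thresholds are all constructed assumptions for the example.

```python
"""Flag password-spray behaviour in constructed sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry: (timestamp, source_ip, account, result).
# 203.0.113.7 sprays six accounts with one attempt each, then succeeds for one of them;
# 198.51.100.9 is one user mistyping their own password three times (not a spray).
SAMPLE_SIGNINS = [
    ("2025-04-20T08:00:01", "203.0.113.7", "alice@example.edu", "failure"),
    ("2025-04-20T08:00:03", "203.0.113.7", "bob@example.edu", "failure"),
    ("2025-04-20T08:00:05", "203.0.113.7", "carol@example.edu", "failure"),
    ("2025-04-20T08:00:08", "203.0.113.7", "dave@example.edu", "failure"),
    ("2025-04-20T08:00:11", "203.0.113.7", "erin@example.edu", "failure"),
    ("2025-04-20T08:00:14", "203.0.113.7", "frank@example.edu", "failure"),
    ("2025-04-20T08:00:20", "203.0.113.7", "frank@example.edu", "success"),
    ("2025-04-20T08:05:00", "198.51.100.9", "grace@example.edu", "failure"),
    ("2025-04-20T08:05:10", "198.51.100.9", "grace@example.edu", "failure"),
    ("2025-04-20T08:05:30", "198.51.100.9", "grace@example.edu", "failure"),
]

def detect_spray(records, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources whose failures look like a spray.

    Thresholds are assumptions to tune per tenant: many accounts (>= min_accounts) with
    few attempts each (<= max_per_account) inside `window` separates a spray from a user
    retrying their own password or from a brute force aimed at one account.
    """
    failures = defaultdict(list)
    for ts, src, account, result in records:
        if result == "failure":
            failures[src].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance `start` until events[start:end + 1] all fall inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            attempts = defaultdict(int)
            for _, account in events[start:end + 1]:
                attempts[account] += 1
            if len(attempts) >= min_accounts and max(attempts.values()) <= max_per_account:
                alerts.setdefault(src, set()).update(attempts)
    return {src: sorted(accounts) for src, accounts in alerts.items()}

def successes_after_spray(records, alerts):
    """Accounts that later signed in successfully from a flagged source (reset candidates)."""
    return sorted({a for _, src, a, res in records if res == "success" and src in alerts})
```

A successful sign-in from a flagged source is the case that matters most for response, since it marks the account whose credentials the spray validated.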
Successful Breach and Cryptomining Activities
In one successful breach, the threat actor used a guest account to create a resource group and over 200 containers for cryptomining activities. This highlights the seriousness of the threat and the potential for significant damage [1].
Key Risks and Threats to Containerized Assets
Microsoft emphasizes that containerized assets, such as Kubernetes clusters, workloads, and registries, face numerous risks. Organizations must secure containers, code, dependencies, CI/CD pipelines, and runtime environments to mitigate these threats. The primary risks include:
- Compromised Accounts: Leaked credentials can lead to unauthorized access.
- Vulnerable Images: Misconfigured or vulnerable images can be exploited.
- Environment Misconfigurations: Exposed APIs due to misconfigurations.
- Application-Level Attacks: Such as SQL injection and Cross-Site Scripting (XSS).
- Node-Level Attacks: Including pod escapes.
- Unauthorized Traffic: Insecure networking can allow unauthorized traffic.
Securing Containerized Environments
To protect against these threats, organizations should focus on securing all aspects of their containerized environments. This includes implementing robust security measures for containers, code, dependencies, CI/CD pipelines, and runtime environments. Regular audits and updates can help mitigate the risks associated with vulnerable or misconfigured images and environment misconfigurations.
References
- [1] (April 23, 2025). “Understanding the threat landscape for Kubernetes and containerized assets”. Microsoft Security Blog. Retrieved April 27, 2025.