Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers

Apr 27, 2025Ravie LakshmananKubernetes / Cloud Security

Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year.

“The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors,” the Microsoft Threat Intelligence team said in an analysis.

The tech giant noted that it observed the binary to connect to an external server named “sac-auth.nodefunction[.]vip” to retrieve an AES-encrypted data that contains a list of password spray targets.

The tool also accepts as input a text file called “accounts.txt” that includes the username and password combinations to be used to carry out the password spray attack.

“The threat actor then used the information from both files and posted the credentials to the target tenants for validation,” Microsoft said.

In one successful instance of account compromise observed by Redmond, the threat actor is said to have taken advantage of a guest account to create a resource group within the compromised subscription.

The attackers then created more than 200 containers within the resource group with the ultimate goal of conducting illicit cryptocurrency mining.

Microsoft said containerized assets, such as Kubernetes clusters, container registries, and images, are liable to various kinds of attacks, including using –

• Compromised cloud credentials to facilitate cluster takeover
• Container images with vulnerabilities and misconfigurations to carry out malicious actions
• Misconfigured management interfaces to gain access to the Kubernetes API and deploy malicious containers or hijack the entire cluster
• Nodes that run on vulnerable code or software

To mitigate such malicious activities, organizations are advised to secure container deployment and runtime, monitor unusual Kubernetes API requests, configure policies to prevent containers from being deployed from untrusted registries and ensure that the images being deployed in containers are free from vulnerabilities.