Cloud Threat Landscape

Last Updated: April 3, 2025

Password spray attack leads to containers being used for cryptomining

Type: Campaign
Actors: Storm-1977
Pub. date: April 23, 2025
Initial access: Password attack
Impact: Resource hijacking
Observed techniques: Password spraying
Observed tools: AzureChecker
Targeted technologies: Kubernetes
References: https://www.microsoft.com/en-us/security/blog/2025/04/23/understanding-the-threat-landscape-for-kubernetes-and-containerized-assets/
Status: Finalized
Last edited: May 19, 2025 10:49 AM

In the past year, Microsoft observed Storm-1977 launching password spray attacks against cloud tenants in the education sector. The actor used AzureChecker.exe, a CLI tool that is used by a wide range of actors.

  • The threat actor downloaded an encrypted file from a remote server (sac-auth[.]nodefunction[.]vip). Once decrypted, this file contained the list of accounts to target. They also used a second file, accounts.txt, that held many username and password combinations.
  • The tool combined both sets of data and tried these logins one by one (a password spray attack).
  • Microsoft observed one successful attack in which the threat actor accessed a cloud account via a guest user, created a resource group with over 200 containers, and used them for cryptomining.