Type: Campaign
Actors:
Pub. date: April 23, 2025
Initial access: Password attack
Impact: Resource hijacking
Observed techniques:
Observed tools:
Targeted technologies:
Status: Finalized
Last edited: May 19, 2025 10:49 AM

In the past year, Microsoft observed AzureChecker (Storm-1977) launching password spray attacks against cloud tenants in the education sector. The actor used AzureChecker.exe, a CLI tool that is used by a wide range of actors.
- The threat actor downloaded an encrypted file from a remote server (sac-auth[.]nodefunction[.]vip). Once decrypted, this file contained a list of accounts to target. They also used another file, accounts.txt, that contained many username and password combinations.
- The tool combined both sets of data and tried these logins one by one (password spray attack).
- Microsoft observed one successful attack where the threat actor accessed a cloud account via a guest user, created a resource group with over 200 containers, and used them for cryptomining.
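
The chain described above (many accounts tried from one source, a successful login, then a burst of container creation by the same identity) can be correlated in log data. The following detection sketch is an added example, not code from Microsoft or the original page; the event field names, thresholds and sample events are assumptions constructed for illustration, and it correlates by source and identity only, not by time.

```python
from collections import defaultdict

SPRAY_MIN_USERS = 10   # assumed threshold: distinct accounts failing from one source
CONTAINER_BURST = 50   # assumed threshold: containers created by one identity in one group

def find_spray_sources(signins, min_users=SPRAY_MIN_USERS):
    """Return {ip: users} for sources with failed logins against many distinct accounts."""
    failed = defaultdict(set)
    for e in signins:
        if e["result"] == "failure":
            failed[e["ip"]].add(e["user"])
    return {ip: users for ip, users in failed.items() if len(users) >= min_users}

def compromised_after_spray(signins, spray_sources):
    """(user, ip) pairs that signed in successfully from a source flagged as spraying."""
    return {(e["user"], e["ip"]) for e in signins
            if e["result"] == "success" and e["ip"] in spray_sources}

def hijack_alerts(signins, resource_events, burst=CONTAINER_BURST):
    """Correlate spray source -> successful login -> mass container creation."""
    hits = compromised_after_spray(signins, find_spray_sources(signins))
    created = defaultdict(lambda: defaultdict(int))  # user -> resource group -> count
    for e in resource_events:
        if e["op"] == "container.create":
            created[e["user"]][e["resource_group"]] += 1
    alerts = []
    for user, ip in sorted(hits):
        for rg, n in created[user].items():
            if n >= burst:
                alerts.append({"user": user, "ip": ip,
                               "resource_group": rg, "containers": n})
    return alerts

def sample_data():
    """Constructed events: one documentation-range IP sprays 12 accounts, a guest succeeds."""
    signins = [{"ip": "203.0.113.7", "user": f"student{i}@example.edu", "result": "failure"}
               for i in range(12)]
    signins.append({"ip": "203.0.113.7", "user": "guest1@example.edu", "result": "success"})
    signins.append({"ip": "198.51.100.4", "user": "staff@example.edu", "result": "success"})
    resources = [{"user": "guest1@example.edu", "op": "container.create",
                  "resource_group": "rg-constructed"} for _ in range(201)]
    resources.append({"user": "staff@example.edu", "op": "container.create",
                      "resource_group": "rg-lab"})
    return signins, resources

if __name__ == "__main__":
    for alert in hijack_alerts(*sample_data()):
        print(alert)
```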