Microsoft has revealed that Storm-1977 has been carrying out password spray attacks on cloud tenants over the past year, so that threat actors it tracks will track them.
“Attacks include using Azurechecker.exe, a command line interface (CLI) tool used by a wide range of threat actors,” the Microsoft Threat Intelligence team said in an analysis.
Tech Giant noted that “we observed a binary connecting to an external server named sac-auth.nodefunction.[.]VIP “Get AES encrypted data containing a list of password spray targets.
The tool accepts as input a text file called “accounts.txt” containing the username and password combination used to perform a password spray attack.
“The threat actors then used the information from both files and posted their credentials to the target tenant for verification,” Microsoft said.
In one successful instance of the account compromise Redmond observed, the threat actor is said to have used guest accounts to create resource groups within the compromised subscription.
The attackers then created over 200 containers within the resource group, with the ultimate goal of carrying out illegal cryptocurrency mining.
Microsoft said containerized assets such as Kubernetes clusters, container registries and images are responsible for various types of attacks, including usage.
Breaked cloud credentials promote cluster takeover container images with vulnerabilities and misconceptions to perform malicious actions, run mismanagement interfaces, access Kubernetes APIs, hijack entire cluster nodes running with vulnerable code or software, deploy or hijack malicious containers.
To mitigate such malicious activity, organizations recommend ensuring container deployment and runtime, monitoring anomalous Kubernetes API requests, configuring policies to prevent deployment from untrusted registry, and verifying that images deployed in containers are free from vulnerabilities.
Source link
