Cloud Chaos: How a Sophisticated Threat Actor is Exploiting Education Sector Vulnerabilities

A sophisticated cyber threat actor known as Storm-1977 has been identified as the culprit behind a series of high-profile attacks on cloud tenants in the education sector. According to Microsoft, the group has been using a tool called AzureChecker.exe to conduct password spraying attacks over the past year.
AzureChecker.exe is a Command Line Interface (CLI) tool that is being used by a wide range of threat actors. The tool connects to an external server to retrieve an AES-encrypted data file containing a list of password spray targets. It also accepts a text file called “accounts.txt” containing username and password combinations to be used in the attack.
The tool posts the credentials to the target tenants for validation. The threat actor then takes advantage of a guest account to create a resource group within the compromised subscription. In one successful instance, the attackers created over 200 containers within the resource group, ultimately using them to conduct illicit cryptocurrency mining.
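One way to hunt for the pattern described above, a guest account creating a resource group and then a burst of containers in it, is sketched below as an added example that is not part of the original article or Microsoft's report. The simplified event schema, the threshold and window, the use of the "#EXT#" guest UPN marker in the caller field, and the choice of the Azure Container Instances write operation are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
# Assumption: containers are Azure Container Instances; swap in your service's operation.
CONTAINER_WRITE = "Microsoft.ContainerInstance/containerGroups/write"

def is_guest(caller: str) -> bool:
    # Assumption: caller is a UPN; Entra ID guest UPNs carry "#EXT#".
    # In production, resolve the caller to userType == "Guest" in the directory.
    return "#ext#" in caller.lower()

def find_guest_container_bursts(events, threshold=20, window=timedelta(hours=1)):
    """Alert on guest callers that created a resource group and then wrote
    at least `threshold` containers into it within `window`."""
    rg_created = {}                # (caller, rg) -> time the guest created the group
    creations = defaultdict(list)  # (caller, rg) -> container write times
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["status"] != "Succeeded" or not is_guest(ev["caller"]):
            continue
        key = (ev["caller"].lower(), ev["resource_group"].lower())
        if ev["operation"] == RG_WRITE:
            rg_created.setdefault(key, ev["time"])
        elif ev["operation"] == CONTAINER_WRITE and key in rg_created:
            creations[key].append(ev["time"])
    alerts = []
    for key, times in creations.items():
        start = rg_created[key]
        burst = [t for t in times if start <= t <= start + window]
        if len(burst) >= threshold:
            alerts.append({"caller": key[0], "resource_group": key[1],
                           "containers": len(burst), "rg_created": start})
    return alerts

def sample_events():
    # Constructed sample data, not taken from any real tenant.
    t0 = datetime(2025, 1, 1, 3, 0, 0)
    guest = "student_contoso.example#EXT#@school.example"
    def ev(caller, op, rg, minutes):
        return {"caller": caller, "operation": op, "resource_group": rg,
                "time": t0 + timedelta(minutes=minutes), "status": "Succeeded"}
    events = [ev(guest, RG_WRITE, "rg-new", 0)]
    events += [ev(guest, CONTAINER_WRITE, "rg-new", 1 + i // 10) for i in range(200)]
    events += [ev("admin@school.example", RG_WRITE, "rg-lab", 0)]
    events += [ev("admin@school.example", CONTAINER_WRITE, "rg-lab", 5 + i) for i in range(30)]
    events += [ev(guest, CONTAINER_WRITE, "rg-existing", 2)]  # guest did not create this group
    return events

if __name__ == "__main__":
    for alert in find_guest_container_bursts(sample_events()):
        print(alert)
```

Only the guest's burst in the group it created is flagged; the member administrator's deployments and the guest's single write into an existing group are ignored.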
Mitigating the Threat
To prevent such malicious activities, organizations are advised to secure container deployment and runtime, monitor unusual Kubernetes API requests, and configure policies to prevent containers from being deployed from untrusted registries. Ensuring that the images being deployed in containers are free from vulnerabilities is also crucial.
Containerized assets, such as Kubernetes clusters, container registries, and images, are increasingly being targeted by threat actors. These attacks can have devastating consequences, making it essential for organizations to take proactive measures to secure their containerized environments.



