Storm-1977 Targets Education Sector: Deploys 200+ Crypto Mining Containers via AzureChecker

By jinia


Microsoft has issued a critical security warning regarding a cyber threat group identified as Storm-1977, which has been actively targeting cloud tenants—particularly within the education sector—through password spraying attacks over the past year.


What is AzureChecker and How Is It Being Exploited?

According to Microsoft Threat Intelligence, the group relies on a command-line utility named AzureChecker.exe, which Microsoft says is being used by multiple threat actors to compromise cloud accounts.


The attack chain includes:

1. Connecting to an external command-and-control (C2) server (sac-auth.nodefunction[.]vip) to retrieve AES-encrypted data containing a list of potential targets.
2. Using a file named accounts.txt with username and password combinations to execute automated password spraying.
3. Validating credentials across cloud tenant environments to gain unauthorized access.
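The defender's side of step 2 and step 3 is telling a spray apart from ordinary failed logins: a spray touches many accounts a few times each, staying under lockout thresholds, and a success from the same source shortly afterwards is the validated credential. The following detector is an added example written for this article, not code from Microsoft's report. The records are constructed sample data shaped like Entra ID SigninLogs fields; the one-hour window and the thresholds of ten distinct accounts and three attempts per account are assumptions to tune for your tenant.

```python
"""Password-spray detection over sign-in log records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = 0                  # Entra ID ResultType for a successful sign-in
INVALID_CREDENTIALS = 50126  # Entra ID ResultType for a wrong username/password


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample records (not real data); field names follow SigninLogs.
SAMPLE_SIGNINS = [
    # one source IP fails once against each of 12 different accounts in ~22 minutes
    {"CreatedDateTime": f"2025-04-20T02:{m:02d}:00",
     "UserPrincipalName": f"user{m:02d}@school.example",
     "IPAddress": "203.0.113.7", "ResultType": INVALID_CREDENTIALS}
    for m in range(0, 24, 2)
] + [
    # ...then one guest account from the same IP succeeds
    {"CreatedDateTime": "2025-04-20T02:25:00",
     "UserPrincipalName": "guest_jsmith@school.example",
     "IPAddress": "203.0.113.7", "ResultType": SUCCESS},
    # a single user mistyping a password from an office IP: depth, not breadth
    {"CreatedDateTime": "2025-04-20T09:01:00", "UserPrincipalName": "alice@school.example",
     "IPAddress": "198.51.100.10", "ResultType": INVALID_CREDENTIALS},
    {"CreatedDateTime": "2025-04-20T09:01:30", "UserPrincipalName": "alice@school.example",
     "IPAddress": "198.51.100.10", "ResultType": INVALID_CREDENTIALS},
    {"CreatedDateTime": "2025-04-20T09:02:00", "UserPrincipalName": "alice@school.example",
     "IPAddress": "198.51.100.10", "ResultType": SUCCESS},
]


def detect_password_spray(events, window=timedelta(hours=1),
                          min_distinct_users=10, max_attempts_per_user=3):
    """Flag source IPs that fail against many distinct accounts inside one window.

    The spray signal is breadth (many accounts per IP) with low depth (few
    attempts per account). Any success from the same IP inside the window is
    reported as a possibly validated credential. Thresholds are assumptions.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IPAddress"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _ts(e["CreatedDateTime"]))
        for i, first in enumerate(evs):
            t0 = _ts(first["CreatedDateTime"])
            in_window = [e for e in evs[i:] if _ts(e["CreatedDateTime"]) - t0 <= window]
            failures = defaultdict(int)
            for e in in_window:
                if e["ResultType"] == INVALID_CREDENTIALS:
                    failures[e["UserPrincipalName"]] += 1
            if (len(failures) >= min_distinct_users
                    and max(failures.values()) <= max_attempts_per_user):
                validated = sorted({e["UserPrincipalName"] for e in in_window
                                    if e["ResultType"] == SUCCESS})
                findings.append({"ip": ip, "window_start": first["CreatedDateTime"],
                                 "targeted_accounts": len(failures),
                                 "validated_accounts": validated})
                break  # one finding per IP is enough to alert on
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f)
```

The same logic translates directly into a scheduled hunting query over SigninLogs; what matters is the shape (distinct failed accounts per source, then a success), not the implementation language.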


Crypto Mining Operation: Over 200 Containers Deployed

In one confirmed security breach, the attacker leveraged a compromised guest account to:

* Create a new resource group within the affected cloud subscription.
* Deploy over 200 containers for the purpose of illicit cryptocurrency mining.



Microsoft places the incident in a broader pattern of attacks on Kubernetes and other containerized environments that abuse weak configurations and stolen cloud credentials.


Cloud Security Risks Identified by Microsoft

The report highlights four attack paths into container environments:

1. Stolen cloud credentials leading to complete cluster takeovers.
2. Malicious or vulnerable container images used to inject or execute harmful code.
3. Unsecured Kubernetes management interfaces, providing unauthorized access to APIs.
4. Outdated or unpatched node software exploited for unauthorized access.


How to Defend Against These Attacks: Best Practices

To reduce exposure and strengthen defenses against threats like Storm-1977, Microsoft recommends the following cloud security best practices:


✅ Secure container deployments and monitor runtime behavior
✅ Log and monitor unusual Kubernetes API requests
✅ Enforce strict policies to block images from untrusted registries
✅ Regularly scan container images for vulnerabilities and misconfigurations
✅ Keep all container runtime software and nodes patched and up to date
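Blocking images from untrusted registries is only as good as the parsing behind it: a bare name such as `alpine:3.19` silently resolves to Docker Hub, and a port in the registry host (`localhost:5000/x`) looks like a tag to a naive split on `:`. The check below, an added example rather than code from Microsoft's guidance, normalizes image references the way container runtimes do (no host means `docker.io`, no namespace means `library/`) and then enforces a registry allow-list and optional digest pinning over a pod manifest. The allow-list contents and the sample manifests are constructed for illustration.

```python
"""Registry allow-list check for pod manifests (added example)."""

# Assumed allow-list: a private Azure Container Registry plus Microsoft's registry.
ALLOWED_REGISTRIES = {"myschool.azurecr.io", "mcr.microsoft.com"}


def parse_image_ref(ref):
    """Split an image reference into registry, repository, tag and digest,
    applying the runtime defaults: no host -> docker.io, no namespace -> library/."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # a tag is a ':' that comes after the last '/', so a registry port is not mistaken for one
    name, tag = ref, None
    last_slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    parts = name.split("/", 1)
    first = parts[0]
    # the first component is a registry host only if it looks like one
    if len(parts) == 2 and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, parts[1]
    else:
        registry, repository = "docker.io", name
        if "/" not in repository:
            repository = "library/" + repository
    return {"registry": registry, "repository": repository, "tag": tag, "digest": digest}


def check_pod_images(pod, allowed=ALLOWED_REGISTRIES, require_digest=False):
    """Return a list of violations for every init and app container in a pod dict."""
    violations = []
    spec = pod.get("spec", {})
    for section in ("initContainers", "containers"):
        for c in spec.get(section, []):
            parsed = parse_image_ref(c["image"])
            where = f"{section}/{c['name']}"
            if parsed["registry"] not in allowed:
                violations.append(f"{where}: registry {parsed['registry']} is not allow-listed")
            if require_digest and parsed["digest"] is None:
                violations.append(f"{where}: image {c['image']} is not pinned by digest")
    return violations


# Constructed sample manifests (dicts as produced by a YAML loader).
GOOD_POD = {"spec": {"containers": [
    {"name": "web", "image": "myschool.azurecr.io/portal:2.3.1"},
    {"name": "proxy", "image": "mcr.microsoft.com/oss/nginx/nginx:1.25"},
]}}
BAD_POD = {"spec": {
    "initContainers": [{"name": "fetch", "image": "alpine:3.19"}],        # implicit docker.io
    "containers": [{"name": "worker", "image": "someuser/miner:latest"}],  # implicit docker.io
}}

if __name__ == "__main__":
    for name, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(name, check_pod_images(pod) or "ok")
```

Run this in CI against manifests before they reach the cluster; in-cluster enforcement belongs in an admission policy (Azure Policy for AKS ships a built-in allowed-images policy, and Kyverno or Gatekeeper cover other distributions), where the same normalization rules apply.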


Conclusion

The Storm-1977 attack campaign is a stark reminder of the rising threat of cloud-based cryptojacking and the importance of robust container security practices. Organizations—especially in the education sector—must prioritize cloud workload protection, enforce least privilege access, and monitor for unusual activity across their cloud infrastructure.