Storm-1977 Hackers Compromised 200+ Crypto Mining Containers Using AzureChecker CLI Tool
A sophisticated threat actor group, tracked as Storm-1977, has successfully compromised more than 200 containers and repurposed them for cryptocurrency mining operations, using a custom Command Line Interface (CLI) tool known as AzureChecker.
The attacks primarily targeted cloud tenants in the education sector through password spray techniques, exploiting weak credential security and authentication mechanisms to gain initial access to cloud environments.
The attackers employed a methodical approach, first identifying vulnerable targets through reconnaissance, then utilizing the AzureChecker.exe tool to automate and orchestrate large-scale password spray attacks against cloud environments.
Once successful authentication was achieved, the threat actors quickly moved to establish persistence by creating resource groups within the compromised subscriptions, ultimately deploying hundreds of containers configured for cryptomining activities.
Microsoft Threat Intelligence researchers identified this campaign during routine threat monitoring operations, observing the unique operational patterns that distinguish Storm-1977 from other cryptomining threat actors.
Analysis of the attack chain revealed sophisticated techniques designed to evade detection while maximizing resource utilization of compromised environments.
Upon gaining access to compromised subscriptions, the attackers demonstrated an advanced understanding of cloud infrastructure, particularly containerized environments, by rapidly deploying more than 200 containers configured specifically for cryptomining operations.
The scale and efficiency of deployment suggest a well-developed operational framework designed to quickly monetize compromised resources.
Infection Mechanism and Technical Analysis
The primary infection vector utilized by Storm-1977 revolves around the AzureChecker.exe CLI tool, which forms the cornerstone of their password spray operations.
This tool was observed connecting to a command and control server at sac-auth[.]nodefunction[.]vip, from which it downloaded AES-encrypted data containing targeted account information.
The tool’s functionality includes the ability to process an external file named “accounts.txt” containing username and password combinations for authentication attempts.
The infection sequence begins when the AzureChecker tool decrypts the downloaded target list and systematically tests credentials against multiple cloud tenants.
A typical execution of the tool might resemble:
AzureChecker.exe -i accounts.txt -o results.json -t 30
This command instructs the tool to use credentials from the accounts.txt file, output successful authentications to results.json, and utilize a 30-second timeout between attempts to avoid triggering security alerts based on authentication velocity.
Once valid credentials are obtained, Storm-1977 operators leverage guest accounts to create new resource groups within the compromised subscription.
The attackers demonstrated sophisticated knowledge of Kubernetes environments, creating containers with configurations specifically designed to maximize cryptomining efficiency while minimizing the chance of detection through normal monitoring channels.
Attacks against containerized environments can originate from multiple vectors, and compromised accounts were one of the primary attack surfaces exploited by Storm-1977.
The success of these operations highlights the critical importance of implementing robust identity security controls, particularly in educational environments where resource constraints may limit security monitoring capabilities.
Organizations can protect themselves against similar attacks by implementing multi-factor authentication, enforcing the principle of least privilege for all accounts, monitoring for suspicious API calls, and deploying container-specific security solutions capable of detecting anomalous activities within Kubernetes environments.
The post Storm-1977 Hackers Compromised 200+ Crypto Mining Containers Using AzureChecker CLI Tool appeared first on Cyber Security News.