Storm-1977 Targets Education Sector with Password Spraying

Microsoft has raised an alert regarding the activities of Storm-1977, a threat actor targeting cloud environments in the education sector, Security Affairs reports. Over the past year, researchers observed Storm-1977 using a tool called AzureChecker.exe to launch password spray attacks. This tool connected to a remote domain to download encrypted data, which, once decrypted, revealed lists of usernames and passwords. Attackers then attempted to validate these credentials against multiple cloud tenants, aiming to gain unauthorized access.

In one incident, Microsoft identified a successful breach where a guest account was used to create a resource group and deploy more than 200 containers for cryptomining activities. The use of cloud resources for illicit purposes like cryptomining remains a common tactic among attackers seeking to profit from compromised infrastructure without immediate detection.

The security risks extend beyond account compromise. Microsoft highlights that containerized environments—such as Kubernetes clusters, workloads, and registries—introduce multiple vulnerabilities if not properly secured. Threats include vulnerable or misconfigured images, API exposures, environment misconfigurations, application-level attacks like SQL injection, and node-level attacks such as pod escapes.

Organizations operating in cloud environments, particularly in education, are encouraged to strengthen their security posture. This includes securing code, dependencies, container images, CI/CD pipelines, and runtime configurations to limit opportunities for attackers to exploit weaknesses and escalate their access.
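The password spray pattern described above (many accounts, few tries each, spread across tenants) can be separated from ordinary brute force and user typos in sign-in logs. The sketch below is an added example, not code from Microsoft or the article; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry); field names are hypothetical.
def rec(minute, ip, tenant, user, ok=False):
    return {"ts": datetime(2025, 1, 1, 9, 0) + timedelta(minutes=minute),
            "ip": ip, "tenant": tenant, "user": user, "ok": ok}

SAMPLE = (
    # one source, one attempt per account, spread over two tenants: spray pattern
    [rec(i, "203.0.113.7", "tenant-a" if i % 2 else "tenant-b", f"user{i}",
         ok=(i == 5)) for i in range(12)]
    # one source hammering a single account: brute force, not spray
    + [rec(i, "198.51.100.9", "tenant-a", "admin") for i in range(15)]
    # ordinary user mistyping a password, then succeeding
    + [rec(1, "192.0.2.44", "tenant-b", "alice"),
       rec(2, "192.0.2.44", "tenant-b", "alice", ok=True)]
)

def detect_spray(records, window=timedelta(minutes=30),
                 min_users=10, max_tries_per_user=2):
    """Flag sources that try many distinct accounts with few tries each."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, recs in by_ip.items():
        start = 0
        for end in range(len(recs)):
            # advance the left edge until the window spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            tries = defaultdict(int)
            for r in win:
                tries[(r["tenant"], r["user"])] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_tries_per_user:
                findings[ip] = {
                    "accounts_tried": len(tries),
                    "tenants": sorted({r["tenant"] for r in win}),
                    # successes inside a spray window are the accounts to reset first
                    "compromised": sorted(r["user"] for r in win if r["ok"]),
                }
    return findings

if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE).items():
        print(ip, f)
```

Any account listed under `compromised` authenticated from a spraying source and should be treated as breached: reset it and review what it created afterwards, such as new resource groups or container deployments.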
