With a billion stolen passwords up for sale on dark web criminal marketplaces, and infostealer malware attacks continuing to add to that number, it’s no wonder that cybercriminals are turning to automatic password hacking machines in their nefarious campaigns. I have previously reported on password spray and pray attacks against Windows users without two-factor authentication, now Microsoft has issued a warning of a new password spraying attack by a hacking group identified only as Storm-1977 that is targeting cloud tenants.
Beware This Password Spraying Attack, Microsoft Warns
The Microsoft Threat Intelligence team has published a new warning after observing hackers taking particular advantage of unsecured workload identities in order to gain access to containerized environments. With Microsoft research showing that 51% of such workload identities being completely inactive over the past year, it’s no wonder that threat actors are exploiting this attack surface. “As the adoption of containers-as-a-service among organizations rises,” the report said, “Microsoft Threat Intelligence continues to monitor the unique security threats that affect containerized environments.” One of these is the password spraying attack, specifically targeting cloud tenants in the education sector, that has now been pinned on the Storm-1977 threat group.
The password spraying attack exploited a command line interface tool called AzureChecker to “download AES-encrypted data that when decrypted reveals the list of password spray targets,” the report said. It then, to add salt to the now open wound, accepted an accounts.txt file containing username and password combinations used for the attack, as input. “The threat actor then used the information from both files and posted the credentials to the target tenants for validation,” Microsoft explained.
The successful attack enabled the Storm-1977 hackers to then leverage a guest account in order to create a compromised subscription resource group and, ultimately, more than 200 containers that were used for cryptomining.
Mitigating The Password Spraying Container Attack Threat
Microsoft said that, in light of attackers such as Storm-1977
increasingly using compromised identities for initial access as well as long-term persistence within an environment, the following mitigations are recommended:
- Use strong authentication when exposing sensitive interfaces to the internet.
- Use strong authentication methods for the Kubernetes API to help prevent attackers from gaining access to the cluster even if valid credentials such as kubeconfig are obtained.
- Avoid using the read-only endpoint of Kubelet on port 10255, which doesn’t require authentication.
- Configure the Kubernetes role-based access controls for each user and service account to have only those permissions that are absolutely necessary.
I have reached out to Microsoft for further information regarding the Storm-1977 password spraying attack campaign.
