Storm-1977 Hackers Compromised 200+ Crypto Mining Containers Using AzureChecker CLI Tool

Organizations can protect themselves against similar attacks by implementing multi-factor authentication, enforcing the principle of least privilege for all accounts, monitoring for suspicious API calls, and deploying container-specific security solutions capable of detecting anomalous activities within Kubernetes environments. A sophisticated threat actor group, tracked as Storm-1977, has successfully compromised more than 200 containers and repurposed them for cryptocurrency mining operations, using a custom Command Line Interface (CLI) tool known as AzureChecker. The attacks primarily targeted cloud tenants in the education sector through password spray techniques, exploiting weak credential security and authentication mechanisms to gain initial access to cloud environments. Upon gaining access to compromised subscriptions, the attackers demonstrated an advanced understanding of cloud infrastructure, particularly containerized environments, by rapidly deploying more than 200 containers configured specifically for cryptomining operations. Once successful authentication was achieved, the threat actors quickly moved to establish persistence by creating resource groups within the compromised subscriptions, ultimately deploying hundreds of containers configured for cryptomining activities. This command instructs the tool to use credentials from the accounts.txt file, output successful authentications to results.json, and utilize a 30-second timeout between attempts to avoid triggering security alerts based on authentication velocity. The attackers employed a methodical approach, first identifying vulnerable targets through reconnaissance, then utilizing the AzureChecker.exe tool to automate and orchestrate large-scale password spray attacks against cloud environments. The attackers demonstrated sophisticated knowledge of Kubernetes environments, creating containers with configurations specifically designed to maximize cryptomining efficiency while minimizing the chance of detection through normal monitoring channels. Here the attacks against containerized environments can originate from multiple vectors, with compromised accounts representing one of the primary attack surfaces exploited by Storm-1977. The success of these operations highlights the critical importance of implementing robust identity security controls, particularly in educational environments where resource constraints may limit security monitoring capabilities. Analysis of the attack chain revealed sophisticated techniques designed to evade detection while maximizing resource utilization of compromised environments. Microsoft Threat Intelligence researchers identified this campaign during routine threat monitoring operations, observing the unique operational patterns that distinguish Storm-1977 from other cryptomining threat actors. The primary infection vector utilized by Storm-1977 revolves around the AzureChecker.exe CLI tool, which forms the cornerstone of their password spray operations. The infection sequence begins when the AzureChecker tool decrypts the downloaded target list and systematically tests credentials against multiple cloud tenants. Once valid credentials are obtained, Storm-1977 operators leverage guest accounts to create new resource groups within the compromised subscription. The tool’s functionality includes the ability to process an external file named “accounts.txt” containing username and password combinations for authentication attempts. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Apr 2025 08:35:00 +0000


Cyber News related to Storm-1977 Hackers Compromised 200+ Crypto Mining Containers Using AzureChecker CLI Tool

Storm-1977 Hackers Compromised 200+ Crypto Mining Containers Using AzureChecker CLI Tool - Organizations can protect themselves against similar attacks by implementing multi-factor authentication, enforcing the principle of least privilege for all accounts, monitoring for suspicious API calls, and deploying container-specific security ...
1 month ago Cybersecuritynews.com
CVE-2021-47100 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago
New Technology for an Old Industry - A few weeks ago our mining experts sat down with Danny Vicente from Cisco's Coffee and Conversations to discuss what is taking place in the mining industry. In this episode Roland Plett and Bruce Frederick talk about how mining has evolved from the ...
1 year ago Feedpress.me
What Is Container Security? Definition, Benefits, and Risks - Container security is a vital factor for all companies that use containers for running their software, as an alternative to using virtual machines. Container security is a total of policies and tools that are applied to maintain a container running ...
2 years ago Heimdalsecurity.com
Threat Actors Taking Advantage of Unsecured Kubernetes Clusters for Cryptocurrency Mining - Cyber Security News - In a troubling development for cybersecurity professionals, threat actors are increasingly targeting unsecured Kubernetes clusters to deploy cryptocurrency mining operations, leveraging the computational resources of victim organizations without ...
1 month ago Cybersecuritynews.com
New Research Delves Into the World of Malicious Cryptocurrency Mining - As cryptocurrency prices have soared in recent years, malicious cryptocurrency miners have increasingly targeted vulnerable computer systems with malicious crypto-mining software in search of profits. In a new research paper, security researchers at ...
2 years ago Thehackernews.com
10 reasons why securing software supply chains needs to start with containers - Containers and Kubernetes are table stakes for multi-cloud app development, and they're also among the least protected of any areas of software supply chains. Kubernetes commands 92% of the container orchestration platform market, despite DevOps ...
1 year ago Venturebeat.com
Enabling Peer Pods on IBM Z and LinuxONE with Red Hat OpenShift sandboxed containers - Red Hat OpenShift sandboxed containers version 1.5.0, introduces Peer Pods to IBM Z and LinuxONE. This update is the product of a cooperation between IBM and Red Hat, and is an important step in improving sandboxed containers, paving the way for ...
1 year ago Redhat.com
CVE-2024-35292 - A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC ...
11 months ago Tenable.com
CVE-2024-43647 - A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 (6ES7288-1CR40-0AA0) (All versions), SIMATIC S7-200 SMART CPU CR60 (6ES7288-1CR60-0AA0) (All versions), SIMATIC S7-200 SMART CPU SR20 (6ES7288-1SR20-0AA0) (All versions), SIMATIC ...
8 months ago
Microsoft Targets Threat Group Behind Fake Accounts - Microsoft seized parts of the infrastructure of a prolific Vietnam-based threat group that the IT giant said was responsible for creating as many as 750 million fraudulent Microsoft accounts that were then sold to other bad actors and used to launch ...
1 year ago Securityboulevard.com APT29 Scattered Spider
Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus - In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its ...
1 year ago Darkreading.com Lazarus Group
CVE-2019-13945 - A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family < V4.x (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family V4.x (incl. SIPLUS variants) (All ...
4 years ago
Financially motivated threat actors misusing App Installer - Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme to distribute malware. In ...
1 year ago Microsoft.com Black Basta
Rootkit Turns Kubernetes from Orchestration to Subversion - As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - ...
1 year ago Darkreading.com
4500+ WordPress Sites Hacked with a Monero Cryptojacking Campaign - Security researchers recently reported the discovery of a massive Monero hacking campaign targeted at WordPress sites. According to reports, more than 4500 WordPress sites were compromised with a malicious cryptocurrency-mining campaign. The hackers ...
2 years ago Thehackernews.com
CVE-2021-29504 - WP-CLI is the command-line interface for WordPress. An improper error handling in HTTPS requests management in WP-CLI version 0.12.0 and later allows remote attackers able to intercept the communication to remotely disable the certificate ...
3 years ago
North Korean Hackers Stole $600m in Crypto in 2023 - North Korean hackers stole at least $600m in cryptocurrency in 2023, around a third of the total value of such heists, according to blockchain intelligence firm TRM. Despite the eye-watering sum, this figure represents a 30% reduction on ...
1 year ago Infosecurity-magazine.com
A Handbook for Managing Containers on Amazon Web Services - Container management is a way to help you create, govern, and maintain your containers. There are tools and services available that can automate the creation, deployment, maintenance, scaling, and monitoring of application or system containers. In ...
2 years ago Trendmicro.com
Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning - Our structured query language (SQL) injection detection model detected triggers containing unusual patterns that did not correlate to any known open-source or commercial automated vulnerability scanning tool. We have tested all malicious payloads ...
7 months ago Unit42.paloaltonetworks.com
The Week in Ransomware - January 20th, 2023 Crypto Exchanges Under Attack - The week of January 20th, 2023 brought yet another wave of ransomware attacks targeting crypto exchanges. Crypto exchanges all around the world have been hit by a barrage of sophisticated and well-planned ransomware campaigns. From high-profile ...
2 years ago Bleepingcomputer.com
Microsoft Disabled App Installer Abused by Hackers - Threat actors, particularly those with financial motivations, have been observed spreading malware via the ms-appinstaller URI scheme. As a result of this activity, Microsoft has disabled the ms-appinstaller protocol handler by default. The ...
1 year ago Cybersecuritynews.com Carbanak
Wordfence CLI 2.1.0 Adds Email Capability and Unattended Configuration - We've just released Wordfence CLI 2.1.0 which includes two exciting new capabilities. Wordfence CLI can now email you a summary of scan results for both the malware scan and the vulnerability scan. These emails can be sent directly, or via an SMTP ...
1 year ago Wordfence.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
2 years ago Therecord.media
Microsoft Disrupts Cybercrime Service That Created 750 Million Fraudulent Accounts - Microsoft on Wednesday announced the disruption of Storm-1152, a cybercrime-as-a-service ecosystem that created 750 million fraudulent Microsoft accounts in support of phishing, identity theft, and other schemes. The CaaS is believed to have made ...
1 year ago Securityweek.com Scattered Spider