Microsoft has described a recent campaign in which attackers made an unsuccessful attempt to use a SQL Server instance as a stepping stone for lateral movement into a cloud environment.
According to a report released on Tuesday by security experts Sunders Bruskin, Hagai Ran Kestenberg, and Fady Nasereldeen, “the attackers initially exploited a SQL injection vulnerability in an application within the target’s environment.”
This gave the attackers access to a Microsoft SQL Server instance running on an Azure Virtual Machine (VM), along with elevated permissions.
The threat actors then attempted to reach further cloud resources by abusing the server's cloud identity, which may hold elevated permissions and would let them carry out a variety of malicious actions against any cloud resource that identity can access.
A SQL injection against the database server serves as the launchpad for the attack chain, enabling the adversary to run queries that reveal details about the host, databases, and network configuration.
The application targeted by the SQL injection vulnerability in the observed intrusions is thought to have had elevated permissions, enabling the attackers to turn on the xp_cmdshell option and run operating system commands to move to the next stage.
This involved gathering information, obtaining PowerShell scripts and executables, and establishing persistence by setting up a scheduled task to launch a backdoor script.
Data exfiltration is accomplished using the publicly available tool webhook[.]site, chosen in an effort to remain undetected because outbound traffic to the service looks legitimate and is unlikely to be flagged.
According to the researchers, “the attackers tried using the SQL Server instance’s cloud identity by accessing the [instance metadata service] and obtaining the cloud identity access key. The identity token for the cloud identity is returned by the request to the IMDS identity’s endpoint.”
Although the operation failed owing to an unidentified error, its ultimate purpose appears to have been to misuse the token to carry out various actions on cloud resources, including lateral movement across the cloud environment.
The development highlights the increasing sophistication of cloud-based attack approaches, with hostile actors constantly searching for highly privileged processes, accounts, managed identities, and database connections to carry out further illegal actions.
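One defender-side way to surface the chain described above in host telemetry, as an added example that is not from the Microsoft report. It assumes a constructed, normalized "timestamp process key=value" event format (the sample lines are made up, including the webhook path), and that the environment's legitimate IMDS clients (such as the Azure guest agent) are passed in so that their metadata requests are not flagged.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not from the Microsoft report), one event per line.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z sqlservr.exe stmt="EXEC sp_configure 'show advanced options', 1; RECONFIGURE"
2024-05-01T10:00:02Z sqlservr.exe stmt="EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE"
2024-05-01T10:00:05Z sqlservr.exe child=powershell.exe
2024-05-01T10:00:09Z powershell.exe dst=169.254.169.254 path=/metadata/identity/oauth2/token
2024-05-01T10:00:12Z powershell.exe dst=webhook.site path=/placeholder-uuid
2024-05-01T11:30:00Z sqlservr.exe stmt="SELECT name FROM sys.databases"
""".splitlines()

# One rule per stage of the chain: enabling xp_cmdshell, SQL Server spawning a shell,
# a managed-identity token request to IMDS, and outbound traffic to webhook.site.
RULES = {
    "xp_cmdshell_enabled": re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I),
    "sql_spawned_shell": re.compile(r"^sqlservr\.exe child=(cmd|powershell)\.exe", re.I),
    "imds_identity_token": re.compile(r"dst=169\.254\.169\.254 path=/metadata/identity"),
    "webhook_exfil": re.compile(r"dst=webhook\.site\b"),
}

def parse(line):
    """Split an event into (timestamp, process name, 'process rest-of-line')."""
    ts, proc, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), proc, f"{proc} {rest}"

def detect(events, expected_imds_clients=(), window_seconds=300):
    """Return (hits, chained): hits is a list of (stage, timestamp); chained is True when
    xp_cmdshell enablement is followed by an IMDS identity-token request within the window."""
    hits = []
    for line in events:
        ts, proc, body = parse(line)
        for stage, rx in RULES.items():
            # IMDS requests from known-good agents are expected; skip those.
            if stage == "imds_identity_token" and proc in expected_imds_clients:
                continue
            if rx.search(body):
                hits.append((stage, ts))
    enabled = [t for s, t in hits if s == "xp_cmdshell_enabled"]
    imds = [t for s, t in hits if s == "imds_identity_token"]
    chained = any(0 <= (i - e).total_seconds() <= window_seconds
                  for e in enabled for i in imds)
    return hits, chained
```

The correlation is what matters: a lone xp_cmdshell change may be an admin, but one followed within minutes by a token request from a process that is not the platform agent matches the reported chain.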
“This is a technique we are familiar with in other cloud services such as VMs and Kubernetes clusters but haven’t seen before in SQL Server instances,” the researchers said in their analysis.
“SQL Server instances and cloud resources may be subject to similar threats if cloud identities are not adequately secured.