In a recent report, Microsoft has revealed details of a cyber attack campaign in which threat actors attempted, albeit unsuccessfully, to infiltrate a cloud environment through an SQL Server instance.
According to security researchers Sunders Bruskin, Hagai Ran Kestenberg, and Fady Nasereldeen, the attackers initiated the breach by exploiting a SQL injection vulnerability within an application in the target environment. This initial exploit granted the attacker access and elevated permissions on a Microsoft SQL Server instance deployed on an Azure Virtual Machine (VM).
Subsequently, the threat actors sought to move laterally to additional cloud resources by exploiting the server’s cloud identity, which potentially had elevated permissions to carry out various malicious actions in the cloud environment.
However, Microsoft confirmed that there is no evidence indicating the attackers successfully progressed to the cloud resources using this technique.
The attack chain began with an SQL injection against the database server, enabling the adversary to run queries to gather information about the host, databases, and network configuration. In this case, it’s suspected that the targeted application had elevated permissions, allowing the attackers to enable the xp_cmdshell option, granting them the ability to execute operating system commands.
This phase of the attack involved reconnaissance, downloading of executables and PowerShell scripts, and establishing persistence through a scheduled task to initiate a backdoor script.
To exfiltrate data, the attackers leveraged a publicly accessible tool named webhook[.]site. This choice helped them evade detection, as outgoing traffic to the service appeared legitimate and less likely to be flagged.
The attackers attempted to use the cloud identity of the SQL Server instance by querying the instance metadata service (IMDS) and requesting an access token for that identity. The token returned by the IMDS identity endpoint is the credential the cloud identity uses to authenticate, so obtaining it is equivalent to obtaining the identity itself.
The primary objective of the operation seemed to be the abuse of the token to carry out various operations on cloud resources, including lateral movement across the cloud environment. However, due to an unspecified error, the operation ultimately failed.
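The chain described above can be mapped onto host and database telemetry so an analyst can see how far an intrusion progressed. The following is an added example, not code from Microsoft's report: the log format, field names and sample events are constructed assumptions; 169.254.169.254 and the /metadata/identity/oauth2/token path are Azure's documented IMDS endpoint.

```python
import re

# Constructed sample events (assumed format), one stage of the reported chain per line.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:01Z sql_audit db=app user=app_svc stmt=EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "2024-01-01T10:00:02Z sql_audit db=app user=app_svc stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2024-01-01T10:00:05Z sql_audit db=app user=app_svc stmt=EXEC xp_cmdshell 'hostname'",
    "2024-01-01T10:00:09Z process parent=sqlservr.exe image=cmd.exe cmdline=schtasks /create /tn Updater /tr backdoor.ps1",
    "2024-01-01T10:00:20Z network parent=sqlservr.exe dst=webhook.site:443",
    "2024-01-01T10:00:30Z network parent=sqlservr.exe dst=169.254.169.254:80 uri=/metadata/identity/oauth2/token",
    "2024-01-01T10:01:00Z sql_audit db=app user=app_svc stmt=SELECT name FROM sys.databases",
]

# Rules are ordered as the report describes the chain; the first matching rule labels the event.
RULES = [
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s+'xp_cmdshell',\s*1", re.I)),
    ("os_command_via_sql", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("scheduled_task_from_sql", re.compile(r"parent=sqlservr\.exe.*schtasks\s+/create", re.I)),
    ("exfil_webhook_site", re.compile(r"parent=sqlservr\.exe.*dst=webhook\.site", re.I)),
    ("imds_token_request", re.compile(r"parent=sqlservr\.exe.*dst=169\.254\.169\.254.*metadata/identity", re.I)),
]


def triage(events):
    """Return (stage, event) for every event that matches a rule; unmatched events are dropped."""
    findings = []
    for ev in events:
        stage = next((name for name, rx in RULES if rx.search(ev)), None)
        if stage is not None:
            findings.append((stage, ev))
    return findings


def chain_coverage(findings):
    """Stages observed, in chain order, so the analyst can see where the intrusion was stopped."""
    seen = {stage for stage, _ in findings}
    return [name for name, _ in RULES if name in seen]


if __name__ == "__main__":
    for stage, ev in triage(SAMPLE_EVENTS):
        print(f"{stage:24s} {ev}")
    print("chain stages observed:", chain_coverage(triage(SAMPLE_EVENTS)))
```

A process or network event whose parent is sqlservr.exe is the common thread: the database engine should not normally spawn schedulers or call the metadata service, so those edges are high-signal regardless of the exact command.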
This incident highlights the increasing sophistication of cloud-based attack techniques, with threat actors actively seeking out over-privileged processes, accounts, managed identities, and database connections to conduct further malicious activities.
The researchers emphasized the importance of properly securing cloud identities, as failure to do so can expose SQL Server instances and associated cloud resources to similar risks. This particular method offers attackers an opportunity to inflict greater impact not only on SQL Server instances but also on connected cloud resources.