In recent news, cybersecurity experts from Microsoft have identified a concerning trend of hackers targeting Microsoft SQL servers. These servers have become a popular target for hackers due to their widespread use and potential vulnerabilities. Hackers exploit these servers to carry out various malicious activities such as stealing private information, initiating ransomware attacks, or gaining unauthorized access to systems.
What sets this particular attack apart is the unexpected lateral movement into a cloud environment via Microsoft SQL Server. Previously, this approach had only been observed from virtual machines (VMs) and Kubernetes, not from SQL Server. By exploiting a SQL injection flaw, attackers gained access to and elevated their permissions on a SQL Server instance running on an Azure VM. From there, they attempted to move laterally to other cloud resources using the server's cloud identity.
Cloud identities, including the one assigned to a SQL Server instance, often hold elevated permissions. This attack highlights the importance of securing cloud identities to prevent unwanted access to SQL Server and to cloud resources. Microsoft Defender detected the reported attack path through its SQL alerts, allowing researchers to investigate the cloud lateral movement approach and implement additional defenses without accessing the targeted application. While no evidence of successful lateral movement to cloud resources was found, it is crucial for defenders to understand this SQL Server technique and take appropriate mitigation steps.
As organizations increasingly shift to the cloud, new cloud-based attack techniques are emerging, particularly in lateral movement from on-premises to the cloud. Attackers exploit managed cloud identities, such as those in Azure, as a means of lateral mobility. While these identities offer convenience, they also present security risks.
Although the attack used conventional SQL Server techniques, the lateral movement from SQL Server into the cloud was a new development. After the initial SQL injection granted access, attackers ran multiple queries to collect information such as database and table names, schema, database version, network configuration, and the permissions available to them. The targeted application likely ran with elevated permissions, enabling the attackers to enable xp_cmdshell, which let them run operating system commands through SQL queries.
After gaining host access, attackers gathered information, downloaded encoded scripts, and maintained persistence through a scheduled job. They also attempted to obtain credentials by dumping registry keys. Notably, the threat actors used a distinctive data exfiltration method: 'webhook.site', a publicly accessible service, to transmit data discreetly.
Additionally, the attackers tried to access the cloud identity of the SQL Server instance through IMDS (Instance Metadata Service) to obtain an access key. Despite their efforts, they did not succeed. However, this technique can enable lateral movement and represents a previously unseen use of cloud identities from SQL Server instances, underscoring the evolving landscape of cloud-based threats.
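The chain described above (xp_cmdshell enablement and use, scheduled-task persistence, exfiltration to webhook.site, and a token request to the Azure IMDS endpoint) is easier to spot when each stage is checked in one pass. The following detector is an added example written for this article, not code from Microsoft or from the original report; the log format and the log lines are constructed for illustration, and 169.254.169.254 is Azure's well-known IMDS address.

```python
import re

# Constructed sample events (not from the report): a simplified mix of SQL Server
# audit statements and host process/network events, one event per line.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z sql stmt=SELECT name FROM sys.databases
2024-01-01T10:00:05Z sql stmt=EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2024-01-01T10:00:06Z sql stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2024-01-01T10:00:09Z sql stmt=EXEC xp_cmdshell 'whoami /all'
2024-01-01T10:01:00Z proc image=schtasks.exe cmdline=schtasks /create /sc minute /tn upd /tr powershell.exe
2024-01-01T10:02:00Z net dst=webhook.site proto=https
2024-01-01T10:03:00Z net dst=169.254.169.254 path=/metadata/identity/oauth2/token
2024-01-01T10:04:00Z sql stmt=SELECT * FROM Orders WHERE id = 42
"""

# One rule per stage of the chain described in the article.
RULES = [
    ("xp_cmdshell_enabled", r"sp_configure\s+'xp_cmdshell'\s*,\s*1"),
    ("xp_cmdshell_exec", r"\bxp_cmdshell\b\s+'"),
    ("scheduled_task_persistence", r"schtasks(?:\.exe)?\s+/create"),
    ("webhook_site_exfil", r"dst=webhook\.site"),
    ("imds_token_request", r"dst=169\.254\.169\.254.*?/metadata/identity"),
]


def scan(log_text):
    """Return a list of (rule_name, matching_line) for every rule hit."""
    hits = []
    for line in log_text.splitlines():
        for name, pattern in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((name, line))
    return hits


def distinct_stages(hits):
    """Set of chain stages observed; several distinct stages on one host is the signal."""
    return {name for name, _ in hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for name, line in found:
        print(f"[{name}] {line}")
    print("stages observed:", sorted(distinct_stages(found)))
```

Benign query traffic (the two plain SELECT lines) produces no hits, so the rule set keys on the configuration change, persistence, exfiltration and identity-access stages rather than on reconnaissance queries alone.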
In conclusion, the targeting of Microsoft SQL servers by hackers continues to be a significant concern for cybersecurity experts. The recent discovery of lateral movement to a cloud environment through SQL Server highlights the need for organizations to prioritize securing their cloud identities and implementing robust defenses against such attacks. As the cloud landscape evolves, defenders must stay vigilant and adapt their security measures accordingly.
