Friday, November 1, 2024

Hackers Hijacking Microsoft SQL Servers to Compromise Azure Environments


Hackers frequently target Microsoft SQL servers because of their extensive use and possible weaknesses. 

These servers are a top target for profit-seeking attackers, who exploit them to steal private information, launch ransomware attacks, or obtain unauthorized access to systems.

Microsoft’s cybersecurity specialists recently discovered an unexpected case of lateral movement to a cloud environment via SQL Server.


This approach was previously only observed in VMs and Kubernetes, not in Microsoft SQL Server.

Hijacking Microsoft SQL Servers

Exploiting a SQL injection flaw, attackers gained access and elevated permissions on an Azure VM’s SQL Server. They then tried to move laterally to other cloud resources using the server’s identity.

Cloud identities, including those used by SQL Server, frequently have elevated rights. This attack highlights how crucial it is to secure them in order to safeguard SQL Server and cloud resources from unwanted access.

The reported attack path was first detected through several Microsoft Defender for SQL alerts, which allowed researchers to examine the cloud lateral movement approach and implement additional defenses without having access to the targeted application.

While no evidence of successful lateral movement to cloud resources was found, defenders must understand this SQL Server technique and take mitigation steps.

Attack chain (Source – Microsoft)

As organizations shift to the cloud, new cloud-based attack techniques emerge, notably in lateral movement from on-premises to the cloud.

Attackers use managed cloud identities, such as those in Azure, as a means of lateral movement in cloud systems. These identities offer convenience, but they also carry security risks.

Known Technique

Although the attack used conventional SQL Server techniques, the lateral movement from SQL Server was new. After the initial SQL injection granted access, the attackers ran multiple queries to collect host, database, and network information.

The attackers collected the following information:

  • Databases
  • Table names and schema
  • Database version
  • Network configuration
  • Read permissions
  • Write permissions
  • Delete permissions

Researchers suggest the targeted application likely had elevated permissions, granting attackers similar access. The attackers enabled xp_cmdshell, which was initially disabled, to run OS commands through SQL queries.

Attackers gained host access after enabling xp_cmdshell and running OS commands. Through a scheduled job, they gathered information, downloaded encoded scripts, and maintained persistence. Additionally, they attempted to obtain credentials by dumping registry keys.

Threat actors employed a unique data exfiltration method using ‘webhook.site,’ a publicly accessible service. This covert approach allowed them to transmit data discreetly. 

They also attempted to access the cloud identity of the SQL Server instance through IMDS to obtain the access key, leveraging a familiar technique in a distinct environment.

A request to the IMDS identity endpoint returns the cloud identity’s security credentials. Though the attackers failed here, this technique can enable lateral movement.

This is a previously unseen use of cloud identities in SQL Server instances, highlighting the evolving landscape of cloud-based threats.
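One way to hunt for the host-side activity described above, as an added example that is not from the original article or from Microsoft: it follows process lineage from sqlservr.exe (commands run through xp_cmdshell start as its child processes) and tags descendants that create scheduled tasks, export registry keys, contact webhook.site, or request the IMDS identity endpoint. The event tuple format, task names, and paths are constructed placeholders; 169.254.169.254 is the IMDS address.

```python
import re

# Constructed process-creation events (not from the incident), in time order:
# (time, pid, parent pid, image, command line). Names and paths are placeholders.
EVENTS = [
    ("10:00:00", 100, 4, "sqlservr.exe", "sqlservr.exe -sMSSQLSERVER"),
    ("10:00:09", 200, 100, "cmd.exe", "cmd.exe /c example.cmd"),
    ("10:01:30", 201, 200, "schtasks.exe", "schtasks /create /tn EXAMPLE-TASK /tr example.cmd"),
    ("10:02:10", 202, 200, "reg.exe", r"reg save HKLM\EXAMPLE-KEY example.sav"),
    ("10:03:00", 203, 200, "powershell.exe", "powershell -c iwr https://webhook.site/EXAMPLE-ID"),
    ("10:04:00", 204, 200, "curl.exe", "curl http://169.254.169.254/metadata/identity/oauth2/token"),
    ("11:00:00", 300, 4, "explorer.exe", "explorer.exe"),
    ("11:00:05", 301, 300, "curl.exe", "curl http://169.254.169.254/metadata/instance"),
    ("11:00:09", 302, 300, "schtasks.exe", "schtasks /create /tn BACKUP /tr backup.cmd"),
]

# Command-line patterns for the behaviours the article lists.
INDICATORS = {
    "scheduled_task_created": re.compile(r"\bschtasks\b.*\s/create\b", re.I),
    "registry_key_export": re.compile(r"\breg(\.exe)?\s+(save|export)\b", re.I),
    "webhook_site_traffic": re.compile(r"\bwebhook\.site\b", re.I),
    "imds_identity_request": re.compile(r"169\.254\.169\.254/metadata/identity", re.I),
}

def sql_descendants(events):
    """Return the pids of every process descended from sqlservr.exe."""
    roots = {pid for _, pid, _, image, _ in events if image.lower() == "sqlservr.exe"}
    tainted = set()
    for _, pid, ppid, _, _ in events:  # parents appear before their children
        if ppid in roots or ppid in tainted:
            tainted.add(pid)
    return tainted

def detect(events):
    """Flag every OS command running under SQL Server, tagged with matched indicators."""
    tainted = sql_descendants(events)
    alerts = []
    for time, pid, _, _, cmdline in events:
        if pid not in tainted:
            continue  # same command outside the SQL Server process tree is not flagged
        names = [n for n, rx in INDICATORS.items() if rx.search(cmdline)]
        alerts.append((time, pid, names or ["os_command_under_sql_server"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Any process under sqlservr.exe is reported even without an indicator match, since a database engine spawning a command shell is itself worth triage.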


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
