Wednesday, November 6, 2024
HomeCyber AttackHackers Hijacking Microsoft SQL Servers to Compromise Azure Environments

Hackers Hijacking Microsoft SQL Servers to Compromise Azure Environments

Published on

Malware protection

Hackers frequently target Microsoft SQL servers because of their extensive use and possible weaknesses. 

These servers are a top target for hackers looking to make flat profits since these crooks exploit them to steal private information, start ransomware attacks, or obtain unauthorized access to systems.

Microsoft’s cybersecurity specialists recently discovered an unexpected lateral shift to a cloud environment via SQL Server. 

- Advertisement - SIEM as a Service

This approach was previously only observed in VMs and Kubernetes, not in Microsoft SQL Server.

Hijacking Microsoft SQL Servers

Exploiting a SQL injection flaw, attackers gained access and elevated permissions on an Azure VM’s SQL Server. They then tried to move laterally to other cloud resources using the server’s identity.

Cloud identities frequently have higher rights, including those in SQL Server. This attack highlights how crucial it is to secure them in order to safeguard SQL Server and cloud resources from unwanted access.

Several Microsoft Defenders first detected the reported attack path for SQL alerts, which allowed researchers to examine the cloud lateral movement approach and implement additional defenses without having access to the targeted application.

While no evidence of successful lateral movement to cloud resources was found, defenders must understand this SQL Server technique and take mitigation steps.

Attack chain
Attack chain (Source – Microsoft)

As organizations shift to the cloud, new cloud-based attack techniques emerge, notably in lateral movement from on-premises to the cloud.

Attackers use managed cloud identities, such as those in Azure, in cloud systems as a means of lateral mobility. These identities offer convenience, but security dangers are also present.

Known Technique

Although the attack used conventional SQL Server strategies, the lateral shift from SQL Server was new. Multiple queries were then used to collect host, database, and network information after the first SQL injection that granted access.

Here below, we have mentioned the information collected by the attackers:-

  • Databases
  • Table names and schema
  • Database version
  • Network configuration
  • Read permissions
  • Write permissions
  • Delete permissions

Researchers suggest the targeted application likely had elevated permissions, granting attackers similar access. They activated xp_cmdshell to run OS commands through SQL queries, which was initially disabled.

Attackers gained host access after activating xp_cmdshell and running OS commands. Through a scheduled job, they gathered information, downloaded encoded scripts, and preserved persistence. Additionally, they made an effort to get credentials by leaking registry keys.

Threat actors employed a unique data exfiltration method using ‘webhook.site,’ a publicly accessible service. This covert approach allowed them to transmit data discreetly. 

They also attempted to access the cloud identity of the SQL Server instance through IMDS to obtain the access key, leveraging a familiar technique in a distinct environment.

The request to IMDS identity’s endpoint retrieves the cloud identity’s security credentials. Though the attackers failed here, this technique can enable lateral movement. 

This method is an unknown use of cloud identities in SQL Server instances, highlighting the evolving landscape of cloud-based threats.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...