Hackers Hijacking Microsoft SQL Servers to Compromise Azure Environments

Hackers frequently target Microsoft SQL servers because of their extensive use and possible weaknesses. 

These servers are a top target for hackers looking to make flat profits since these crooks exploit them to steal private information, start ransomware attacks, or obtain unauthorized access to systems.

Microsoft’s cybersecurity specialists recently discovered an unexpected lateral shift to a cloud environment via SQL Server. 

This approach was previously only observed in VMs and Kubernetes, not in Microsoft SQL Server.

Hijacking Microsoft SQL Servers

Exploiting a SQL injection flaw, attackers gained access and elevated permissions on an Azure VM’s SQL Server. They then tried to move laterally to other cloud resources using the server’s identity.

Cloud identities frequently have higher rights, including those in SQL Server. This attack highlights how crucial it is to secure them in order to safeguard SQL Server and cloud resources from unwanted access.

Several Microsoft Defenders first detected the reported attack path for SQL alerts, which allowed researchers to examine the cloud lateral movement approach and implement additional defenses without having access to the targeted application.

While no evidence of successful lateral movement to cloud resources was found, defenders must understand this SQL Server technique and take mitigation steps.

Attack chain (Source – Microsoft)

As organizations shift to the cloud, new cloud-based attack techniques emerge, notably in lateral movement from on-premises to the cloud.

Attackers use managed cloud identities, such as those in Azure, in cloud systems as a means of lateral mobility. These identities offer convenience, but security dangers are also present.

Known Technique

Although the attack used conventional SQL Server strategies, the lateral shift from SQL Server was new. Multiple queries were then used to collect host, database, and network information after the first SQL injection that granted access.

Here below, we have mentioned the information collected by the attackers:-

  • Databases
  • Table names and schema
  • Database version
  • Network configuration
  • Read permissions
  • Write permissions
  • Delete permissions

Researchers suggest the targeted application likely had elevated permissions, granting attackers similar access. They activated xp_cmdshell to run OS commands through SQL queries, which was initially disabled.

Attackers gained host access after activating xp_cmdshell and running OS commands. Through a scheduled job, they gathered information, downloaded encoded scripts, and preserved persistence. Additionally, they made an effort to get credentials by leaking registry keys.

Threat actors employed a unique data exfiltration method using ‘webhook.site,’ a publicly accessible service. This covert approach allowed them to transmit data discreetly. 

They also attempted to access the cloud identity of the SQL Server instance through IMDS to obtain the access key, leveraging a familiar technique in a distinct environment.

The request to IMDS identity’s endpoint retrieves the cloud identity’s security credentials. Though the attackers failed here, this technique can enable lateral movement. 

This method is an unknown use of cloud identities in SQL Server instances, highlighting the evolving landscape of cloud-based threats.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago