Hackers Hijacking Microsoft SQL Servers to Compromise Azure Environments

Hackers frequently target Microsoft SQL servers because of their extensive use and possible weaknesses. 

These servers are a top target for hackers looking to make flat profits since these crooks exploit them to steal private information, start ransomware attacks, or obtain unauthorized access to systems.

Microsoft’s cybersecurity specialists recently discovered an unexpected lateral shift to a cloud environment via SQL Server. 

This approach was previously only observed in VMs and Kubernetes, not in Microsoft SQL Server.

Hijacking Microsoft SQL Servers

Exploiting a SQL injection flaw, attackers gained access and elevated permissions on an Azure VM’s SQL Server. They then tried to move laterally to other cloud resources using the server’s identity.

Cloud identities frequently have higher rights, including those in SQL Server. This attack highlights how crucial it is to secure them in order to safeguard SQL Server and cloud resources from unwanted access.

Several Microsoft Defenders first detected the reported attack path for SQL alerts, which allowed researchers to examine the cloud lateral movement approach and implement additional defenses without having access to the targeted application.

While no evidence of successful lateral movement to cloud resources was found, defenders must understand this SQL Server technique and take mitigation steps.

Attack chain (Source – Microsoft)

As organizations shift to the cloud, new cloud-based attack techniques emerge, notably in lateral movement from on-premises to the cloud.

Attackers use managed cloud identities, such as those in Azure, in cloud systems as a means of lateral mobility. These identities offer convenience, but security dangers are also present.

Known Technique

Although the attack used conventional SQL Server strategies, the lateral shift from SQL Server was new. Multiple queries were then used to collect host, database, and network information after the first SQL injection that granted access.

Here below, we have mentioned the information collected by the attackers:-

  • Databases
  • Table names and schema
  • Database version
  • Network configuration
  • Read permissions
  • Write permissions
  • Delete permissions

Researchers suggest the targeted application likely had elevated permissions, granting attackers similar access. They activated xp_cmdshell to run OS commands through SQL queries, which was initially disabled.

Attackers gained host access after activating xp_cmdshell and running OS commands. Through a scheduled job, they gathered information, downloaded encoded scripts, and preserved persistence. Additionally, they made an effort to get credentials by leaking registry keys.

Threat actors employed a unique data exfiltration method using ‘webhook.site,’ a publicly accessible service. This covert approach allowed them to transmit data discreetly. 

They also attempted to access the cloud identity of the SQL Server instance through IMDS to obtain the access key, leveraging a familiar technique in a distinct environment.

The request to IMDS identity’s endpoint retrieves the cloud identity’s security credentials. Though the attackers failed here, this technique can enable lateral movement. 

This method is an unknown use of cloud identities in SQL Server instances, highlighting the evolving landscape of cloud-based threats.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago