Recent observations show attackers attempting to move from vulnerable Microsoft SQL Servers into the surrounding cloud environment. Microsoft’s security researchers note that this kind of lateral movement is not new, having previously been seen against services such as VMs and Kubernetes clusters, but using SQL Servers as the starting point is a novel approach.
Attack Overview

The intrusion begins with the exploitation of a SQL injection flaw in an application residing in the targeted environment. This gives the attackers access to the SQL Server instance hosted on an Azure Virtual Machine. Once inside, they obtain elevated permissions that allow them to execute SQL commands and extract valuable data: information on databases, schemas, table names, versions, network configuration, and various permissions.
If the compromised application holds high-level permissions, the attackers can enable commands that run operating-system instructions through SQL, giving them direct access to the host system. The actions taken at this stage cover a broad spectrum:
- Surveying directories, enumerating processes, and assessing network shares.
- Downloading encoded and compacted executables along with PowerShell scripts.
- Initiating a scheduled task to instigate a backdoor script.
- Gleaning user credentials by extracting specific registry keys.
- Exfiltrating data using a distinctive method built on the ‘webhook.site’ service, a legitimate service for inspecting HTTP requests and emails.
Using a legitimate service for data exfiltration masks the attackers’ traffic and makes it appear less suspicious, reducing the likelihood of detection by security tools and enabling covert data theft.
The attackers then attempted to abuse the cloud identity of the SQL Server instance. Their objective was to reach the Instance Metadata Service (IMDS) and obtain the cloud identity access key. Within Azure, resources are frequently assigned managed identities so they can authenticate to other cloud assets and services; with that key in hand, the attackers could potentially reach a wide range of cloud resources.
Microsoft confirmed that the attackers failed at this step because of errors on their part. The potential effectiveness of the technique, however, makes it a looming risk for enterprises.
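Microsoft’s report ships hunting queries for its own tooling; the following is an added illustration, not code from the article or from Microsoft, that encodes the host-level steps listed above and the IMDS step as a small detection pass over constructed endpoint telemetry from a VM running SQL Server. The event layout, field names, sample command lines and the webhook.site path are assumptions made for the example; the IMDS address and token endpoint path are Azure’s documented ones.

```python
import re

IMDS_IP = "169.254.169.254"                          # Azure Instance Metadata Service
IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token"  # managed-identity token endpoint
SQL_PROCESS = "sqlservr.exe"                         # SQL Server engine process

# Constructed sample telemetry (not real data). 'ancestry' is the parent
# process chain, oldest first, so anything spawned through SQL Server shows
# sqlservr.exe at its root.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "image": "cmd.exe", "ancestry": ["sqlservr.exe"],
     "cmdline": 'cmd.exe /c "whoami & net share & tasklist"'},
    {"id": 2, "kind": "process", "image": "powershell.exe",
     "ancestry": ["sqlservr.exe", "cmd.exe"],
     # constructed blob; it encodes the harmless command "Start-Sleep"
     "cmdline": "powershell.exe -NoP -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"id": 3, "kind": "process", "image": "schtasks.exe",
     "ancestry": ["sqlservr.exe", "cmd.exe"],
     "cmdline": 'schtasks.exe /create /tn "SqlMaintenance" /tr "C:\\ProgramData\\m.ps1" /sc hourly'},
    {"id": 4, "kind": "process", "image": "reg.exe",
     "ancestry": ["sqlservr.exe", "cmd.exe"],
     "cmdline": "reg.exe save HKLM\\SECURITY C:\\Windows\\Temp\\s.dat"},
    {"id": 5, "kind": "network", "image": "powershell.exe",
     "ancestry": ["sqlservr.exe", "cmd.exe"],
     "dest": "webhook.site", "port": 443, "url": "/constructed-placeholder-id"},
    {"id": 6, "kind": "network", "image": "powershell.exe",
     "ancestry": ["sqlservr.exe", "cmd.exe"], "dest": IMDS_IP, "port": 80,
     "url": IMDS_TOKEN_PATH + "?api-version=2018-02-01&resource=https://management.azure.com/"},
    # Control: the same token request from an administrator's interactive session.
    {"id": 7, "kind": "network", "image": "powershell.exe", "ancestry": ["explorer.exe"],
     "dest": IMDS_IP, "port": 80,
     "url": IMDS_TOKEN_PATH + "?api-version=2018-02-01&resource=https://management.azure.com/"},
]

ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
HIVE_EXPORT = re.compile(r"\b(?:save|export)\b.*\\(?:SAM|SECURITY|SYSTEM)\b", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}


def spawned_by_sql_server(event):
    """True when sqlservr.exe appears anywhere in the event's process ancestry."""
    return SQL_PROCESS in (p.lower() for p in event["ancestry"])


def analyse(events):
    """Return (event id, rule name, severity) for every rule an event matches."""
    hits = []
    for ev in events:
        from_sql = spawned_by_sql_server(ev)
        image = ev["image"].lower()
        if ev["kind"] == "process":
            cmd = ev.get("cmdline", "")
            if from_sql and image in SHELLS:
                hits.append((ev["id"], "os_shell_spawned_by_sql_server", "high"))
            if ENCODED_PS.search(cmd):
                hits.append((ev["id"], "encoded_powershell", "medium"))
            if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
                hits.append((ev["id"], "scheduled_task_created", "high" if from_sql else "medium"))
            if image == "reg.exe" and HIVE_EXPORT.search(cmd):
                hits.append((ev["id"], "registry_hive_export", "high"))
        elif ev["kind"] == "network":
            if ev["dest"].lower().endswith("webhook.site"):
                hits.append((ev["id"], "possible_exfil_to_webhook_site", "medium"))
            if ev["dest"] == IMDS_IP and ev.get("url", "").startswith(IMDS_TOKEN_PATH):
                # Token requests are routine from admin tooling; from the SQL
                # Server process tree they are the cloud-identity theft step.
                hits.append((ev["id"], "imds_identity_token_request",
                             "critical" if from_sql else "low"))
    return hits


if __name__ == "__main__":
    for event_id, rule, severity in analyse(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule} [{severity}]")
```

The value of the ancestry check is in the last rule: a managed-identity token request is normal for administrative tooling on the VM, so it is the combination of the IMDS endpoint and a process tree rooted in sqlservr.exe, not the request by itself, that should page someone.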
To close out the operation, the attackers deleted the downloaded files and reverted their temporary database changes to remove evidence of the intrusion.
Recommendations for Defense

Microsoft advises deploying Defender for Cloud and Defender for Endpoint. These tools can identify SQL injection and suspicious SQLCMD activity, both of which were characteristic of the observed intrusion.
As a preventive measure, Microsoft stresses the importance of following the principle of least privilege when assigning user permissions, which makes any attempt at lateral movement harder.
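As an added example, not from the article or from Microsoft’s report, the following audit checks a SQL Server host against the weaknesses the chain above depends on (OS command execution from SQL, an application login with server-wide rights, an over-privileged engine service account) and extends the least-privilege principle to the VM’s managed identity, whose role assignments decide what a stolen token could reach. The snapshot layout and sample values are constructed; the sp_configure option names, fixed server role names and Azure built-in role names are real.

```python
# Constructed snapshots (not from any real server) of the facts a hardening
# script could gather: sp_configure option values, server-role memberships,
# the engine's service account and the VM identity's Azure role assignments.
WEAK_SNAPSHOT = {
    "configurations": {"xp_cmdshell": 1, "Ole Automation Procedures": 1},
    "logins": {
        "app_web":   {"kind": "application", "server_roles": ["sysadmin"]},
        "dba_alice": {"kind": "person",      "server_roles": ["sysadmin"]},
    },
    "service_account": "LocalSystem",
    "managed_identity_roles": [("Contributor", "/subscriptions/<placeholder-sub-id>")],
}

HARDENED_SNAPSHOT = {
    "configurations": {"xp_cmdshell": 0, "Ole Automation Procedures": 0},
    "logins": {
        "app_web":   {"kind": "application", "server_roles": []},
        "dba_alice": {"kind": "person",      "server_roles": ["sysadmin"]},
    },
    "service_account": "NT SERVICE\\MSSQLSERVER",   # per-service virtual account
    "managed_identity_roles": [("Storage Blob Data Reader",
        "/subscriptions/<placeholder-sub-id>/resourceGroups/rg-app/providers/"
        "Microsoft.Storage/storageAccounts/<placeholder-account>")],
}

RISKY_OPTIONS = ("xp_cmdshell", "Ole Automation Procedures")
PRIVILEGED_ROLES = {"sysadmin", "securityadmin", "serveradmin"}
BROAD_AZURE_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def audit(snapshot):
    """Return (check, severity, remediation) for each least-privilege violation."""
    findings = []
    # Options that let T-SQL reach the operating system should stay off.
    for option in RISKY_OPTIONS:
        if snapshot["configurations"].get(option, 0):
            findings.append((f"option '{option}' enabled", "high",
                             f"EXEC sp_configure '{option}', 0; RECONFIGURE;"))
    # Application logins need database-level rights only; membership in a
    # fixed server role is what turns an injection into host access.
    for name, login in snapshot["logins"].items():
        if login["kind"] != "application":
            continue
        for role in sorted(set(login["server_roles"]) & PRIVILEGED_ROLES):
            findings.append((f"application login '{name}' in {role}", "high",
                             f"ALTER SERVER ROLE {role} DROP MEMBER [{name}];"))
    # The engine's own account bounds what an OS command run through SQL can do.
    if snapshot["service_account"].lower() in {"localsystem", "nt authority\\system"}:
        findings.append(("engine runs as LocalSystem", "medium",
                         "run the engine under a per-service virtual account "
                         "or a dedicated low-privilege account"))
    # A stolen managed-identity token is only as dangerous as the identity's
    # role assignments: flag broad roles and any scope wider than a resource group.
    for role, scope in snapshot["managed_identity_roles"]:
        if role in BROAD_AZURE_ROLES or "/resourceGroups/" not in scope:
            findings.append((f"managed identity holds {role} at {scope}", "high",
                             "assign a narrow built-in role scoped to the specific "
                             "resources the server needs"))
    return findings


if __name__ == "__main__":
    for check, severity, fix in audit(WEAK_SNAPSHOT):
        print(f"[{severity}] {check}: {fix}")
    print("hardened snapshot findings:", audit(HARDENED_SNAPSHOT))
```

The two remediation statements for the SQL-side checks are standard T-SQL and can be run as-is by a sysadmin; the service-account and identity findings describe changes made in the SQL Server Configuration Manager and in Azure RBAC respectively.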
For a deeper analysis, Microsoft’s report provides specific hunting queries for Microsoft 365 Defender and Sentinel in its appendix.