Recent observations have shown hackers attempting to infiltrate cloud platforms via Microsoft SQL Servers susceptible to SQL injection.
Microsoft’s team of security researchers have noted that this method of lateral movement was identified in previous assaults on different services, including VMs and Kubernetes clusters.
Notably, this is the first time SQL Servers have been observed being used in this way.
Breakdown of the Attack
The episodes documented by Microsoft commenced with the exploitation of an SQL injection flaw in a program within the victim’s setup.
This gave the attackers access to the SQL Server instance, hosted on an Azure Virtual Machine, with enough permissions to run SQL commands and retrieve sensitive data.
The type of data accessed spans databases, table details, database structures, versions, network setup, and permissions to read, write, or delete.
When the compromised application runs with elevated rights, the attackers can invoke the ‘xp_cmdshell’ extended stored procedure. This lets them execute operating system commands through SQL, giving them a foothold on the host.
During this phase, the malicious actions included:
- Surveying directories, enumerating processes, and reviewing network shares.
- Downloading encoded and zipped executables alongside PowerShell scripts.
- Instituting a timed task to initiate a covert script.
- Gathering user data by extracting information from the SAM and SECURITY registry keys.
- Relaying data through a distinctive technique using the ‘webhook.site’ free tool, which aids in scrutinizing HTTP requests and overseeing emails.
The choice to employ a recognized service for data conveyance lessens the chances of this behavior being flagged as questionable, thus enabling the malicious actors to quietly extract data.
Subsequently, the attackers attempted to abuse the cloud identity associated with the SQL Server instance. Their aim was to reach the IMDS (Instance Metadata Service) and obtain the cloud identity’s access token.
Within Azure, resources typically have assigned managed identities for authentication procedures with other cloud assets and services. Possession of this token by the intruders means they have the capability to tap into any cloud asset that the identity can access.
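As an added illustration of how a defender can correlate the two stages described above (xp_cmdshell activity followed by a managed-identity token request to the Azure IMDS endpoint), here is example Python that is not part of Microsoft's report. The event records, host names and time window are constructed; the IMDS token URL is Azure's documented endpoint.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events for illustration only: (timestamp, host, source, text).
# sqlvm01 shows the chain from the article; sqlvm02 is a benign IMDS instance query.
SAMPLE_EVENTS = [
    ("2023-10-03T10:00:01Z", "sqlvm01", "sql_audit",
     "SELECT name FROM sys.databases"),
    ("2023-10-03T10:00:07Z", "sqlvm01", "sql_audit",
     "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    ("2023-10-03T10:00:09Z", "sqlvm01", "sql_audit",
     "EXEC master..xp_cmdshell 'whoami'"),
    ("2023-10-03T10:00:42Z", "sqlvm01", "egress",
     "GET http://169.254.169.254/metadata/identity/oauth2/token"
     "?api-version=2018-02-01&resource=https://management.azure.com/"),
    ("2023-10-03T10:01:10Z", "sqlvm02", "egress",
     "GET http://169.254.169.254/metadata/instance?api-version=2021-02-01"),
]

# xp_cmdshell being enabled or invoked from a SQL statement
XP_CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)
# A managed-identity token request to the Azure IMDS endpoint
IMDS_TOKEN_RE = re.compile(r"169\.254\.169\.254/metadata/identity/oauth2/token")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=10)):
    """Return (host, first xp_cmdshell ts, IMDS token ts) for every host where a
    managed-identity token request follows xp_cmdshell activity within `window`."""
    first_cmdshell = {}
    findings = []
    for ts, host, source, text in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if source == "sql_audit" and XP_CMDSHELL_RE.search(text):
            first_cmdshell.setdefault(host, t)  # remember earliest xp_cmdshell use
        elif IMDS_TOKEN_RE.search(text) and host in first_cmdshell:
            if t - first_cmdshell[host] <= window:
                findings.append(
                    (host, first_cmdshell[host].isoformat(), t.isoformat()))
    return findings


if __name__ == "__main__":
    for host, started, token_ts in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host}: xp_cmdshell at {started}, IMDS token request at {token_ts}")
```

A plain IMDS instance query (sqlvm02) is not flagged on its own; only the token request following xp_cmdshell on the same host within the window produces a finding.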
Microsoft commented that, despite the attackers’ efforts, they couldn’t fully harness this method due to some mistakes. Nevertheless, the strategy stands as a potent risk for corporations.
To conclude their intrusion, the malicious individuals deleted any downloaded content and eradicated temporary database changes, ensuring no evidence of their activities remained.
For defense, Microsoft endorses the adoption of Defender for Cloud and Defender for Endpoint. These tools are adept at detecting SQL injections and unusual SQLCMD actions, both of which were evident in the witnessed assault.
To diminish potential risks, Microsoft advises the enforcement of the “least privilege” principle in user permission allocations, which invariably impedes unauthorized access.
For those interested, Microsoft’s detailed report offers hunting queries for Microsoft 365 Defender and Sentinel in its appendix.