Attackers attempted lateral movement into a cloud environment via a SQL Server instance in a recent campaign, as outlined by Microsoft.
In a report published on Tuesday, security experts Sunders Bruskin, Hagai Ran Kestenberg, and Fady Nasereldeen highlighted that “the attackers initially exploited a SQL injection vulnerability in an application within the target’s environment.”
This granted the attacker access to a Microsoft SQL Server instance hosted on an Azure Virtual Machine (VM), providing them with elevated permissions.
Subsequently, the threat actors sought to access additional cloud resources by exploiting the server’s cloud identity. This identity might have granted them heightened permissions to execute various malicious activities within the accessible cloud environment.
Microsoft stated that there was no evidence suggesting that the attackers had successfully employed this method to move laterally to cloud resources.
“Cloud services like Azure use managed identities for allocating identities to the various cloud resources,” the researchers noted. The authentication process for additional cloud resources and services relies on these IDs.
The SQL injection against the database server acts as the starting point for the attack chain, allowing the adversary to execute queries and gather information about the host, databases, and network configuration.
The application affected by the SQL injection vulnerability in these intrusions is believed to have connected to the database with elevated permissions. This allowed the attackers to enable the xp_cmdshell option, which lets SQL Server execute operating system commands, and advance to the next stage.
This stage involved collecting information, acquiring PowerShell scripts and executables, and establishing persistence by setting up a scheduled task to initiate a backdoor script.
To achieve covert data exfiltration and minimize the risk of detection, the attackers utilized the publicly available tool webhook[.]site. Outbound traffic to this service was considered legitimate and less likely to raise suspicion.
According to the researchers, “the attackers tried using the SQL Server instance’s cloud identity by accessing the [instance metadata service] and obtaining the cloud identity access key.” The report adds: “The identity token for the cloud identity is returned by the request to the IMDS identity’s endpoint.”
While the attempt ultimately failed due to an unspecified issue, the operation’s underlying objective seems to have been the exploitation of this token to perform various actions on cloud resources, including lateral movement within the cloud environment.
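As an added illustration from the defender's side (not code from Microsoft's report or from this article), the following Python sketch runs the chain described above, from xp_cmdshell enablement through OS commands spawned by SQL Server, scheduled-task persistence, egress to webhook.site and a managed-identity token request to the IMDS endpoint, over constructed, simplified log lines. The line format, timestamps and process names are assumptions made for the example; only processes descended from sqlservr.exe are flagged, so unrelated system egress is left alone.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry in a simplified one-line format that mixes a
# SQL Server ERRORLOG message, EDR process-creation events and host egress
# events. These are illustrative lines, not captures from the incident.
SAMPLE_EVENTS = [
    "11:02:17 sql  Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "11:02:40 proc parent=sqlservr.exe child=cmd.exe",
    "11:02:41 proc parent=cmd.exe child=powershell.exe",
    "11:03:05 proc parent=powershell.exe child=schtasks.exe args=/create /tn Updater /tr C:\\ProgramData\\x.ps1",
    "11:04:12 net  proc=powershell.exe dst=webhook.site:443 bytes_out=18432",
    "11:05:51 http proc=powershell.exe url=http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com/",
    "11:06:00 net  proc=svchost.exe dst=windowsupdate.microsoft.com:443 bytes_out=1200",
]

KV = re.compile(r"(\w+)=(\S+)")  # key=value fields in proc/net/http lines
XP_CMDSHELL_ENABLED = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")
IMDS_TOKEN = re.compile(r"169\.254\.169\.254/metadata/identity/oauth2/token")
EXFIL_HOSTS = ("webhook.site",)  # public service the article names as the exfil channel

@dataclass
class Finding:
    stage: str
    line: str

def analyze(events):
    """Walk the events once, tracking process lineage: every process spawned
    (directly or transitively) by sqlservr.exe is 'tainted', and only tainted
    processes' network activity is reported."""
    tainted = {"sqlservr.exe"}
    findings = []
    for line in events:
        kind = line.split()[1]
        kv = dict(KV.findall(line))
        if kind == "sql" and XP_CMDSHELL_ENABLED.search(line):
            findings.append(Finding("xp_cmdshell enabled", line))
        elif kind == "proc" and kv.get("parent") in tainted:
            tainted.add(kv["child"])  # child inherits the SQL Server lineage
            stage = "os command from SQL Server"
            if kv["child"] == "schtasks.exe" and "/create" in line:
                stage = "scheduled-task persistence via SQL Server lineage"
            findings.append(Finding(stage, line))
        elif kind == "net" and kv.get("proc") in tainted and kv["dst"].split(":")[0] in EXFIL_HOSTS:
            findings.append(Finding("possible exfiltration to webhook.site", line))
        elif kind == "http" and kv.get("proc") in tainted and IMDS_TOKEN.search(kv.get("url", "")):
            findings.append(Finding("managed-identity token request from SQL Server lineage", line))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.stage}] {f.line}")
```

In a real deployment the same lineage logic would be expressed over EDR process trees and the VM's IMDS access logs; the point of the sketch is that the IMDS token request only matters when it originates from a process chain rooted in the database engine.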
This development underscores the growing sophistication of cloud-based attack strategies, showcasing how malicious actors are constantly seeking highly privileged processes, accounts, controlled identities, and database connections to engage in illicit activities.
“This is a technique we are familiar with in other cloud services such as VMs and Kubernetes clusters but haven’t seen before in SQL Server instances,” noted the researchers in their analysis.
SQL Server instances and cloud resources remain susceptible to similar threats without proper security measures for cloud identities. Through this technique, attackers could significantly impact not only SQL Server instances but also other interconnected cloud resources.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.