Hackers attempted to move from a compromised SQL Server instance into Microsoft’s Azure cloud platform, according to Microsoft researchers — marking the first time the tactic has been used in this way.
While attackers have previously been known to use this approach with several cloud services — including virtual machines (VMs) and Kubernetes clusters — Microsoft had never before observed its use with SQL Server.
During the attack, threat actors were able to move from the SQL Server environment into a SQL Server instance that had been deployed in an Azure VM, Microsoft researchers wrote in a post this week.
The attackers then made an attempt at moving from there into “additional” cloud resources, which was unsuccessful, the researchers wrote.
As hackers continue to develop new cloud-specific techniques, they are “finding new vectors to perform lateral movement from certain on-premises environments into cloud resources,” the researchers wrote.
In this case, the attackers initially obtained access through a SQL injection vulnerability and then were able to elevate their permissions on the SQL Server instance in Azure.
“Cloud identities are commonly used in cloud services including SQL Server and may possess elevated permissions to carry out actions in the cloud,” Microsoft researchers wrote.
“This attack highlights the need to properly secure cloud identities to defend SQL Server instances and cloud resources from unauthorised access.”
In terms of the attack disclosed by Microsoft, the exploitation of a SQL injection vulnerability — which today is much less common than it once was — is yet another example of “what’s old is new again” in the cybersecurity sphere, Menichello said.
While SQL injection may have fallen from its peak of popularity, incidents like this show that “you’ve got to continue to be diligent” about protecting against this type of attack, he said.
Injection — which includes attacks such as cross-site scripting in addition to SQL injection — fell to the third largest web application security risk in 2021, down from the number one risk as of 2017, according to the Open Worldwide Application Security Project (OWASP).
In the newly disclosed attack, after exploiting the SQL injection vulnerability in the victim’s environment, hackers were able to get access — as well as elevate their permissions — on the SQL Server instance in an Azure VM.
“The attackers then used the acquired elevated permission to attempt to move laterally to additional cloud resources by abusing the server’s cloud identity,” Microsoft researchers wrote.
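The initial access step in this chain, a SQL injection, comes down to user input being spliced into the text of a query so that it can change the query's structure rather than only supply a value. As an added illustration that is not code from the Microsoft write-up or from CRN, the snippet below builds a small in-memory SQLite table from constructed sample rows and runs the same input through a vulnerable string-formatted query and a parameterized one; the table, column names, sample rows and inputs are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the victim application's database;
# none of it comes from the incident described in the article.
SAMPLE_ROWS = [
    ("alice@example.test", "emea"),
    ("bob@example.test", "apac"),
    ("carol@example.test", "emea"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table (hypothetical schema) for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, region TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, region) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, region: str) -> list[str]:
    """Defect: the caller's string is spliced into the SQL text, so the input can
    rewrite the WHERE clause instead of only supplying a value for it."""
    query = f"SELECT email FROM customers WHERE region = '{region}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, region: str) -> list[str]:
    """Fix: the statement text is constant; the driver binds the value, which is
    then compared as data no matter which characters it contains."""
    rows = conn.execute(
        "SELECT email FROM customers WHERE region = ? ORDER BY id", (region,)
    )
    return [row[0] for row in rows]


def compare(region: str) -> dict[str, list[str]]:
    """Run one input through both code paths so the difference is visible."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, region),
            "parameterized": lookup_parameterized(conn, region),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign value, then the textbook tautology used in training material to
    # show why string-built queries fail: it widens the vulnerable query to
    # every row, while the parameterized query simply matches nothing.
    for value in ("emea", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

The point to take from the second input is that the injected statement runs with whatever rights the application's database login holds. That is why the login on the SQL Server instance, and the cloud identity of the VM behind it that the article says the attackers tried to abuse, should each carry only the permissions the application actually needs: parameterized queries close the entry point, and least privilege limits how far a successful injection can reach.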
Ultimately, “this attack technique demonstrates an approach we’ve seen in other cloud services such as VMs and Kubernetes cluster, but not in SQL Server,” the researchers wrote.
The attackers were unsuccessful after their activities prompted “multiple Microsoft Defender for SQL alerts” and led Microsoft “to quickly deploy additional protections.”
“While our analysis of this attack did not yield any indication that the attackers successfully moved laterally to the cloud resources, we assess that it is important for defenders to be aware of this technique used in SQL Server instances, and what steps to take to mitigate potential attacks,” the Microsoft researchers wrote.
This article originally appeared at crn.com