Security researchers have uncovered a new attack technique: hackers are targeting Azure virtual machines (VMs), using flawed Microsoft SQL servers as a stepping stone. This marks the first known instance of SQL servers being exploited in this manner.
The Unconventional Attack
The attack begins with threat actors exploiting an SQL injection vulnerability within an application on the target’s endpoint. Once they gain access, along with elevated privileges, to the SQL Server instance hosted on an Azure VM, they use SQL commands to extract vital information, including databases, table names, schemas, database versions, and more. Depending on the targeted application’s vulnerability, the threat actors can even execute operating system (OS) commands via SQL. This lets them read directories, download PowerShell scripts, establish backdoors via scheduled tasks, acquire user credentials, and more.
Pursuing the Azure VM
Subsequently, the attackers aim to access the Instance Metadata Service (IMDS) by exploiting the cloud identity of the SQL Server instance. This tactic yields a cloud identity access key, providing a gateway into the Azure VM.
While Microsoft’s researchers noted that the attackers they observed faced difficulties in completing their mission, this novel approach remains a “valid” threat and poses a significant danger to organizations worldwide. The final step in the attack involves erasing all traces of its existence.
Protecting Against the Threat
To safeguard their systems, organizations are strongly advised to implement the principle of least privilege when granting user permissions. Neglecting to secure cloud identities properly can leave SQL Server instances and cloud resources vulnerable to similar risks. Microsoft’s researchers have issued a stern warning in their report, emphasizing the potential for attackers to inflict greater damage not only on SQL Server instances but also on associated cloud resources.
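One way to watch for the chain described above, as an added example that is not taken from Microsoft's report: it flags process-creation events in which the SQL Server service process directly spawns a shell or the scheduled-task utility, and any command line that references the IMDS link-local address 169.254.169.254. The event field names, the watch list, the file paths and the sample events are constructed assumptions.

```python
import re

# Assumption: events are dicts with hypothetical keys parent, image, cmdline.
SQL_PARENT = "sqlservr.exe"
# Constructed watch list: children a database engine rarely needs to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "schtasks.exe"}
# Link-local address on which the Instance Metadata Service listens.
IMDS_RE = re.compile(r"169\.254\.169\.254")

def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """Return the findings raised by one process-creation event."""
    findings = []
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    if parent == SQL_PARENT and image in SUSPICIOUS_CHILDREN:
        findings.append("sql_spawned_" + image.rsplit(".", 1)[0])
    if IMDS_RE.search(event.get("cmdline", "")):
        # IMDS access from a direct child of SQL Server is the critical case.
        findings.append("imds_from_sql_child" if parent == SQL_PARENT else "imds_access")
    return findings

def scan(events):
    """Return (index, findings) for every event with at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events, not taken from any real incident.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\services.exe", "image": SQLSERVR,
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"parent": SQLSERVR, "image": CMD, "cmdline": r"cmd.exe /c dir C:\Users"},
    {"parent": SQLSERVR, "image": CMD,
     "cmdline": "cmd.exe /c powershell Invoke-WebRequest http://169.254.169.254/metadata/instance"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe curl http://169.254.169.254/metadata/instance"},
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```

The check only looks at the direct parent, so a grandchild of the SQL Server process that touches IMDS is reported as plain `imds_access`; correlating process trees would close that gap.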