Microsoft security researchers report observing attackers attempting to move laterally into cloud environments through SQL Server instances, starting from SQL injection in an application that uses them. This lateral movement technique had previously been seen in attacks on other services, such as virtual machines (VMs) and Kubernetes clusters.
Attacks begin by exploiting a SQL injection vulnerability in an application in the target's environment. According to the researchers, this gave the threat actors access to the SQL Server instance hosted on an Azure virtual machine with the elevated permissions of the application's database account, letting them execute arbitrary SQL commands and extract valuable data: information about databases, table names, schemas, database versions, network configuration, and read/write/delete permissions.
Where the compromised application's account has elevated permissions, attackers can enable xp_cmdshell, an extended stored procedure that is disabled by default and can only be turned on by a login with server-level configuration rights, and use it to execute operating system (OS) commands through SQL, giving them a shell on the host.
Exfiltrating data through a legitimate public service makes the activity less likely to look suspicious or trip indicators in security products, allowing attackers to discreetly steal data from the host. From the host, they can then attempt to abuse the SQL Server instance's cloud identity: querying the Instance Metadata Service (IMDS), the link-local endpoint that issues tokens for the identity attached to the VM, yields an access token for that identity, which can then be used against other cloud resources.
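The two steps above (enabling xp_cmdshell to obtain a host shell, then calling IMDS for the instance identity's token) each leave a distinct trace, and Microsoft ships its own hunting queries for them in KQL. As an added example that is not part of the CisoAdvisor article or of Microsoft's report, the Python below runs simple detection logic over constructed sample events. The line format, the `webapp` login, the `sqlservr.exe` process name and the ten-minute correlation window are assumptions made for the illustration; the `sp_configure`/`xp_cmdshell` syntax and the IMDS token URL are the real SQL Server and Azure ones.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): SQL Server audit-style statement
# records and host-level outbound HTTP records, normalised into one line format,
# "<kind>|<ISO-8601 timestamp>|<principal>|<payload>". "webapp" is a hypothetical
# database login used by the injected application; "sqlservr.exe" is the process
# that made the outbound request.
SAMPLE_EVENTS = """\
sql|2023-10-03T10:01:05Z|webapp|SELECT name FROM sys.databases
sql|2023-10-03T10:01:09Z|webapp|SELECT name, type_desc FROM sys.objects WHERE type = 'U'
sql|2023-10-03T10:02:11Z|webapp|EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
sql|2023-10-03T10:02:12Z|webapp|EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
sql|2023-10-03T10:02:20Z|webapp|EXEC xp_cmdshell 'whoami'
http|2023-10-03T10:03:02Z|sqlservr.exe|GET http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ Metadata:true
http|2023-10-03T10:03:40Z|sqlservr.exe|GET https://www.microsoft.com/
"""


@dataclass
class Event:
    kind: str        # "sql" or "http"
    ts: datetime
    principal: str   # SQL login for "sql" events, process name for "http" events
    payload: str     # statement text or request line


@dataclass
class Finding:
    rule: str
    ts: datetime
    principal: str
    detail: str


# Enabling xp_cmdshell: sp_configure 'xp_cmdshell', 1 (the quotes are optional in T-SQL).
RE_ENABLE_CMDSHELL = re.compile(r"sp_configure\s+'?xp_cmdshell'?\s*,\s*1\b", re.I)
# Running it: EXEC [master..]xp_cmdshell '<command>'.
RE_EXEC_CMDSHELL = re.compile(r"\bxp_cmdshell\s+'", re.I)
# Azure IMDS managed-identity token endpoint (link-local address, only reachable from the VM).
RE_IMDS_TOKEN = re.compile(r"https?://169\.254\.169\.254/metadata/identity/oauth2/token", re.I)


def parse_events(text: str) -> list[Event]:
    """Parse the constructed line format into Event records."""
    events = []
    for line in text.strip().splitlines():
        kind, ts, principal, payload = line.split("|", 3)
        events.append(Event(kind, datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            principal, payload))
    return events


def detect(events: list[Event], window: timedelta = timedelta(minutes=10)) -> list[Finding]:
    """Flag each step of the chain and, when an IMDS token request follows an
    xp_cmdshell execution within `window`, a correlated SQL-to-cloud finding."""
    findings: list[Finding] = []
    shell_runs: list[datetime] = []   # timestamps at which xp_cmdshell ran
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "sql":
            if RE_ENABLE_CMDSHELL.search(ev.payload):
                findings.append(Finding("xp_cmdshell_enabled", ev.ts, ev.principal, ev.payload))
            elif RE_EXEC_CMDSHELL.search(ev.payload):
                findings.append(Finding("xp_cmdshell_exec", ev.ts, ev.principal, ev.payload))
                shell_runs.append(ev.ts)
        elif ev.kind == "http" and RE_IMDS_TOKEN.search(ev.payload):
            findings.append(Finding("imds_token_request", ev.ts, ev.principal, ev.payload))
            if any(timedelta(0) <= ev.ts - t <= window for t in shell_runs):
                findings.append(Finding("sql_to_cloud_chain", ev.ts, ev.principal,
                                        f"IMDS token request within {window} of xp_cmdshell execution"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f.ts.isoformat()} {f.rule:22} {f.principal:14} {f.detail}")
```

In a real deployment the SQL side would come from SQL Server Audit or Extended Events and the HTTP side from EDR or host firewall logs; because 169.254.169.254 is link-local, the token request never crosses the network perimeter and is only visible in host telemetry. The reconnaissance queries against sys.databases and sys.objects are left unflagged here because legitimate applications issue them too; they become interesting only once correlated with the enable step.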
Microsoft suggests using Defender for Cloud and Defender for Endpoint to detect SQL injection and suspicious SQLCMD activity, both of which were used in the observed attack. To mitigate the threat, the company recommends applying the principle of least privilege when granting user permissions, which adds friction to lateral movement attempts: a database account without rights to change server configuration cannot enable xp_cmdshell in the first place. Hunting queries for Microsoft 365 Defender and Sentinel are provided in the appendix of Microsoft's report (in English).
Source: CisoAdvisor