Attackers Exploit SQL Server to Penetrate Azure Cloud
Microsoft Discloses Unusual Hacking Attempt
Microsoft says it spotted an unusual hacking campaign in which hackers attempted to move laterally through the Azure cloud after compromising a virtual SQL server.
It marks the first time that cyber defenders for the computing giant have seen a lateral movement attempt in the Azure cloud with SQL Server as the starting point, the company said in a Tuesday blog post. Hackers have previously done so with VMs and Kubernetes clusters, "but not in SQL Server."
Microsoft said it is disclosing the attempt despite having detected the hackers so defenders can be "aware of this technique used in SQL Server instances."
Lateral movement is the bread-and-butter hacking method that uses an initial foothold into a network as the jumping-off point for further access to data and systems. Microsoft said the rise of cloud computing is leading to hackers probing for new methods to achieve lateral movement. One technique is to use the identity of the hacked cloud resource - the cloud identity - to pivot to other resources to which the cloud tenant has access.
Hackers began with an SQL injection attack, likely on an application that had elevated permissions within the tenant's Azure environment. The attackers used the elevated permission to turn on xp_cmdshell, a method to launch operating system commands through a SQL query. Microsoft turns off the command by default in SQL Server, as a precaution.
Microsoft said the hackers performed typical hacking behavior - reading directories, listing processes, downloading "several executables and PowerShell scripts."
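The enablement chain described above leaves a distinctive trail in SQL Server audit data: `sp_configure 'show advanced options'`, then `sp_configure 'xp_cmdshell', 1`, then `RECONFIGURE`, followed by `xp_cmdshell` executions. The following detector is an added example written for this page, not code from the article or from Microsoft. The audit line format (`timestamp login statement`) and every sample line are constructed; in practice the same logic would run over SQL Server Audit or Extended Events rows, and the `RECON_HINTS` labels are only the behaviours the article names.

```python
"""Flag the xp_cmdshell enablement-and-execution chain in SQL Server audit text.

Added example (not from the article or from Microsoft). Scans constructed
audit-style lines for the sequence the article describes: xp_cmdshell turned on
through sp_configure, then operating system commands launched through it.
"""
import re
from dataclasses import dataclass

# Constructed sample audit lines: "<timestamp> <login> <statement>".
SAMPLE_AUDIT = """\
2023-10-03T10:01:02Z app_svc SELECT name FROM sys.tables
2023-10-03T10:04:11Z app_svc EXEC sp_configure 'show advanced options', 1
2023-10-03T10:04:12Z app_svc RECONFIGURE
2023-10-03T10:04:13Z app_svc EXEC sp_configure 'xp_cmdshell', 1
2023-10-03T10:04:14Z app_svc RECONFIGURE
2023-10-03T10:04:20Z app_svc EXEC xp_cmdshell 'dir C:\\'
2023-10-03T10:04:25Z app_svc EXEC xp_cmdshell 'tasklist'
2023-10-03T10:05:02Z app_svc EXEC xp_cmdshell 'powershell -File C:\\stage.ps1'
2023-10-03T10:06:00Z report_ro SELECT COUNT(*) FROM orders
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<login>\S+)\s+(?P<stmt>.+)$")
# sp_configure 'xp_cmdshell', 1 is the real T-SQL way to enable the feature.
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
# xp_cmdshell followed by whitespace and a quoted command = an execution.
EXEC_RE = re.compile(r"xp_cmdshell\s+'(?P<cmd>[^']*)'", re.I)

# Labels for the behaviours the article lists (directory reads, process
# listing, PowerShell). Anything else is reported as "other".
RECON_HINTS = {
    "dir": "directory listing",
    "tasklist": "process listing",
    "powershell": "PowerShell launch",
}


@dataclass
class Finding:
    login: str
    stage: str      # "enable" or "execute"
    timestamp: str
    detail: str     # the enabling statement, or the OS command string


def classify(cmd: str) -> str:
    """Map an xp_cmdshell command string to one of the article's behaviours."""
    words = cmd.split()
    head = words[0].lower() if words else ""
    return RECON_HINTS.get(head, "other")


def scan_audit(text: str) -> list[Finding]:
    """Return one Finding per enablement statement or xp_cmdshell execution."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # constructed format only; unknown lines are skipped
        ts, login, stmt = m.group("ts"), m.group("login"), m.group("stmt")
        if ENABLE_RE.search(stmt):
            findings.append(Finding(login, "enable", ts, stmt.strip()))
            continue
        ex = EXEC_RE.search(stmt)
        if ex:
            findings.append(Finding(login, "execute", ts, ex.group("cmd")))
    return findings


def logins_with_full_chain(findings: list[Finding]) -> list[str]:
    """Logins that both enabled xp_cmdshell and then executed through it.

    A login that only flips the setting may be an administrator; one that
    flips it and immediately runs commands matches the article's pattern.
    """
    enabled = {f.login for f in findings if f.stage == "enable"}
    executed = {f.login for f in findings if f.stage == "execute"}
    return sorted(enabled & executed)


if __name__ == "__main__":
    results = scan_audit(SAMPLE_AUDIT)
    for f in results:
        label = classify(f.detail) if f.stage == "execute" else "enablement"
        print(f"{f.timestamp} {f.login:<10} {f.stage:<8} {label:<18} {f.detail}")
    print("full chain:", logins_with_full_chain(results))
```

The stage split matters for triage: an `enable` finding without a later `execute` from the same login is worth a question to the DBA, while the full chain from an application login that should only ever issue SELECTs is the signal the article is about.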
It's what they did afterward that has Redmond's attention. They used the Azure Instance Metadata Service - aka the IMDS - to obtain the cloud identity access key of the virtual SQL Server. An IMDS query returns data such as a JSON Web Token containing the claims and the signature of the identity.
With the identity token, hackers could have gone beyond the SQL Server into other cloud resources. They failed "due to an error," Microsoft said. One way to head off similar future attempts, the company said, is to make sure that cloud resources operate at the least privilege level required.
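When a token of this kind turns up in an incident, the first responder question is what it could have reached, which is answered by its claims rather than its signature. The following is an added example, not code from the article or from Microsoft: it decodes a JWT of the shape IMDS returns (from `http://169.254.169.254/metadata/identity/oauth2/token`, which requires a `Metadata: true` request header) without verifying the signature, and reports the audience, the identity it belongs to, and whether it is still valid. The token is constructed with a fake signature and placeholder identifiers; the `xms_mirid` claim name is assumed to carry the managed identity's resource ID, and the `AUDIENCE_HINTS` table covers only three well-known Azure resource URIs.

```python
"""Triage a managed-identity JWT obtained through IMDS: who is it, what can it reach, is it live?

Added example, not from the article or Microsoft. Decoding only; no signature
check is performed, so the output is for scoping an incident, not for trusting
the token.
"""
import base64
import json

# Well-known Azure resource URIs a token's 'aud' claim may name, and what a
# holder could call with it (subject to the identity's RBAC roles).
AUDIENCE_HINTS = {
    "https://management.azure.com/": "Azure Resource Manager: any RBAC role the identity holds",
    "https://storage.azure.com/": "Storage data plane (blobs, queues, tables)",
    "https://vault.azure.net": "Key Vault data plane (secrets, keys, certificates)",
}


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used by compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT. No signature verification."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def summarize(jwt: str, now: int) -> dict:
    """Scope a captured token: identity, audience, reach hint, validity at 'now'."""
    c = decode_claims(jwt)
    exp = int(c.get("exp", 0))
    aud = c.get("aud")
    return {
        "audience": aud,
        "reach": AUDIENCE_HINTS.get(aud, "unknown audience; look up the resource URI"),
        "tenant": c.get("tid"),
        "app_id": c.get("appid"),
        "object_id": c.get("oid"),
        # Assumption: managed-identity tokens carry the identity's ARM resource
        # ID in 'xms_mirid'; treat as unknown if absent.
        "identity_resource": c.get("xms_mirid"),
        "expired": now >= exp,
        "seconds_left": max(0, exp - now),
    }


def make_constructed_token(claims: dict) -> str:
    """Build a JWT with a fake signature, purely to have something to decode."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


# Constructed claims with placeholder identifiers (issued 2023-10-03, 24h lifetime).
ISSUED_AT = 1696327200
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/<tenant-id-placeholder>/",
    "tid": "<tenant-id-placeholder>",
    "appid": "<app-id-placeholder>",
    "oid": "<object-id-placeholder>",
    "xms_mirid": "/subscriptions/<sub>/resourcegroups/<rg>/providers/"
                 "Microsoft.Compute/virtualMachines/<sql-vm>",
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 24 * 3600,
}

if __name__ == "__main__":
    token = make_constructed_token(SAMPLE_CLAIMS)
    for key, value in summarize(token, ISSUED_AT + 60).items():
        print(f"{key:<18} {value}")
```

The `reach` line is where least privilege shows up: a token whose audience is Azure Resource Manager is only as dangerous as the RBAC roles bound to the `identity_resource` it names, so a SQL VM whose managed identity holds nothing beyond what the workload needs limits the pivot even when the token is stolen.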