Microsoft has warned about a recent campaign in which attackers tried, and failed, to pivot from an SQL Server instance into the surrounding cloud environment. In a report published on Tuesday, the company's security researchers provided insights into this incident.
How did it start?
The attackers initiated their assault by exploiting a vulnerability involving SQL injection within an application in the target’s environment.
This initial exploitation granted them access and elevated permissions on a Microsoft SQL Server instance deployed within an Azure Virtual Machine (VM).
In the subsequent phase, the threat actors leveraged these newfound permissions in an effort to move laterally to other cloud resources.
They attempted this by abusing the server's cloud identity, which held elevated permissions that could be used for a range of malicious actions in the cloud environments it could reach.
Microsoft Analysis
It’s crucial to note that Microsoft confirmed no evidence of the attackers successfully achieving lateral movement into the cloud resources through this technique.
Cloud platforms like Azure employ managed identities to allocate identities to different cloud resources, which are used for authentication with other cloud services.
Image Description: The new alert variant could help detect and mitigate lateral movement
The attack chain commenced with an SQL injection against the database server, enabling the adversary to execute queries for gathering information about the host, databases, and network configuration.
In the observed intrusions, the targeted application with the SQL injection vulnerability was suspected to have elevated permissions.
This allowed the attackers to activate the xp_cmdshell option, enabling them to execute operating system commands and advance to the next phase.
xp_cmdshell
This phase encompassed reconnaissance activities, downloading executables and PowerShell scripts, and establishing persistence through a scheduled task to initiate a backdoor script.
Data exfiltration was achieved by abusing a publicly accessible service named “webhook[.]site,” a choice intended to evade detection: traffic to this service appears legitimate and is less likely to arouse suspicion.
IMDS
The attackers also attempted to leverage the cloud identity of the SQL Server instance by accessing the “instance metadata service” (IMDS) to obtain the cloud identity access key.
IMDS’s endpoint provided the security credentials, including the identity token for the cloud identity.
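As an added example (not code from Microsoft's report), the two stages described above can be picked out of SQL Server audit statements with a small Python detector: one rule for xp_cmdshell being enabled, one for an xp_cmdshell call that reaches the Azure IMDS managed-identity token endpoint. The audit events, host and login names are constructed; the IMDS address and token path are Azure's documented endpoint, not values taken from this article.

```python
import re

# Constructed SQL Server audit events (not taken from Microsoft's report):
# one enables xp_cmdshell, one uses xp_cmdshell to reach the Azure IMDS
# managed-identity token endpoint, and one is an ordinary read query.
SAMPLE_EVENTS = [
    {"host": "sqlvm01", "login": "app_svc",
     "statement": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
                  "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"host": "sqlvm01", "login": "app_svc",
     "statement": "EXEC master..xp_cmdshell 'powershell -c \"Invoke-RestMethod "
                  "-Headers @{Metadata=''true''} -Uri http://169.254.169.254"
                  "/metadata/identity/oauth2/token?api-version=2018-02-01"
                  "&resource=https://management.azure.com/\"'"},
    {"host": "sqlvm01", "login": "report_ro",
     "statement": "SELECT TOP 10 * FROM dbo.Orders WHERE Status = 'Open'"},
]

# Stage 1: sp_configure switching xp_cmdshell on (value 1).
ENABLE_XP_CMDSHELL = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
# Stage 2: an actual OS command via xp_cmdshell, with or without a master prefix.
CALL_XP_CMDSHELL = re.compile(
    r"\bexec(?:ute)?\s+(?:master\.(?:dbo)?\.)?xp_cmdshell\b", re.I)
# Azure IMDS listens on link-local 169.254.169.254; this token path is the
# documented managed-identity endpoint (a known fact, not from the article).
IMDS_TOKEN = re.compile(r"169\.254\.169\.254/metadata/identity/oauth2/token", re.I)


def classify(event):
    """Return the finding labels for one audit event (empty list if benign)."""
    stmt = event["statement"]
    findings = []
    if ENABLE_XP_CMDSHELL.search(stmt):
        findings.append("xp_cmdshell_enabled")
    if CALL_XP_CMDSHELL.search(stmt):
        findings.append("os_command_via_xp_cmdshell")
        # A database engine has no business fetching a managed-identity token.
        if IMDS_TOKEN.search(stmt):
            findings.append("imds_token_request_from_sql")
    return findings


def scan(events):
    """Aggregate findings per login@host so the whole chain shows as one actor."""
    report = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            report.setdefault(f"{ev['login']}@{ev['host']}", set()).update(labels)
    return report


if __name__ == "__main__":
    for actor, labels in scan(SAMPLE_EVENTS).items():
        print(actor, sorted(labels))
```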
What might be the Objectives?
The primary objective of this operation seemed to be the abuse of this token to perform various actions on cloud resources, including lateral movement within the cloud environment. Regrettably, the operation concluded in failure due to an unspecified error.
What do you think?
This incident highlights the increasing sophistication of cloud-based attack techniques, with malicious actors continuously searching for overprivileged processes, accounts, managed identities, and database connections to facilitate their nefarious activities.
While this technique is not new in the context of other cloud services such as VMs and Kubernetes clusters, its application in SQL Server instances is a novel development.
Properly securing cloud identities is essential to mitigate risks and safeguard SQL Server instances and associated cloud resources.