Microsoft Discloses New Hacker Tactic Aimed At Azure Cloud
It’s the first time Microsoft security researchers have seen attackers try to hop from a SQL Server instance into a cloud environment.
Hackers attempted to move from a compromised SQL Server instance into Microsoft’s Azure cloud platform, according to Microsoft researchers — marking the first time the tactic has been used in this way.
While attackers have previously been known to use this approach with several cloud services — including virtual machines (VMs) and Kubernetes clusters — Microsoft had never before observed its use with SQL Server.
During the attack, threat actors were able to move from the SQL Server environment into a SQL Server instance that had been deployed in an Azure VM, Microsoft researchers wrote in a post Wednesday. The attackers then made an attempt at moving from there into “additional” cloud resources, which was unsuccessful, the researchers wrote.
As hackers continue to develop new cloud-specific techniques, they are “finding new vectors to perform lateral movement from certain on-premises environments into cloud resources,” the researchers wrote.
In this case, the attackers initially obtained access through a SQL injection vulnerability and then were able to elevate their permissions on the SQL Server instance in Azure, according to the post.
“Cloud identities are commonly used in cloud services including SQL Server and may possess elevated permissions to carry out actions in the cloud,” Microsoft researchers wrote. “This attack highlights the need to properly secure cloud identities to defend SQL Server instances and cloud resources from unauthorized access.”
Without a doubt, identity and access management is “challenging” for many organizations, and in the cloud it has added complexities, said David Menichello, director of security product management at Netrix, No. 196 on CRN’s Solution Provider 500.
“What’s pushed clients to see some challenges is the acceleration of consumption of cloud-based resources,” Menichello said. As some groups within an organization might place a higher priority on finding ways to drive down cost or bring products to market faster, rather than security, identity and access management is “not keeping pace with it,” he said.
In terms of the attack disclosed by Microsoft, the exploit of a SQL injection vulnerability — which today is much less common than it once was — is yet another example of “what’s old is new again” in the cybersecurity sphere, Menichello said.
While SQL injection may have fallen from its peak of popularity, incidents like this show that “you’ve got to continue to be diligent” about protecting against this type of attack, he said.
Injection — which includes attacks such as cross-site scripting in addition to SQL injection — fell to the No. 3 largest web application security risk in 2021, down from the No. 1 risk as of 2017, according to the Open Worldwide Application Security Project (OWASP).
In the newly disclosed attack, after exploiting the SQL injection vulnerability in the victim’s environment, hackers were able to get access — as well as elevate their permissions — on the SQL Server instance in an Azure VM.
“The attackers then used the acquired elevated permission to attempt to move laterally to additional cloud resources by abusing the server’s cloud identity,” Microsoft researchers wrote.
Ultimately, “this attack technique demonstrates an approach we’ve seen in other cloud services such as VMs and Kubernetes cluster, but not in SQL Server,” the researchers wrote.
The attackers were unsuccessful after their activities prompted “multiple Microsoft Defender for SQL alerts” and led Microsoft to “to quickly deploy additional protections,” according to the post.
“While our analysis of this attack did not yield any indication that the attackers successfully moved laterally to the cloud resources, we assess that it is important for defenders to be aware of this technique used in SQL Server instances, and what steps to take to mitigate potential attacks,” the Microsoft researchers wrote.