Microsoft has raised alarm about a new hacking trend targeting cloud environments, with hackers exploiting vulnerabilities in Microsoft SQL Servers susceptible to SQL injection attacks. This attack method, previously seen in other contexts like VMs and Kubernetes clusters, is now being leveraged against SQL Servers, posing a significant threat.
Furthermore, the attack chain begins with the exploitation of an SQL injection vulnerability within an application, providing attackers access to Azure Virtual Machine-hosted SQL Server instances with elevated permissions. This access allows them to execute SQL commands, access sensitive data, and potentially take control of the host’s operating system.
The compromised applications can grant attackers elevated permissions, enabling the activation of the ‘xp_cmdshell’ command, allowing them to run OS commands through SQL, effectively gaining control of the host. The attackers use various commands to read directories, download executables and scripts, set up backdoors, retrieve user credentials, and exfiltrate data using the ‘webhook.site’ service, making their activities appear less suspicious.
Additionally, the attackers attempt to exploit the cloud identity of the SQL Server instance to access the Instant Metadata Service and obtain the cloud identity access key, which can provide access to other cloud resources.
Microsoft recommends using Defender for Cloud and Defender for Endpoint to detect SQL injections and suspicious SQLCMD activity. They also stress the importance of applying the principle of least privilege to user permissions, adding friction to lateral movement attempts. This recent trend highlights the evolving tactics of hackers targeting cloud environments, necessitating robust security measures and vigilance to protect against such threats effectively.
