Microsoft confirms Azure attacks using breached SQL servers

Digital clouds against a blue background.
(Image credit: Shutterstock / Blackboard)

Hackers are targeting Azure virtual machines (VM) using flawed Microsoft SQL servers as a stepping stone, security researchers have revealed.

Microsoft’s experts recently reported observing the method in action, which is also the first time someone’s used an SQL server in this way.

Starting the attack, the threat actors would first take advantage of an SQL injection vulnerability in an application on a target’s endpoint. After gaining access (as well as elevated privileges) to the instance hosted on an Azure VM, they’d run SQL commands to pull out data on things like databases, table names, schemas, database versions, and more. In some cases (depending on the vulnerable application being targeted at start), the threat actors can also end up running operating system (OS) commands via SQL, allowing them to read directories, download PowerShell scripts, run backdoors via scheduled tasks, pull user credentials, and more.

Valid approach

The next step is to try and access the Instant Metadata Service (IMDS), by exploiting the cloud identity of the SQL Server instance. That can give them a cloud identity access key - and thus a way into the Azure VM. 

While Microsoft’s researchers said the attackers they were observing couldn’t get the job done completely due to errors, the approach is “valid” and can be considered a huge threat to organizations everywhere. The final step in the attack is removing any traces of it ever happening.

To make sure they stay safe, organizations are recommended to apply the principle of least privilege when granting user permissions.

“Not properly securing cloud identities can expose SQL Server instances and cloud resources to similar risks,” Microsoft’s researchers warned in the report. “This method provides an opportunity for the attackers to achieve greater impact not only on the SQL Server instances but also on the associated cloud resources.”

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.