Microsoft confirms Azure attacks using breached SQL servers

A novel approach to targeting Azure VMs

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are targeting Azure virtual machines (VM) using flawedMicrosoftSQL servers as a stepping stone, security researchers have revealed.

Microsoft’s experts recently reported observing the method in action, which is also the first time someone’s used an SQL server in this way.

Starting the attack, the threat actors would first take advantage of an SQL injection vulnerability in an application on a target’s endpoint. After gaining access (as well as elevated privileges) to the instance hosted on an Azure VM, they’d run SQL commands to pull out data on things like databases, table names, schemas, database versions, and more. In some cases (depending on the vulnerable application being targeted at start), the threat actors can also end up runningoperating system(OS) commands via SQL, allowing them to read directories, download PowerShell scripts, run backdoors via scheduled tasks, pull user credentials, and more.

Valid approach

The next step is to try and access the Instant Metadata Service (IMDS), by exploiting thecloudidentity of the SQL Server instance. That can give them a cloud identity access key - and thus a way into the Azure VM.

While Microsoft’s researchers said the attackers they were observing couldn’t get the job done completely due to errors, the approach is “valid” and can be considered a huge threat to organizations everywhere. The final step in the attack is removing any traces of it ever happening.

To make sure they stay safe, organizations are recommended to apply the principle of least privilege when granting user permissions.

“Not properly securing cloud identities can expose SQL Server instances and cloud resources to similar risks,” Microsoft’s researchers warned in the report. “This method provides an opportunity for the attackers to achieve greater impact not only on the SQL Server instances but also on the associated cloud resources.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

The M4 Mac mini has removable, modular storage – and an important SSD upgrade