
October 4, 2023

Hackers attempt to breach Azure cloud assets via compromised SQL servers


Security researchers at Microsoft have observed hackers attempting a new technique to breach Azure cloud assets.

The first stage of the attack involved the threat actors exploiting an SQL injection vulnerability in an application in the target’s Azure cloud environment. Once the application was compromised, the threat actor ran commands on the SQL server and was observed exfiltrating data via webhook.site, a free service for inspecting and debugging HTTP requests and emails.

SQL injection attacks on SQL servers are commonplace. What makes this attack unusual is that the threat actor attempted to use the compromised SQL server’s cloud identity to obtain an access key for that identity, which would grant access to every cloud resource the identity has permissions on.

Fortunately, the threat actors were not successful in moving laterally within the victim’s cloud environment, in this case because of errors they made during the attack. However, the attack vector remains viable and represents a significant security threat for organizations running vulnerable SQL servers in their cloud environments.

Source: Bleeping Computer

Analysis

This attack is a good reminder that lateral movement is just as possible within a cloud environment as it is in an on-premises environment. It’s likely only a matter of time before threat actors correct their mistakes and find a way to take advantage of this attack vector.

SQL injection attacks are very popular among threat actors due to their simplicity and the high number of vulnerable SQL servers exposed to the internet. For example, one of the biggest compromises of 2023 was the result of an SQL vulnerability in Progress Software's MOVEit Transfer app, which compromised the sensitive data of over 2100 organizations worldwide. Many of these organizations were targets of ransomware attacks or had sensitive information breached.

Mitigation

Covalence continuously monitors Microsoft Defender for Azure cloud alerts and automatically creates AROs for potential threats, such as the detection of SQL injection and suspicious SQL commands. Covalence users are encouraged to review and action these AROs as soon as possible.
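As an added example (not Covalence's own detection logic or anything from the Microsoft write-up), the following Python triage applies the indicators this advisory describes, suspicious SQL commands, access to the server's cloud identity token, and exfiltration to webhook.site, to constructed SQL Server audit lines. The audit line format, the use of xp_cmdshell as the command-execution indicator and the 169.254.169.254 metadata address are assumptions made for the example, not details taken from the advisory.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed audit lines in an assumed "timestamp | login | statement" format.
# Command bodies are deliberately redacted; only the indicators matter here.
SAMPLE_AUDIT = """\
2023-10-04T10:01:12Z | app_user | SELECT name FROM sys.tables WHERE name LIKE 'ord%'
2023-10-04T10:02:46Z | app_user | EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2023-10-04T10:03:10Z | app_user | EXEC xp_cmdshell '<redacted> https://webhook.site/<redacted>'
2023-10-04T10:04:02Z | app_user | EXEC xp_cmdshell '<redacted> http://169.254.169.254/metadata/identity/<redacted>'
2023-10-04T10:05:00Z | report_user | SELECT COUNT(*) FROM dbo.orders
"""

# Assumed indicators for the three stages in the advisory: OS command execution
# from the SQL server, access to the cloud identity token, and exfiltration.
RULES = [
    (re.compile(r"\bxp_cmdshell\b", re.I), ("OS command execution", "high")),
    (re.compile(r"169\.254\.169\.254|/metadata/identity/", re.I), ("managed identity token access", "critical")),
    (re.compile(r"\bwebhook\.site\b", re.I), ("exfiltration to webhook.site", "critical")),
]

@dataclass
class Finding:
    timestamp: str
    login: str
    finding: str
    severity: str

def triage_sql_audit(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; benign lines yield nothing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        parts = [p.strip() for p in raw.split("|", 2)]
        if len(parts) != 3:
            continue  # blank or malformed line: skip instead of aborting the triage
        ts, login, stmt = parts
        for pattern, (name, severity) in RULES:
            if pattern.search(stmt):
                findings.append(Finding(ts, login, name, severity))
    return findings

def is_lateral_movement_chain(findings: list[Finding]) -> bool:
    """True when one login both ran OS commands and reached for the identity token."""
    by_login: dict[str, set[str]] = {}
    for f in findings:
        by_login.setdefault(f.login, set()).add(f.finding)
    needed = {"OS command execution", "managed identity token access"}
    return any(needed <= seen for seen in by_login.values())

if __name__ == "__main__":
    for f in triage_sql_audit(SAMPLE_AUDIT):
        print(f"{f.timestamp} {f.login:12} [{f.severity}] {f.finding}")
```

A single line matching more than one rule is reported once per rule, so a statement that both runs a command and reaches webhook.site yields two findings.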

Organizations running SQL servers should ensure they are kept up to date and properly configured to validate input data and commands. Furthermore, organizations should consider applying the principle of least privilege to the SQL server’s cloud identity. Although this may impose some restrictions, it would make it very difficult for threat actors to move laterally from the SQL server, should it ever be compromised.
