Microsoft has detailed a new campaign in which attackers unsuccessfully attempted to move laterally to a cloud environment through an SQL Server instance.
"The attackers initially exploited a SQL injection vulnerability in an application within the target's environment," security researchers Sunders Bruskin, Hagai Ran Kestenberg, and Fady Nasereldeen said in a Tuesday report.
"This allowed the attacker to gain access and elevated permissions on a Microsoft SQL Server instance deployed in Azure Virtual Machine (VM)."
In the next stage, the threat actors leveraged the new permissions to attempt to move laterally to additional cloud resources by abusing the server's cloud identity, which may possess elevated permissions to likely carry out various malicious actions in the cloud that the identity has access to.
Microsoft said it did not find any evidence to suggest that the attackers successfully moved laterally to the cloud resources using the technique.
"Cloud services like Azure use managed identities for allocating identities to the various cloud resources," the researchers said. "Those identities are used for authentication with other cloud resources and services."
The starting point of the attack chain is an SQL injection against the database server that allows the adversary to run queries to gather information about the host, databases, and network configuration.
In the observed intrusions, it's suspected that the application targeted with the SQL injection vulnerability had elevated permissions, which permitted the attackers to enable the xp_cmdshell option to launch operating system commands to proceed to the next phase.
This included conducting reconnaissance, downloading executables and PowerShell scripts, and setting up persistence via a scheduled task to start a backdoor script.
Data exfiltration is achieved by taking advantage of a publicly accessible tool called webhook[.]site in an effort to stay under the radar, since outgoing traffic to the service is deemed legitimate and unlikely to be flagged.
"The attackers tried utilizing the cloud identity of the SQL Server instance by accessing the [instance metadata service] and obtaining the cloud identity access key," the researchers said. "The request to IMDS identity's endpoint returns the security credentials (identity token) for the cloud identity."
The ultimate goal of the operation appears to have been to abuse the token to perform various operations on cloud resources, including lateral movement across the cloud environment, although it ended in failure due to an unspecified error.
The development underscores the growing sophistication of cloud-based attack techniques, with bad actors constantly on the lookout for over-privileged processes, accounts, managed identities, and database connections to conduct further malicious activities.
"This is a technique we are familiar with in other cloud services such as VMs and Kubernetes cluster but haven't seen before in SQL Server instances," the researchers concluded.
"Not properly securing cloud identities can expose SQL Server instances and cloud resources to similar risks. This method provides an opportunity for the attackers to achieve greater impact not only on the SQL Server instances but also on the associated cloud resources."
The development comes weeks after the AhnLab Security Emergency response Center (ASEC) revealed that poorly-secured MS SQL server instances are the target of a new variant of Gh0st RAT called HiddenGh0st that installs Hidden, an open-source rootkit that offers the capability to "hide the presence of malware infections from users or hinder the removal of malware."
