Microsoft Discloses Unusual Hacking Attempt
Microsoft says it spotted an unusual hacking campaign in which hackers attempted to move laterally through the Azure cloud after compromising a virtual SQL server.
It marks the first time that cyber defenders for the computing giant have seen a lateral movement attempt in the Azure cloud with SQL Server as the starting point, the company says in a Tuesday blog post. Hackers have previously done so with VMs and Kubernetes clusters, “but not in SQL Server.”
Microsoft says it’s disclosing the attempt despite having detected the hackers so defenders can be “aware of this technique used in SQL Server instances.”
Lateral movement is the bread-and-butter hacking method that uses an initial foothold into a network as the jumping-off point for further access to data and systems. As Microsoft notes, the rise of cloud computing is leading to hackers probing for new methods to achieve lateral movement. One technique is to use the identity of the hacked cloud resource – the cloud identity – to pivot to other resources the cloud tenant has access to.
Hackers began with an SQL injection attack, likely on an application that had elevated permissions within the tenant’s Azure environment. The attackers used the elevated permission to turn on xp_cmdshell, a method to launch operating system commands through a SQL query. Microsoft turns off the command by default in SQL Server, as a precaution.
Microsoft says the hackers performed typical hacking behavior – reading directories, listing processes, downloading “several executables and PowerShell scripts.”
It’s what they did afterward that has Redmond’s attention. They used the Azure Instance Metadata Service – aka the IMDS – to obtain the cloud identity access key of the virtual SQL Server. An IMDS query returns data such as a JSON Web Token containing the claims and the signature of the identity.
With the identity token, hackers could have gone beyond the SQL Server into other cloud resources. They failed “due to an error,” Microsoft says. One way to head off similar future attempts, the company says, is to make sure that cloud resources operate at the least privilege level required.
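The chain described above (xp_cmdshell switched on, shell commands run, then a request to the instance metadata service for the SQL Server's identity token) is something a defender can correlate per SQL session in audit logs. The following detector is an added example written for this article, not Microsoft's own tooling; the audit line layout and the sample lines are constructed, and the IMDS address it matches on is the standard Azure metadata endpoint.

```python
import re

# Constructed sample audit export (not real data). Line layout is an assumption:
# "<timestamp> <session_id> <principal> <statement>".
SAMPLE_AUDIT = """\
2023-10-03T12:00:01Z 55 app_svc SELECT name FROM products WHERE id = 7
2023-10-03T12:00:05Z 55 app_svc EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2023-10-03T12:00:06Z 55 app_svc EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2023-10-03T12:00:09Z 55 app_svc EXEC xp_cmdshell 'dir C:\\Users'
2023-10-03T12:00:15Z 55 app_svc EXEC xp_cmdshell 'powershell ... http://169.254.169.254/metadata/identity/...'
2023-10-03T12:01:00Z 61 report_ro SELECT COUNT(*) FROM orders
"""

# Stages of the chain the article describes, each with the pattern that marks it.
STAGES = [
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_exec", re.compile(r"\bxp_cmdshell\s+'", re.I)),
    ("imds_identity_request", re.compile(r"169\.254\.169\.254|/metadata/identity", re.I)),
]

def parse_line(line):
    """Split one audit line into (timestamp, session_id, principal, statement)."""
    parts = line.split(" ", 3)
    return tuple(parts) if len(parts) == 4 else None

def analyze(audit_text):
    """Return {session_id: [stage, ...]} for sessions that hit any stage, in the order reached."""
    hits = {}
    for raw in audit_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _, session, _, stmt = rec
        for name, pat in STAGES:
            if pat.search(stmt):
                stages = hits.setdefault(session, [])
                if name not in stages:
                    stages.append(name)
    return hits

def severity(stages):
    """Escalate as a session moves further along the chain."""
    if "imds_identity_request" in stages:
        return "critical"  # shell access used to reach the cloud identity
    if "xp_cmdshell_exec" in stages:
        return "high"
    if "enable_xp_cmdshell" in stages:
        return "medium"
    return "none"

if __name__ == "__main__":
    for session, stages in analyze(SAMPLE_AUDIT).items():
        print(session, severity(stages), stages)
```

Only session 55 is flagged, and it reaches "critical" because the metadata request follows the xp_cmdshell enablement and execution; a session that merely enables xp_cmdshell is surfaced at "medium" so the configuration change itself is never silent.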