CarderPlanet
Secure all your networks before a mole starts up in your cloud.
Microsoft recently identified a malicious campaign in which attackers tried to perform lateral movement to the cloud environment through an instance of SQL Server. This attack tactic demonstrates an approach that has previously been observed for accessing other cloud services, but never through SQL Server.
The attackers started by exploiting a SQL injection vulnerability in an application inside the victim's environment, which allowed them to gain extended access rights to a Microsoft SQL Server instance running on an Azure virtual machine. The attackers then used the acquired extended rights to try to move laterally to additional cloud resources by abusing the server's cloud identity.
Cloud identities are commonly used in cloud services, including SQL Server, and may have extended permissions to perform actions in the cloud. While managed identities offer advantages in terms of convenience, security, and efficiency, they also carry certain risks that create a potential attack vector.
The chain of malicious actions that experts observed triggered many Microsoft Defender for SQL alerts. This made it possible to identify and analyze the lateral movement method used by the attackers. The alerts also made it possible to quickly deploy additional protection.
Although the researchers did not identify any signs of successful movement of attackers across other cloud resources, experts believe it is important that security experts are aware of such an attack technique on SQL Server.
To move to other cloud resources, the attackers tried to use the cloud identity of the SQL Server instance by accessing the IMDS service and obtaining an access key for that identity. A request was also made to IMDS to obtain an identity token, which could then be used to perform various operations on cloud resources.
The attack highlights the importance of strong cloud identity security to protect SQL Server instances and cloud resources from unauthorized access.
Given the growing use of cloud technologies, attackers are increasingly applying well-known attack methods in new environments. To reduce the risk of lateral movement attacks, organizations are encouraged to follow security best practices for managed identities.
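The post describes the pivot point of this campaign as a request from the SQL Server host to the IMDS identity endpoint for a managed-identity token. The detection logic below is an added example, not code from the post or from Microsoft: it scans a constructed, line-based process/network log (the field layout, host names and allowlist are all assumptions) and flags managed-identity token requests to the Azure IMDS endpoint that come from a process other than the ones expected to mint tokens, raising the severity when the database engine or one of its child processes is involved.

```python
"""Flag Azure IMDS managed-identity token requests from unexpected processes.

Added example, not part of the original post. The log format below is
constructed for the example: one record per line of the form
    <timestamp> host=<vm> proc=<process> parent=<parent-process> dst=<ip> path=<url-path>
Real telemetry (Defender, Sysmon, proxy logs) would need its own parser.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

IMDS_IP = "169.254.169.254"                       # Azure IMDS link-local endpoint
TOKEN_PATH = "/metadata/identity/oauth2/token"     # managed-identity token endpoint

# Processes expected to request managed-identity tokens on this VM.
# This allowlist is an assumption; tune it per host and application.
ALLOWED_PROCS = {"WindowsAzureGuestAgent.exe", "myapp.exe"}

# The SQL Server engine should never need a cloud token itself, and neither
# should a shell spawned from it; both are treated as high-severity.
DB_ENGINE = "sqlservr.exe"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    proc: str
    parent: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec: dict) -> Optional[Finding]:
    """Return a Finding if the record is a token request from an unexpected process."""
    if rec["dst"] != IMDS_IP:
        return None
    # Plain instance-metadata lookups are routine and noisy; only token minting matters here.
    if not rec["path"].startswith(TOKEN_PATH):
        return None
    if rec["proc"] in ALLOWED_PROCS:
        return None
    engine_involved = DB_ENGINE in (rec["proc"].lower(), rec["parent"].lower())
    severity = "high" if engine_involved else "medium"
    reason = f"managed-identity token request by {rec['proc']} (parent {rec['parent']})"
    if engine_involved:
        reason += "; SQL Server engine or its child process is not expected to mint cloud tokens"
    return Finding(rec["ts"], rec["host"], rec["proc"], rec["parent"], severity, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run the rule over every parseable line and collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = evaluate(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: one benign metadata lookup, one allowlisted token request,
# one token request from a shell spawned by the database engine, one unrelated connection.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z host=sqlvm01 proc=WindowsAzureGuestAgent.exe parent=services.exe "
    "dst=169.254.169.254 path=/metadata/instance?api-version=2021-02-01",
    "2024-01-01T10:00:05Z host=sqlvm01 proc=myapp.exe parent=services.exe "
    "dst=169.254.169.254 path=/metadata/identity/oauth2/token?api-version=2018-02-01",
    "2024-01-01T10:01:00Z host=sqlvm01 proc=powershell.exe parent=sqlservr.exe "
    "dst=169.254.169.254 path=/metadata/identity/oauth2/token?api-version=2018-02-01",
    "2024-01-01T10:01:01Z host=sqlvm01 proc=sqlservr.exe parent=services.exe dst=10.0.0.5 path=/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.host} {f.reason}")
```

On the sample log only the third line is reported, at high severity, because the token request originates from a child of the database engine. The allowlist keeps the rule quiet for the guest agent and the application that legitimately uses the identity; a finding against any other process is a signal worth triaging even when, as in the campaign described above, no follow-on movement succeeded.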
