A recent cyberattack campaign exploited a SQL injection vulnerability in an application [5], allowing the attackers to gain access to, and elevated permissions on, a Microsoft SQL Server instance deployed in an Azure Virtual Machine [1] [3]. The attackers attempted to move laterally within Microsoft’s Azure cloud platform but were unsuccessful. This incident highlights the growing sophistication of cloud-based attack techniques and the importance of securing cloud identities [1].

Description

The attack began with a SQL injection [1], which enabled the attackers to gather information [1], run operating system commands [1], conduct reconnaissance [1], download executables and PowerShell scripts [1], and set up persistence via a scheduled task [1]. They also attempted data exfiltration using a publicly accessible tool, webhook[.]site [1]. To further the attack, the hackers accessed the instance metadata service and obtained the cloud identity access key [1], with the goal of abusing the token to perform various operations on cloud resources [1]. However, the attack ultimately failed because of an error whose nature was not disclosed [1].

The attackers exploited a SQL injection vulnerability to gain access to a Microsoft SQL Server instance running on an Azure Virtual Machine (VM) and obtained elevated permissions [4]. They then tried to access further cloud resources by abusing the server’s cloud identity [1] [4]. The attack involved gathering information [4], obtaining PowerShell scripts [1] [4], and establishing persistence through a backdoor script [4]. The attackers also attempted to exfiltrate data using a legitimate outbound traffic service [4].
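As an added example (not code from the original reporting or any of the cited sources), a Python detection sketch that mirrors the chain described above over constructed endpoint telemetry: it flags shells spawned under the SQL Server process, instance metadata service (IMDS) requests coming from that process tree rather than from platform agents, and contact with webhook.site from the same tree. The process images and pids are constructed; 169.254.169.254 is Azure's documented IMDS address.

```python
from dataclasses import dataclass

IMDS_IP = "169.254.169.254"            # Azure instance metadata service
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EXFIL_HOSTS = {"webhook.site"}         # outbound service named in the reporting

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str

@dataclass(frozen=True)
class Conn:
    pid: int
    dest: str  # destination hostname or IP

def sql_descendants(procs):
    """Return the pids of every process with sqlservr.exe somewhere in its ancestry."""
    by_pid = {p.pid: p for p in procs}
    tainted = set()
    for p in procs:
        parent = by_pid.get(p.ppid)
        while parent is not None:
            if parent.image.lower() == "sqlservr.exe":
                tainted.add(p.pid)
                break
            parent = by_pid.get(parent.ppid)
    return tainted

def detect(procs, conns):
    """Correlate process tree and network events into alert strings."""
    tainted = sql_descendants(procs)
    by_pid = {p.pid: p for p in procs}
    alerts = [f"shell under sqlservr.exe: pid {pid} {by_pid[pid].image}"
              for pid in sorted(tainted) if by_pid[pid].image.lower() in SHELLS]
    for c in conns:
        if c.pid not in tainted:       # IMDS calls from platform agents are expected
            continue
        if c.dest == IMDS_IP:
            alerts.append(f"IMDS access from SQL-spawned pid {c.pid}")
        elif c.dest in EXFIL_HOSTS:
            alerts.append(f"webhook.site contact from SQL-spawned pid {c.pid}")
    return alerts

# Constructed sample telemetry: SQL Server spawns cmd, which spawns PowerShell,
# which reaches IMDS and webhook.site; svchost reaching IMDS is benign noise.
SAMPLE_PROCS = [Proc(100, 1, "services.exe"), Proc(200, 100, "sqlservr.exe"),
                Proc(300, 200, "cmd.exe"), Proc(400, 300, "powershell.exe"),
                Proc(500, 100, "svchost.exe")]
SAMPLE_CONNS = [Conn(400, IMDS_IP), Conn(400, "webhook.site"), Conn(500, IMDS_IP)]
```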

Conclusion

This incident highlights the importance of properly securing cloud identities to prevent similar risks [1] [2]. Swift response and enhanced protection measures [3], such as those provided by Microsoft Defender for SQL alerts, are crucial as organizations migrate to the cloud [3]. Robust defenses [3], asset protection [3], and least privilege practices with tightly limited permissions [3] [5] are essential in mitigating these risks. The tactic observed in this campaign, moving from a compromised SQL Server instance into Microsoft’s Azure cloud platform [2], had not previously been seen against SQL Server. Cloud-based attack approaches are growing in sophistication [4], which makes securing cloud identities all the more important in preventing future incidents.

References

[1] https://thehackernews.com/2023/10/microsoft-warns-of-cyber-attacks.html
[2] https://www.crn.com/news/security/microsoft-discloses-new-hacker-tactic-aimed-at-azure-cloud
[3] https://cisotimes.com/cloud-lateral-movement-via-exploited-sql-servers/
[4] https://www.cryptus.in/hackingnews/microsoft-issues-a-cyber-attack-warning-regarding-attempts-to-hack-cloud-using-sql-server-instance/
[5] https://itssecurityyall.substack.com/p/microsoft-warns-of-new-sql-server