A recent cyberattack campaign exploited a SQL injection vulnerability in an application, allowing the attackers to gain access to, and elevated permissions on, a Microsoft SQL Server instance deployed in an Azure Virtual Machine. The attackers then attempted to move laterally into Microsoft's Azure cloud platform but were unsuccessful. This incident highlights the growing sophistication of cloud-based attack techniques and the importance of securing cloud identities.
The attack began with a SQL injection, which enabled the attackers to gather information, run operating system commands, conduct reconnaissance, download executables and PowerShell scripts, and set up persistence via a scheduled task. They also attempted data exfiltration using a publicly accessible tool called webhook[.]site. To further the attack, they accessed the instance metadata service and obtained the cloud identity access key, with the goal of abusing that token to perform various operations on cloud resources. However, the attack ended in failure due to an unspecified error.
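Each step in that chain leaves host telemetry that a defender can correlate around the SQL Server service process. The following is an added detection example, not code from the write-up or from Microsoft Defender: it runs a few rules over constructed process-creation and network events (modelled on what an endpoint sensor would emit after normalisation; the PIDs, command lines and the staging file path are invented). Processes whose ancestry leads back to `sqlservr.exe` are flagged when they are a shell spawned directly by the service, a scheduled-task creation, a request to the Azure instance metadata service's identity endpoint (`169.254.169.254/metadata/identity/...`, the documented token endpoint), or an outbound connection to the webhook service named in the report.

```python
SQL_SERVICE = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
IMDS_ADDRESS = "169.254.169.254"          # Azure instance metadata service
WATCHED_EXFIL_HOSTS = {"webhook.site"}    # outbound service named in the write-up

# Constructed sample telemetry (not real logs) from one VM.
PROCESSES = [
    {"pid": 100, "ppid": 1,   "image": "sqlservr.exe",   "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",        "cmdline": "cmd.exe /c whoami"},
    {"pid": 210, "ppid": 100, "image": "powershell.exe", "cmdline": r"powershell.exe -NoProfile -File C:\Windows\Temp\stage.ps1"},
    {"pid": 220, "ppid": 210, "image": "schtasks.exe",   "cmdline": "schtasks.exe /create /tn updater /sc minute"},
    {"pid": 300, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 310, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]
NETWORK = [
    {"pid": 210, "dest": IMDS_ADDRESS, "url": "http://169.254.169.254/metadata/identity/oauth2/token"},
    {"pid": 210, "dest": "webhook.site", "url": "https://webhook.site/constructed-id"},
    {"pid": 310, "dest": IMDS_ADDRESS, "url": "http://169.254.169.254/metadata/instance"},  # benign: not under SQL
]


def build_tree(processes):
    """Index process events by PID so parent chains can be walked."""
    return {p["pid"]: p for p in processes}


def lineage(tree, pid):
    """Yield the process with this PID and then each ancestor present in the tree."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        yield tree[pid]
        pid = tree[pid]["ppid"]


def spawned_by_sql(tree, pid):
    """True if any ancestor (excluding the process itself) is the SQL Server service."""
    if pid not in tree:
        return False
    return any(p["image"].lower() == SQL_SERVICE for p in lineage(tree, tree[pid]["ppid"]))


def detect(processes, network):
    """Return (rule_name, pid) pairs for activity descending from sqlservr.exe."""
    tree = build_tree(processes)
    alerts = []
    for p in processes:
        if not spawned_by_sql(tree, p["pid"]):
            continue
        image = p["image"].lower()
        # OS command execution launched directly from the database engine process.
        if image in SHELLS and tree[p["ppid"]]["image"].lower() == SQL_SERVICE:
            alerts.append(("sql_os_command", p["pid"]))
        # Scheduled-task creation anywhere beneath the service: persistence.
        if image == "schtasks.exe":
            alerts.append(("sql_persistence_schtask", p["pid"]))
    for n in network:
        if not spawned_by_sql(tree, n["pid"]):
            continue
        # Token request to the metadata service from a SQL-spawned process.
        if n["dest"] == IMDS_ADDRESS and "/metadata/identity/" in n["url"]:
            alerts.append(("sql_imds_token_request", n["pid"]))
        # Outbound traffic to a known public webhook/exfiltration service.
        if n["dest"].lower() in WATCHED_EXFIL_HOSTS:
            alerts.append(("sql_outbound_to_webhook_service", n["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(PROCESSES, NETWORK):
        print(f"{rule:35s} pid={pid}")
```

The benign PowerShell session under `explorer.exe` that reads the instance endpoint produces no alert, which is the point of anchoring every rule on the `sqlservr.exe` ancestry: a database engine has no business spawning shells, registering scheduled tasks, or fetching identity tokens, so those events are high-signal even when each action is individually legitimate elsewhere on the host.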
The attackers exploited a SQL injection vulnerability to gain access to a Microsoft SQL Server instance running on an Azure Virtual Machine (VM) and obtained elevated permissions. They then tried to reach further cloud resources by abusing the server's cloud identity. The attack involved gathering information, obtaining PowerShell scripts, and establishing persistence through a backdoor script. The attackers also attempted to exfiltrate data using a legitimate outbound traffic service.
This incident highlights the importance of properly securing cloud identities to prevent similar risks. Swift response and enhanced protection measures, such as those provided by Microsoft Defender for SQL alerts, are crucial as organizations migrate to the cloud. Robust defenses, asset protection, least privilege practices, and limited permissions are essential in mitigating these risks. The tactic observed in this campaign, moving from a compromised SQL Server instance into Microsoft's Azure cloud platform, is a new approach for SQL Server. The sophistication of cloud-based attack approaches is increasing, and securing cloud identities is crucial to preventing future incidents.