Microsoft confirms Azure attacks using breached SQL servers


Hackers are targeting Azure virtual machines (VMs) using flawed Microsoft SQL servers as a stepping stone, security researchers have revealed.

Microsoft’s experts recently reported observing the method in action, which also marks the first time an SQL server has been used in this way.

To start the attack, the threat actors first take advantage of an SQL injection vulnerability in an application on a target’s endpoint. After gaining access (as well as elevated privileges) to the instance hosted on an Azure VM, they run SQL commands to pull out data on things like databases, table names, schemas, database versions, and more. In some cases (depending on the vulnerable application initially targeted), the threat actors can also end up running operating system (OS) commands via SQL, allowing them to read directories, download PowerShell scripts, run backdoors via scheduled tasks, pull user credentials, and more.

Valid approach

The next step is to try to access the Instance Metadata Service (IMDS) by exploiting the cloud identity of the SQL Server instance. That can give them a cloud identity access key - and thus a way into the Azure VM.

While Microsoft’s researchers said the attackers they were observing couldn’t get the job done completely due to errors, the approach is “valid” and can be considered a huge threat to organizations everywhere. The final step in the attack is removing any traces of it ever happening.
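For defenders, the chain described above (OS commands run via SQL, PowerShell, scheduled tasks, then IMDS access) leaves a recognisable process lineage under the SQL Server process. The sketch below is an added example, not code from Microsoft's report or this article; the event format, rule names, and sample events are constructed, and it assumes events arrive in chronological order with no PID reuse.

```python
import ntpath  # parses Windows paths regardless of the OS running this script

SQL_SERVER = "sqlservr.exe"        # SQL Server database engine process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
IMDS_ADDR = "169.254.169.254"      # link-local address of the Azure IMDS

# Constructed process-creation events, oldest first (not from the report).
EVENTS = [
    {"pid": 1200, "ppid": 700, "cmdline": "sqlservr.exe -sMSSQLSERVER",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"pid": 3300, "ppid": 1200, "cmdline": "cmd.exe /c dir",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3310, "ppid": 3300,
     "cmdline": "powershell.exe -Command <web request to http://169.254.169.254/...>",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 3320, "ppid": 3300, "cmdline": "schtasks.exe /create <task arguments>",
     "image": r"C:\Windows\System32\schtasks.exe"},
    # Benign: interactive PowerShell that is not descended from SQL Server.
    {"pid": 4100, "ppid": 900, "cmdline": "powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: hypothetical agent that reads IMDS outside the SQL Server tree.
    {"pid": 4200, "ppid": 800, "cmdline": "monitoring-agent.exe --imds 169.254.169.254",
     "image": r"C:\Agents\monitoring-agent.exe"},
]

def detect(events):
    """Return (pid, rule) alerts for processes descended from sqlservr.exe."""
    tainted = set()   # PIDs of sqlservr.exe and every descendant seen so far
    alerts = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name == SQL_SERVER:
            tainted.add(ev["pid"])
            continue
        if ev["ppid"] not in tainted:
            continue                      # unrelated process tree
        tainted.add(ev["pid"])            # propagate lineage to grandchildren
        if name in SHELLS:
            alerts.append((ev["pid"], "shell-under-sqlserver"))
        if name == "schtasks.exe":
            alerts.append((ev["pid"], "scheduled-task-under-sqlserver"))
        if IMDS_ADDR in ev["cmdline"]:
            alerts.append((ev["pid"], "imds-access-under-sqlserver"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Command-line matching only catches IMDS access that is visible in process arguments; network telemetry for connections from the SQL Server host to the IMDS address covers the rest.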

To stay safe, organizations are advised to apply the principle of least privilege when granting user permissions.

“Not properly securing cloud identities can expose SQL Server instances and cloud resources to similar risks,” Microsoft’s researchers warned in the report. “This method provides an opportunity for the attackers to achieve greater impact not only on the SQL Server instances but also on the associated cloud resources.”

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
