TotalCloud Insights: Safeguarding Your Cloud Database from SQL Server Threats and Lateral Movement Risks

Rahul Pareek

Last updated on: June 3, 2024

Introduction

In today’s tech-driven world, cloud computing has completely changed how businesses store and manage their data. It offers many advantages, like flexibility, scalability, and cost savings, making it a go-to choice for organizations of all sizes. Keeping your data secure, especially in databases, is crucial, as cybercriminals always seek ways to gain unauthorized access to sensitive information.

Ensuring your database’s safety in the cloud is a top priority. A data breach can be disastrous, leading to financial losses, legal trouble, and damage to your reputation. Understanding comprehensive database security strategies is essential to protect your valuable data from ever-evolving digital threats.

In this blog, we will dive deep into the world of database security in the cloud. We’ll explore challenges and show you some of the best database protection practices. We’ll cover everything from the basics of database security to more advanced topics like encryption and access controls.

Recent Attacks & Emerging Threats: Azure SQL Server Lateral Movement

Microsoft’s security experts discovered a troubling cyberattack. The attackers tried to break into a cloud environment by targeting a SQL Server instance. This is a significant change from the usual methods in other cloud services like Virtual Machines (VMs) and Kubernetes clusters.

SQL Server Lateral Movement: Emerging Threats and Defense Strategies

The attackers were able to infiltrate the victim’s environment by exploiting a critical SQL injection vulnerability in one of its applications. SQL injection is a vulnerability in which untrusted user input is incorporated into SQL queries, letting an attacker inject their own SQL statements and read databases and sensitive data; attackers commonly automate this with tools like SQLMap, Havij, SQLNinja, BSQL Hacker, NoSQLMap, and MSSQL Injection Tools. In this case, once they gained access, the attackers were able to elevate their permissions within a Microsoft SQL Server instance hosted on an Azure Virtual Machine (VM). With these elevated permissions, they attempted to reach additional cloud resources by abusing the server’s cloud identity. It’s important to note that cloud identities are widely used across cloud services, including SQL Server, and they can hold permissions that enable actions within the cloud.

Multiple alerts generated by Microsoft Defender for SQL were used to discover this attack. These alerts served as invaluable warning signs, enabling Microsoft to identify and thoroughly analyze the lateral movement technique used in the cloud environment. Furthermore, these alerts allowed them to swiftly deploy enhanced security measures, even though they lacked complete visibility into the application that was targeted by the SQL injection and served as the entry point to the SQL Server.

Fortunately, Microsoft’s analysis did not reveal any concrete evidence of the attackers successfully reaching additional cloud resources through lateral movement. However, this should not downplay the significance of this discovery. We strongly urge defenders to remain vigilant, stay informed about this emerging technique against SQL Server instances, and take the necessary steps to protect their organizations against similar attacks. The security of your cloud environment and sensitive data depends on it.

Delving into the Cyberattack Scenario

Now, let’s dive deeper into understanding the full attack scenario in this case, as it exhibited several interesting tactics that defenders can learn from. The primary technique observed was the exploitation of SQL Server for lateral movement within the cloud environment.

Figure 2: The full attack path of the Azure SQL Server attack

The Intersection of Known Techniques in a New Context: SQL Server to Cloud Lateral Movement

Although attempting to move laterally from an SQL Server instance is a relatively new development, the attack exhibited elements commonly associated with SQL Server attacks. Initially, the attackers gained access through a successful SQL injection attack, allowing them to run queries on the SQL Server instance. They collected information about the host, databases, and network configuration, including database details, table names, database versions, and various permissions.

Notably, the application targeted by the SQL injection likely had elevated permissions, granting the attackers comparable access. They utilized this elevated access to enable the xp_cmdshell command, a method to execute operating system commands via SQL queries. This command is typically turned off by default to prevent exploitation, but the attackers manipulated their acquired permissions to activate it.

After enabling xp_cmdshell, the attackers executed a series of operating system commands, acting like they had control over the host. They used these commands to gather data by examining directories, listing processes, and inspecting network shares. The attackers also downloaded executables and PowerShell scripts that were encoded and compressed. Most of their actions were executed through PowerShell commands, scripts, and modules.

To ensure persistence, the attackers employed a scheduled task to launch a backdoor script and attempted to extract credentials by accessing the SAM and SECURITY registry keys.

More generally, attackers use a variety of methods to stay persistent. They may manipulate registry keys or startup folders, install their payload as a service or scheduled task, deploy malicious browser extensions, infect the boot process, hijack DLLs, alter file system and registry permissions, or even patch system binaries.

Figure 3: Qualys EDR upcoming feature for detecting persistence via the creation of a scheduled task.

Credential dumping involves extracting credentials stored on the system or within the Azure environment using specialized tools. While Azure SQL Server itself doesn’t store passwords in plaintext due to its authentication mechanisms, attackers might target other areas where credentials are stored or cached. They may use tools like Mimikatz, ProcDump, Pwdump, Gsecdump, SAMInside, PWDumpX, etc. to extract credentials from memory, system files, SAM (Security Accounts Manager), and security registry keys. Qualys EDR has excellent capabilities for detecting these kinds of activities/attacks.

Figure 4: Qualys EDR upcoming feature for detecting credential dumping.

The attackers employed a unique method for data exfiltration, utilizing a publicly accessible service called “webhook.site.” This service is a platform for inspecting and receiving incoming HTTP requests and emails, allowing the attackers to effectively conceal their outgoing traffic.

As we delved deeper into the lateral movement technique used by the attackers, we discovered a familiar method applied in a new context. The attackers attempted to leverage the cloud identity of the SQL Server instance by accessing the instance metadata service (IMDS) to obtain the cloud identity access key. The IMDS provides information about the VM and offers the identity token, which allows access to various cloud resources and services.

Although the attackers were unsuccessful in exploiting this technique due to an error, it underscores the importance of defenders implementing best practices to protect their environments against similar attacks.
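The steps described above (enabling xp_cmdshell, running encoded PowerShell, creating a scheduled task, touching the SAM/SECURITY hives, and querying the IMDS for the identity token) each leave a trace in SQL audit records. The following added example, which is not code from the original post or from Microsoft Defender for SQL, shows how a defender could run simple detection rules over such records and correlate them per principal. The rule names, regexes, event field names and the sample audit events are all constructed for this example.

```python
import re
from collections import defaultdict

# Detection patterns mirroring the steps in the incident narrative. Rule names and
# regexes are this example's own assumptions, not vendor signatures.
RULES = {
    "xp_cmdshell_enabled": re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I),
    "xp_cmdshell_exec": re.compile(r"\bexec(?:ute)?\s+(?:master\.(?:dbo)?\.)?xp_cmdshell\b", re.I),
    "encoded_powershell": re.compile(r"powershell(?:\.exe)?\b.*?\s-enc\w*", re.I),
    "imds_access": re.compile(r"169\.254\.169\.254|/metadata/identity", re.I),
    "scheduled_task": re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I),
    "sam_registry": re.compile(r"(?:hklm|hkey_local_machine)\\(?:sam|security)\b", re.I),
}

def detect(events):
    """Match every audit event against RULES, then correlate hits per principal.

    events: iterable of dicts with 'time', 'principal' and 'statement' (constructed
    stand-ins for rows of an Azure SQL audit log). Returns a list of finding dicts.
    """
    findings = []
    hits = defaultdict(set)  # principal -> set of rule names that fired
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["statement"]):
                findings.append({"rule": name, "principal": ev["principal"], "time": ev["time"]})
                hits[ev["principal"]].add(name)
    # Enabling xp_cmdshell and then calling it is the pivot from SQL to the host OS,
    # so raise one correlated finding per principal that did both.
    for principal, names in hits.items():
        if {"xp_cmdshell_enabled", "xp_cmdshell_exec"} <= names:
            findings.append({"rule": "chain_sql_to_os", "principal": principal, "time": None})
    return findings

# Constructed sample events; only app_user's activity should fire.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01Z", "principal": "app_user", "statement": "SELECT name, database_id FROM sys.databases"},
    {"time": "2024-05-01T10:00:05Z", "principal": "app_user", "statement":
     "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"time": "2024-05-01T10:00:09Z", "principal": "app_user", "statement": "EXEC master..xp_cmdshell 'powershell -enc <base64-placeholder>'"},
    {"time": "2024-05-01T10:00:12Z", "principal": "app_user", "statement":
     "EXEC xp_cmdshell 'curl -H Metadata:true http://169.254.169.254/metadata/identity/oauth2/token'"},
    {"time": "2024-05-01T10:00:20Z", "principal": "app_user", "statement": "EXEC xp_cmdshell 'schtasks /create /tn Updater /tr C:\\temp\\b.ps1 /sc minute'"},
    {"time": "2024-05-01T10:00:25Z", "principal": "app_user", "statement": "EXEC xp_cmdshell 'reg save HKLM\\SAM C:\\temp\\sam.hive'"},
    {"time": "2024-05-01T10:01:00Z", "principal": "report_svc", "statement": "SELECT TOP 10 * FROM dbo.Orders"},
]
```

Feeding real audit rows in requires only mapping the statement column into the same dict shape; the correlated `chain_sql_to_os` finding is the one worth paging on.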

Preventing These Types of SQL Server Lateral Movement Attacks

Multilayered Cloud Database Security Strategy

Database security in the cloud, as needed to guard against this kind of attack, comprises several layers, each playing a pivotal role in protecting your data from exfiltration. Here, we’ll explore and recommend how best to protect your data from SQL Server lateral movement attacks with Qualys TotalCloud for guidance. This will help you understand how controls (known as CIDs for TotalCloud) function under each layer to protect your cloud data.

Figure 6: Qualys TotalCloud TruRisk Insights shows a publicly exposed SQL server with advanced data security disabled.

Layer 1: Network Security

The first layer involves establishing robust firewalls, which are crucial for filtering network traffic. Cloud-based firewalls prevent unauthorized network access to database services and help identify suspicious activity.

Recommendation:
Ensure that no SQL Servers allow ingress from the Internet (ANY IP) to enhance security and data protection (CID 50002). Allowing unrestricted access from any IP address on the internet increases the risk of unauthorized access, data breaches, and security vulnerabilities. Restricting access to only trusted and necessary IP addresses or networks is a critical security measure that helps prevent malicious attacks, reduce the attack surface, and maintain compliance with security best practices and data protection regulations.

Layer 2: Access Management

The second layer focuses on user access control. Authentication ensures users have a legitimate identity, typically verified via a password. Authorization then permits these authenticated users to access and perform specific operations on company data. To enhance security, it’s vital to periodically reassess and minimize the access levels of both the applications connected to SQL Server and the Azure VM. Regularly auditing for least privilege compliance helps in mitigating risks of unauthorized access.

Recommendation:
Qualys recommends configuring Azure Active Directory Admin for an SQL Server to enhance security and access control (CID 50035). By associating a specific Azure Active Directory admin with an SQL Server, you centralize and manage access to the server through Azure AD. This approach ensures that access is granted to authorized individuals or applications, helping to prevent unauthorized or malicious users from gaining control over the SQL Server. It also simplifies user management and aligns with identity and access management best practices, improving overall security and compliance.

Layer 3: Threat Detection

Layer three deals with the detection and mitigation of threats. Monitoring database activities is essential for recognizing anomalies and potential dangers.

Recommendation:
Activate Azure SQL Server auditing to detect anomalies and support compliance with standards such as GDPR, HIPAA, and PCI DSS (CID 50343). This aids regulatory adherence, data integrity protection, and risk management. Additionally, extending audit retention beyond 90 days enhances security and supports thorough investigations and long-term accountability (CID 50237). To further enhance security, use Qualys Policy Compliance (CID 27011) to regularly check the status of the xp_cmdshell option on SQL Servers. This ensures that this powerful feature is appropriately managed and secured, aligning with best practices for threat detection and prevention.

Layer 4: Information Protection

Layer four entails information protection through data encryption, backup procedures, and disaster recovery plans. Encryption ensures that only authorized parties can read sensitive data. Disaster recovery enables data backup and restoration, while physical security measures limit access to cloud servers, adding an extra layer of protection.

Recommendation:
Turn ON data encryption for SQL databases for security and compliance (CID 50001). Use customer-managed keys with SQL Server Transparent Data Encryption (TDE) to secure data in Azure (CID 50027). Avoid SKU Basic/Consumption for SQL PaaS databases due to limited security features; higher-tier SKUs offer better protection and compliance (CID 50453).
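The controls recommended across the four layers (CID 50002, 50035, 50343, 50237, 50001 and 50453) can be expressed as a small posture check. The following added example, which is not Qualys TotalCloud code or the CID implementations, evaluates a constructed snapshot of an Azure SQL server against those controls; the `SqlServerPosture` field names and the two sample servers are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SqlServerPosture:
    """Constructed snapshot of one Azure SQL server; field names are this example's own."""
    name: str
    firewall_rules: list                  # (rule_name, start_ip, end_ip)
    aad_admin: Optional[str]              # Azure AD admin login, None if not configured
    auditing_enabled: bool
    audit_retention_days: int             # Azure auditing treats 0 as unlimited retention
    databases: list = field(default_factory=list)  # (db_name, sku_tier, tde_enabled)

IPV4_SPACE = 2 ** 32  # number of IPv4 addresses an "ANY IP" rule admits

def rule_size(start, end):
    """Number of addresses a start/end firewall rule admits."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1

def evaluate(server):
    """Return one 'CID nnnnn: ...' string per failed control, across the four layers."""
    findings = []
    for rule, start, end in server.firewall_rules:         # Layer 1, CID 50002
        if rule_size(start, end) == IPV4_SPACE:
            findings.append(f"CID 50002: rule '{rule}' admits ANY IP ({start}-{end})")
    if not server.aad_admin:                                # Layer 2, CID 50035
        findings.append("CID 50035: no Azure AD admin configured")
    if not server.auditing_enabled:                         # Layer 3, CID 50343 / 50237
        findings.append("CID 50343: auditing disabled")
    elif 0 < server.audit_retention_days <= 90:
        findings.append(f"CID 50237: audit retention {server.audit_retention_days} days, need > 90")
    for db, tier, tde in server.databases:                  # Layer 4, CID 50001 / 50453
        if not tde:
            findings.append(f"CID 50001: database '{db}' has encryption (TDE) off")
        if tier.lower() == "basic":
            findings.append(f"CID 50453: database '{db}' uses Basic SKU")
    return findings

# Constructed servers: one exposed and weakly configured, one hardened.
WEAK = SqlServerPosture("sql-prod-weak",
    [("AllowAll", "0.0.0.0", "255.255.255.255"), ("office", "203.0.113.0", "203.0.113.255")],
    None, True, 30, [("orders", "Basic", False), ("crm", "GeneralPurpose", True)])
HARDENED = SqlServerPosture("sql-prod-ok",
    [("office", "203.0.113.0", "203.0.113.255")],
    "dba-admins@example.com", True, 0, [("orders", "GeneralPurpose", True)])
```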

Conclusion

As the adoption of cloud technology continues to expand, malicious actors are evolving their tactics, making it imperative to establish robust security measures. It is essential to deploy comprehensive security strategies, such as audit logging, data encryption using customer-managed keys (CMK), and the implementation of least privilege principles. These measures are vital for curtailing the risk of unauthorized access and protecting SQL Server instances and cloud assets from potential security threats.

In our next post, we’ll review findings from the Qualys Cloud Research Team of failure rates across cloud solution providers and database security layers and the insights we take from these findings.
