Recent Attacks on SQL Server VMs in Microsoft Azure
Poorly secured SQL Server VMs in Microsoft Azure are being attacked. And they are being used as a beachhead for additional exploits. According to a recent Microsoft warning, these attacks allow the bad actors to gain access to cloud resources without having to compromise the underlying infrastructure.
How the attack works
In the warning, Microsoft says that hackers typically start by exploiting SQL injection vulnerabilities in web applications. They embed and submit malicious code into web forms which is parsed and executed by SQL Server. This vulnerability allows them to run native SQL code in the SQL Server. Then they explore to see what they can do.
Often, they will extract sensitive data such as sensitive data, login credentials, and role information. That’s bad enough. But they don’t stop there.
Once they have access to the SQL Server, they use the cloud identity of the SQL Server instance to access other cloud resources, such as storage accounts, other virtual machines, and other SQL Servers.
They can effectively take over the Azure cloud infrastructure using the SQL Server VM.
Protecting your SQL Server VMs in Microsoft Azure
A multi-layered approach to security is best. And one of those layers should be the security posture of your SQL Server environment. Specifically, you should:
- Patch: Keep your SQL Servers up to date with the latest Cumulative Updates and security patches.
- MFA: Use strong passwords and multi-factor authentication for all SQL Server accounts.
- Secure: Implement least privilege access for all SQL Server accounts.
- Monitor: Proactively monitor SQL server logs for suspicious activity.
- Audit: Leverage auditing tools such as SQL Audit to review access and changes.
- Segment: Segment your Azure environment to limit the damage that attackers can do if they do gain access.
- Educate: Educate your employees about security best practices, such as phishing awareness and password hygiene.
That’s a good start. For more information see these two resources – Protecting SQL Server from Ransomware and SQL Server Security Best Practices.
Additional resources
If you’d like some additional information about SQL Server security, here are some additional posts that may help:
- DB#JAMMER is Targeting Poorly Secured SQL Servers
- Securing Your SQL Servers, What Should You Audit?
- Who Has sysadmin Access to your SQL Servers?
- Why is it important to monitor SQL Server?
- Do I Still Need a SQL Server Health Check?
Want some help?
I recently talked with a security professional. His take: Prevention is far less costly than dealing with the aftermath of a security incident. I agree.
The threat of SQL injection attacks, and other attacks, is real. And it’s not going away. Secure your SQL Server. You can do it yourself or call a company like The SERO Group to help. But do it.
If you would like help assessing your SQL Server’s security posture, let’s talk.