
Unexpected Azure API calls indicating MySQL database modification

ID: azure_mysql_database_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562 (Defense Evasion: Impair Defenses)

Description

AlphaSOC detected modifications to an Azure Database for MySQL Flexible Server via the Microsoft.DBforMySQL/flexibleServers/configurations/write operation (which sets an individual server parameter, such as require_secure_transport) or the Microsoft.DBforMySQL/flexibleServers/write operation (which creates or updates server-level properties). Changes to database settings may impact security posture or performance. Adversaries may alter configurations to weaken security controls, enable unauthorized access, or prepare for data exfiltration. The alert is anomaly-based: it fires when the acting identity, the operation, or the source network (ASN) deviates from what has been observed for that identity before.

Impact

Unauthorized database modifications can disable security features such as enforced TLS (the require_secure_transport server parameter), enable public network access, or weaken authentication requirements. These changes may expose sensitive data to unauthorized access or create pathways for data exfiltration. Configuration changes can also disrupt database availability, for example by changing resource limits or forcing a server restart.

Severity

Severity   Condition
Low        One unexpected property (the action or the source ASN is new for this identity)
Medium     Two unexpected properties at the same time (both the action and the source ASN are new)

Investigation and Remediation

Review the specific configuration changes made to the MySQL server: the Activity log record names the target parameter in its resourceId (the segment after configurations/) and carries the submitted value in the request body. Verify the identity of the user or service principal who made the modification (caller), the source IP address and ASN (callerIpAddress), and confirm the action was authorized, for example by matching it to a change ticket or deployment run. Check for changes to network access rules, TLS requirements (require_secure_transport, tls_version), auditing, or authentication settings. If unauthorized changes are detected, restore the original configuration, review the audit and slow-query logs for what was accessed in the window between the change and remediation, and investigate the acting account for compromise (recent sign-ins, consent grants, credential or token changes).
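The following is an added example, not AlphaSOC's own detection code or the page's original content. It reproduces the severity table above over a handful of constructed Azure Activity log records (simplified to the fields the logic needs) and does the first triage step from the investigation guidance: it pulls the changed parameter out of the resourceId and flags whether it is a security-relevant setting. The per-identity baseline, the prefix-to-ASN mapping, the identities and the sample records are all made up for illustration; a real pipeline would learn the baseline from history and resolve ASNs from GeoIP or BGP data.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Operations this detection watches (from the description above).
WATCHED_OPERATIONS = {
    "Microsoft.DBforMySQL/flexibleServers/configurations/write",
    "Microsoft.DBforMySQL/flexibleServers/write",
}

# Server parameters whose change most directly weakens security posture.
SECURITY_PARAMETERS = {"require_secure_transport", "tls_version", "audit_log_enabled"}

# Constructed baseline (assumption): operations and ASNs previously seen per identity.
BASELINE = {
    "dba@example.com": {
        "operations": {"Microsoft.DBforMySQL/flexibleServers/configurations/write"},
        "asns": {64500},
    },
    "svc-deploy@example.com": {
        "operations": {"Microsoft.DBforMySQL/flexibleServers/write"},
        "asns": {64500},
    },
}

# Constructed prefix -> ASN table (assumption; documentation ranges and private ASNs).
ASN_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}


def asn_for(ip: str) -> int | None:
    """Resolve a caller IP to an ASN via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_PREFIXES.items():
        if addr in net:
            return asn
    return None


def parameter_from_resource_id(resource_id: str) -> str | None:
    """For configurations/write the target parameter is the last resourceId segment."""
    parts = resource_id.rstrip("/").split("/")
    if len(parts) >= 2 and parts[-2] == "configurations":
        return parts[-1]
    return None


@dataclass
class Finding:
    caller: str
    operation: str
    parameter: str | None
    unexpected: list[str] = field(default_factory=list)
    severity: str | None = None  # None means expected activity, no alert

    def security_relevant(self) -> bool:
        return self.parameter in SECURITY_PARAMETERS


def score(record: dict) -> Finding | None:
    """Apply the severity table: one unexpected property -> Low, two -> Medium."""
    op = record["operationName"]
    # The Activity log emits Started/Succeeded/Failed records; only score completed writes.
    if op not in WATCHED_OPERATIONS or record.get("status") != "Succeeded":
        return None
    caller = record["caller"]
    base = BASELINE.get(caller, {"operations": set(), "asns": set()})
    unexpected = []
    if op not in base["operations"]:
        unexpected.append("action")
    if asn_for(record["callerIpAddress"]) not in base["asns"]:
        unexpected.append("asn")
    severity = {0: None, 1: "Low"}.get(len(unexpected), "Medium")
    return Finding(caller, op, parameter_from_resource_id(record["resourceId"]), unexpected, severity)


def scan(records: list[dict]) -> list[Finding]:
    """Return only the records that produce an alert."""
    findings = (score(r) for r in records)
    return [f for f in findings if f is not None and f.severity is not None]


SERVER = "/subscriptions/s/resourceGroups/rg/providers/Microsoft.DBforMySQL/flexibleServers/db01"

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Known DBA, known operation, known ASN: expected, no alert.
    {"operationName": "Microsoft.DBforMySQL/flexibleServers/configurations/write", "status": "Succeeded",
     "caller": "dba@example.com", "callerIpAddress": "203.0.113.10",
     "resourceId": f"{SERVER}/configurations/max_connections"},
    # Deployment principal from its usual ASN, but setting a parameter it never touches: Low.
    {"operationName": "Microsoft.DBforMySQL/flexibleServers/configurations/write", "status": "Succeeded",
     "caller": "svc-deploy@example.com", "callerIpAddress": "203.0.113.20",
     "resourceId": f"{SERVER}/configurations/require_secure_transport"},
    # DBA from a new ASN performing a new operation: Medium.
    {"operationName": "Microsoft.DBforMySQL/flexibleServers/write", "status": "Succeeded",
     "caller": "dba@example.com", "callerIpAddress": "198.51.100.7", "resourceId": SERVER},
    # Read-only operation: not in scope for this detection.
    {"operationName": "Microsoft.DBforMySQL/flexibleServers/read", "status": "Succeeded",
     "caller": "dba@example.com", "callerIpAddress": "198.51.100.7", "resourceId": SERVER},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        flag = " [security-relevant parameter]" if f.security_relevant() else ""
        print(f"{f.severity}: {f.caller} {f.operation} param={f.parameter} unexpected={f.unexpected}{flag}")
```

Running the block prints one Low finding for the deployment principal (flagged as security-relevant because it changed require_secure_transport) and one Medium finding for the DBA acting from an unfamiliar network, while the expected DBA change and the read operation produce nothing.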