Unexpected Azure API calls indicating MySQL firewall rule modification
Description
AlphaSOC detected modification of an Azure MySQL Flexible Server firewall rule via Microsoft.DBforMySQL/flexibleServers/firewallRules/write. Firewall rules control which IP addresses can connect to the database server.
Adversaries may modify firewall rules to enable external access to databases, allowing them to connect from attacker-controlled infrastructure. This can facilitate data exfiltration, unauthorized queries, or brute force attacks against database credentials.
Impact
Firewall rule modifications can expose database servers to unauthorized network access. Attackers may add rules to allow connections from malicious infrastructure, enabling data theft, credential harvesting, or database manipulation. Weakened network controls increase the risk of brute force attacks and exploitation of database vulnerabilities.
Severity
| Severity | Condition |
|---|---|
| Low | Firewall rule modification detected |
| Medium | Anomalous firewall rule modification |
Investigation and Remediation
Review Azure Activity logs for Microsoft.DBforMySQL/flexibleServers/firewallRules/write events. Examine the IP ranges added or modified and verify whether they correspond to legitimate infrastructure. Check whether the changes were authorized through change management processes.
If unauthorized, remove the suspicious firewall rules immediately. Review database connection logs for access from unexpected IP addresses during the exposure window. Rotate database credentials and investigate the compromised identity for additional malicious activity.
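The triage described above, as an added example that is not AlphaSOC's own detection code: it filters constructed Azure Activity log records for the firewallRules/write operation, sizes the IP range each rule opens, and compares it against a known-infrastructure allowlist, rating a plain modification Low and an anomalous one Medium as in the severity table. The record field names other than operationName, the allowlist, and the range-size threshold are assumptions for this example.

```python
import ipaddress

OP = "MICROSOFT.DBFORMYSQL/FLEXIBLESERVERS/FIREWALLRULES/WRITE"

# Constructed sample records. The startIpAddress/endIpAddress pair mirrors the
# ARM firewall-rule resource body; other field names are assumed for the example.
SAMPLE_EVENTS = [
    {"operationName": OP, "caller": "dba@example.com",
     "callerIpAddress": "203.0.113.10",
     "resourceId": "/subscriptions/s/resourceGroups/rg/providers/Microsoft.DBforMySQL"
                   "/flexibleServers/db1/firewallRules/office",
     "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"},
    {"operationName": OP, "caller": "svc-deploy",
     "callerIpAddress": "198.51.100.7",
     "resourceId": "/subscriptions/s/resourceGroups/rg/providers/Microsoft.DBforMySQL"
                   "/flexibleServers/db1/firewallRules/AllowAll",
     "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START",
     "caller": "ops@example.com", "callerIpAddress": "203.0.113.11",
     "resourceId": "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"},
]

# Assumed allowlist of ranges that belong to legitimate infrastructure, and the
# largest range a single rule is expected to open (a /24 here).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MAX_RANGE_SIZE = 256


def triage_firewall_writes(events, known_ranges=KNOWN_RANGES, max_size=MAX_RANGE_SIZE):
    """Return one finding per firewallRules/write event, flagging anomalous ranges."""
    findings = []
    for ev in events:
        if ev.get("operationName", "").upper() != OP:
            continue  # not a MySQL firewall rule modification
        start = ipaddress.ip_address(ev["startIpAddress"])
        end = ipaddress.ip_address(ev["endIpAddress"])
        size = int(end) - int(start) + 1  # number of addresses the rule admits
        reasons = []
        if size > max_size:
            reasons.append(f"range spans {size} addresses")
        if not any(start in net and end in net for net in known_ranges):
            reasons.append("range outside known infrastructure")
        findings.append({
            "rule": ev["resourceId"].rsplit("/", 1)[-1],
            "caller": ev["caller"],
            "caller_ip": ev["callerIpAddress"],
            "range": f"{start}-{end}",
            "severity": "medium" if reasons else "low",
            "reasons": reasons,
        })
    return findings
```

Findings rated Medium are the ones to cross-check against change management before removing the rule and reviewing connection logs for the exposure window.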