Hackers target PostgreSQL servers

A new type of attack has been discovered targeting PostgreSQL databases, in which malware authors are using an image of Hollywood actress Scarlett Johansson to hide a cryptocurrency miner they intend to run on the DB's underlying server.

The attack has been observed in a honeypot server ran by Imperva researchers. Experts say crooks gained access to a PostgreSQL database user account, where they executed payloads found in the Metasploit framework's PostgreSQL module.

This module lets the attacker escalate his access from the DB process to the underlying server OS, while also staying under the radar of DAM (database audit monitoring) solutions.

Coinminer hidden in benign PNG image

Once attackers escalate their access, the first series of commands they run (listing the server's CPU and GPU details) reveal their true intentions —cryptocurrency mining.

Hackers will then download a PNG file (art-981754.png) from a legitimate image hosting service —imagehousing.com. Researchers say this image (embedded below) portrays famous Hollywood actress Scarlett Johansson, at first glance, but when they looked at the image's binary code, they found a cryptocurrency miner appended after the actual image data.

Scarlett Johansson image used by attackers

Attackers would use the Linux "dd" (data duplicator) utility to extract the coinminer embedded at the end of the image, and then spawn the new file into a new process.

This new process will use the local server to mine the Monero cryptocurrency for the hackers. All mined funds are sent the following Monero address:

4BBgotjSkvBjgx8SG6hmmhEP3RoeHNei9MZ2iqWHWs8WEFvwUVi6KEpLWdfNx6Guiq5451Fv2SoxoD7rHzQhQTVbDtfL8xS

Hackers made over $65,000

According to XMR Hunter, a service that tracks Monero addresses across mining pools, the hackers behind this campaign appear to have made 317.265615122445 Monero ($65,500), albeit it is unknown how much of this has been done using PostgreSQL servers.

XMR Hunter wallet

Imperva has contacted imagehousing.com, which removed the image from their service, albeit hackers most likely uploaded it to another image hosting service in the meantime.

With over 710,000 PostgreSQL servers connected to the Internet, experts have put out the following recommendations for database owners:

—Make sure your database is not assigned with a public IP address. If it is, restrict access only to the hosts that interact with it (application server or clients owned by DBAs).
—Use a firewall to block outgoing network traffic from your database to the internet.
—Watch out for direct calls to lo_export or indirect calls through entries in pg_proc.
—Beware of functions calling to C-language binaries.
—Secure the default postgres user with a strong password.

There is a malware epidemic going on, with multiple malware groups engaged in spreading cryptocurrency mining malware. Besides PostgreSQL databases, hacker groups have previously targeted Redis, OrientDB, Oracle WebLogic, Windows Server, Apache Solr, Apache Struts, and various other DB and server technologies in the past few months.

Image credits: Disney, Bleeping Computers

Related Articles:

Rakhni Ransomware Adds Coinminer Component

CoinMiner Campaigns Move to the Cloud via Docker, Kubernetes

CryptoCurrency Miner Plays Hide-and-seek with Popular Games and Tools

Robocall Firm Exposes Hundreds of Thousands of US Voters' Records

Russia Runs Incomplete, Slow, Sloppy Vulnerability Database