A new type of attack has been discovered targeting PostgreSQL databases, in which malware authors are using an image of Hollywood actress Scarlett Johansson to hide a cryptocurrency miner they intend to run on the DB’s underlying server.
The attack has been observed in a honeypot server ran by Imperva researchers. Experts say crooks gained access to a PostgreSQL database user account, where they executed payloads found in the Metasploit framework’s PostgreSQL module.
This module lets the attacker escalate his access from the DB process to the underlying server OS, while also staying under the radar of DAM (database audit monitoring) solutions.
Coinminer hidden in benign PNG image
Once attackers escalate their access, the first series of commands they run (listing the server’s CPU and GPU details) reveal their true intentions —cryptocurrency mining.
Hackers will then download a PNG file (art-981754.png) from a legitimate image hosting service —imagehousing.com. Researchers say this image (embedded below) portrays famous Hollywood actress Scarlett Johansson, at first glance, but when they looked at the image’s binary code, they found a cryptocurrency miner appended after the actual image data.
Attackers would use the Linux « dd » (data duplicator) utility to extract the coinminer embedded at the end of the image, and then spawn the new file into a new process.
This new process will use the local server to mine the Monero cryptocurrency for the hackers. All mined funds are sent the following Monero address:
4BBgotjSkvBjgx8SG6hmmhEP3RoeHNei9MZ2iqWHWs8WEFvwUVi6KEpLWdfNx6Guiq5451Fv2SoxoD7rHzQhQTVbDtfL8xS
Hackers made over $65,000
According to XMR Hunter, a service that tracks Monero addresses across mining pools, the hackers behind this campaign appear to have made 317.265615122445 Monero ($65,500), albeit it is unknown how much of this has been done using PostgreSQL servers.
Imperva has contacted imagehousing.com, which removed the image from their service, albeit hackers most likely uploaded it to another image hosting service in the meantime.
With over 710,000 PostgreSQL servers connected to the Internet, experts have put out the following recommendations for database owners:
—Use a firewall to block outgoing network traffic from your database to the internet.
—Watch out for direct calls to lo_export or indirect calls through entries in pg_proc.
—Beware of functions calling to C-language binaries.
—Secure the default postgres user with a strong password.
There is a malware epidemic going on, with multiple malware groups engaged in spreading cryptocurrency mining malware. Besides PostgreSQL databases, hacker groups have previously targeted Redis, OrientDB, Oracle WebLogic, Windows Server, Apache Solr, Apache Struts, and various other DB and server technologies in the past few months.
To read the original article: