Malware that mines the cryptocurrency Monero is being planted on PostgreSQL database servers, using an image of Hollywood actress Scarlett Johansson as its attack vector. According to security firm Imperva, whose StickyDB database management system (DBMS) honeypot uncovered the attack, once the image has been downloaded onto a server the payload tries to force its way into the DBMS. The compromised system is then made to use PostgreSQL to invoke Linux or Unix shell commands, which install a Monero cryptocurrency miner.
Cryptocurrency-mining malware attacks are on the rise because cryptocurrencies have grown in value and because the miners often elude detection, which makes them potentially highly profitable. The Smominru miner, for instance, has already infected half a million machines, mainly Windows servers, earning its operators at least $3.6 million.
A PostgreSQL instance, like the Memcached servers abused in the recent record-breaking DDoS attacks, should not be exposed to the Internet in the first place. If it is, then it is unlikely to have been secured in other ways either. Indeed, a Shodan search (Shodan is the search engine for Internet-connected devices) revealed nearly 710,000 PostgreSQL servers that are vulnerable to attack. There are so many of them because it is very easy to set them up without security procedures in place, particularly on Amazon Web Services (AWS).
The method used to deliver the PostgreSQL payload is steganography, the hiding of data or malware inside an image. It is a relatively well-worn technique, and in this instance a G-rated image of Johansson is the lure: the malware payload lurks behind it.
Once it has infected a machine, the miner checks whether the server has access to a GPU, which it needs in order to mine profitably.
If it succeeds, the owner is unlikely to learn of its presence from an antivirus program (according to Imperva, most antivirus products fail to detect this kind of attack). The first sign is more likely to be a monthly cloud bill that is much larger than expected, because of the GPU capacity the miner is consuming.
Imperva offers several recommendations for preventing this from happening:
- Be alert to direct PostgreSQL calls to lo_export, or to indirect calls made through entries in pg_proc;
- Be wary of PostgreSQL functions that call C-language binaries;
- Deploy a firewall to block outgoing network traffic from your database to the Internet;
- Ensure that your database is not assigned a public IP address. If you find that it is, restrict access to the hosts that legitimately interact with it (the application server, or clients owned by DBAs).
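The first two recommendations above are detection advice, so here is an added example (written for this page, not code from Imperva) of what that detection can look like: a small scanner over PostgreSQL statement logs that flags direct `lo_export()` calls, `CREATE FUNCTION ... LANGUAGE C` definitions, and direct edits to the `pg_proc` catalog. The log lines, file paths and function names are constructed placeholders, not indicators from the article; the log format assumes `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %u@%d '`, which is an assumption about the reader's configuration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines (not a real capture). They follow the shape
# PostgreSQL produces with log_statement = 'all' and
# log_line_prefix = '%m [%p] %u@%d '. Paths and function names are
# hypothetical placeholders, not indicators from the article.
SAMPLE_LOG = """\
2018-03-12 10:01:03.412 UTC [2211] app@orders LOG:  statement: SELECT id, total FROM orders WHERE id = 42
2018-03-12 10:01:09.008 UTC [2214] postgres@postgres LOG:  statement: SELECT lo_export(16401, '/tmp/hypothetical.so')
2018-03-12 10:01:09.377 UTC [2214] postgres@postgres LOG:  statement: CREATE OR REPLACE FUNCTION run_it(text) RETURNS int AS '/tmp/hypothetical.so', 'run_it' LANGUAGE C STRICT
2018-03-12 10:01:12.900 UTC [2214] postgres@postgres LOG:  statement: UPDATE pg_catalog.pg_proc SET probin = '/tmp/hypothetical.so' WHERE proname = 'run_it'
2018-03-12 10:02:00.100 UTC [2211] app@orders LOG:  statement: INSERT INTO notes(body) VALUES ('lo_export was discussed in ticket 17')
"""

# One statement line: timestamp, [pid], user@db, then the SQL text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# A single-quoted SQL literal; '' inside it is an escaped quote.
STRING_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")

# (rule name, pattern, match against literal-stripped text?)
RULES = [
    # Direct lo_export() call: writes a large object to a file on the DB host.
    ("lo_export_call", re.compile(r"\blo_export\s*\(", re.I), True),
    # User-defined function backed by a C binary. Matched on the raw text so
    # that both "LANGUAGE C" and "LANGUAGE 'c'" are caught.
    ("c_language_function",
     re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+'?c'?(?!\w)",
                re.I | re.S),
     False),
    # Direct edits to the pg_proc catalog: the indirect route the article mentions.
    ("pg_proc_modified",
     re.compile(r"\b(?:INSERT\s+INTO|UPDATE|DELETE\s+FROM)\s+(?:pg_catalog\.)?pg_proc\b", re.I),
     True),
]


@dataclass
class Finding:
    line_no: int
    timestamp: str
    user: str
    database: str
    rule: str
    statement: str


def strip_string_literals(sql: str) -> str:
    """Blank out quoted literals so that a mention of lo_export inside data
    (such as a ticket note stored in a table) does not trigger an alert."""
    return STRING_LITERAL_RE.sub("''", sql)


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per (statement line, matched rule)."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line, or a different log_line_prefix
        sql = m.group("sql")
        stripped = strip_string_literals(sql)
        for rule, pattern, use_stripped in RULES:
            if pattern.search(stripped if use_stripped else sql):
                findings.append(Finding(line_no, m.group("ts"), m.group("user"),
                                        m.group("db"), rule, sql))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.timestamp} {f.user}@{f.database} [{f.rule}]: {f.statement}")
```

Run against the sample, the scanner reports lines 2, 3 and 4 (the `lo_export` call, the C-language function definition and the catalog edit) and stays silent on the application's ordinary queries, including the `INSERT` whose string literal merely mentions `lo_export`. Feeding it a real log requires only adjusting `LINE_RE` to the server's `log_line_prefix`; the rules themselves are independent of the prefix.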