It's not the first time an image has been used to give a victim malware, but it may be the first time it's been used so narrowly. According to the security firm Imperva, their StickyDB database management system (DBMS) honeypot has uncovered an attack that places malware, which cryptomines Monero, on PostgreSQL DBMS servers. Its attack vector? An image of Hollywood star Scarlett Johansson.
Now, you might ask, "How many PostgreSQL DBMS servers are out there on the internet to be attacked?" The answer: "More than you'd expect." A Shodan search revealed almost 710,000 PostgreSQL servers ready to be hacked. It appears there are so many of them because it's way too easy, especially on Amazon Web Services (AWS), to set up PostgreSQL servers without security.
Cryptocurrency malware attacks are becoming increasingly common. Why not? They're profitable. The Smominru miner alone has infected at least half a million machines, mostly Windows servers, and has made at least $3.6 million.
While Smominru used the relatively sophisticated EternalBlue exploit to spread, this method of attack, steganography, the hiding of data or malware inside an image, is older than the hills. In this attack, what appears to be a G-rated image of Scarlett carries a malware payload.
The attack doesn't start with the image, though. The attacker first brute-forces the login of a PostgreSQL server exposed to the internet. Since a PostgreSQL instance shouldn't be sitting on the internet in the first place, chances are good that one that is hasn't been secured in other ways either, weak passwords included. Once in, the attacker uses PostgreSQL itself to run Linux or Unix shell commands (the large-object export and C-language function features called out in the recommendations below), and those commands fetch the image, pull the payload out of it, and install a Monero cryptocurrency miner.
Besides trying to spread itself to other targets and hide itself, the program starts looking to see whether your server has access to a GPU. Without one of those, your server, whether bare-metal or virtual, isn't going to do a cryptominer much good.
If it is successful, the first thing you'll know about it is when your monthly cloud bill is far higher than expected. According to Imperva, most antivirus programs fail to detect this attack.
So, what can you do? Imperva recommends:
- Watch out for direct PostgreSQL calls to lo_export or indirect calls through entries in pg_proc.
- Beware of PostgreSQL functions that call C-language binaries.
- Use a firewall to block outgoing network traffic from your database to the internet.
- Make sure your database is not assigned a public IP address. If it is, restrict access to only the hosts that interact with it (the application server or clients owned by DBAs).
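The first two recommendations above amount to auditing the pg_proc catalog. Here is one way to do that, as an added example that is not part of Imperva's write-up or of this article: a set of read-only queries a DBA can run on a PostgreSQL server to surface the artefacts the attack leaves behind (a user-defined C-language function, a function body that reaches for lo_export or lo_import, stray large objects, and roles with enough privilege to create any of those). The catalog names are PostgreSQL's own; the assumption is a reasonably recent server (the extension-dependency filter and the lo_export ACL apply to PostgreSQL 9.1+ and 11+ respectively), and the queries must be run as a superuser to see everything.

```sql
-- Added audit queries, not from the original report. Run as a superuser.

-- 1. User-defined functions written in C. On a server with no extensions
--    installed this should return no rows; extension members are filtered out
--    via pg_depend (deptype 'e'). Anything left over deserves an explanation.
SELECT n.nspname                    AS schema,
       p.proname                    AS function_name,
       p.probin                     AS shared_object,  -- the .so the function loads
       p.prosrc                     AS symbol,         -- C symbol inside that .so
       pg_get_userbyid(p.proowner)  AS owner
FROM   pg_proc       p
JOIN   pg_language   l ON l.oid = p.prolang
JOIN   pg_namespace  n ON n.oid = p.pronamespace
WHERE  l.lanname = 'c'
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  NOT EXISTS (SELECT 1 FROM pg_depend d
                   WHERE  d.classid = 'pg_proc'::regclass
                     AND  d.objid   = p.oid
                     AND  d.deptype = 'e');

-- 2. Functions in any language whose body references the large-object
--    file functions, i.e. the "indirect calls through entries in pg_proc".
SELECT n.nspname, p.proname, l.lanname, pg_get_userbyid(p.proowner) AS owner
FROM   pg_proc       p
JOIN   pg_language   l ON l.oid = p.prolang
JOIN   pg_namespace  n ON n.oid = p.pronamespace
WHERE  p.prosrc ~* 'lo_(export|import)'
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema');

-- 3. Large objects currently stored in the database. lo_export writes one of
--    these to a file on the server, so an unexpected object owned by an
--    application role is a sign that something was staged for export.
SELECT m.oid,
       pg_get_userbyid(m.lomowner) AS owner,
       (SELECT count(*) FROM pg_largeobject o WHERE o.loid = m.oid) AS pages
FROM   pg_largeobject_metadata m
ORDER  BY m.oid;

-- 4. Who may call the server-side lo_export/lo_import at all. In PostgreSQL 11
--    and later these are controlled by an ACL; any grantee other than the
--    bootstrap superuser is worth a second look.
SELECT proname, proacl
FROM   pg_proc
WHERE  pronamespace = 'pg_catalog'::regnamespace
  AND  proname IN ('lo_export', 'lo_import');

-- 5. Creating a C-language function requires superuser, so a brute-forced
--    superuser that can log in remotely is the whole ball game. Every row here
--    should be a role you recognise, and none of them should be reachable from
--    the internet (see pg_hba.conf and the firewall recommendations above).
SELECT rolname
FROM   pg_roles
WHERE  rolsuper AND rolcanlogin
ORDER  BY rolname;
```

Direct, one-off calls to lo_export leave nothing in the catalogs once they have run, so query 2 only catches the indirect form. To see the direct form you need statement logging (log_statement, or the pgaudit extension) and a search of the logs for lo_export and lo_import; treat any hit from an application role as an incident, not a curiosity.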
In other words, once more the best security recommendation is to practice server security 101, and you should be safe from attacks like this one. And, if you must ogle the lovely Ms. Johansson, make sure you only look at safe pictures.