New Malware Hidden Within PostgreSQL Process Deploys Cryptocurrency Miners

A recent incident has highlighted the risks that weak password practices pose to PostgreSQL databases. An attacker brute-forced the database credentials, gained unauthorized access to a PostgreSQL instance, and abused a database feature that permits command execution on the host. This allowed the attacker to create a superuser role, drop files that eliminated competing malware, and deploy cryptocurrency miners.

Attack Methodology

Upon breaching the system, the attacker created a new superuser account to guarantee continued access. They then stripped the originally compromised user of its superuser privileges, so that anyone else who later guessed the same credentials would gain less from them. To gather intelligence on the system, the attacker ran commands to locate the authentication configuration file, determine the PostgreSQL server version, and execute system commands such as uname and whoami.

Using a temporary table, the attacker ran shell commands and captured their output, then opened a TCP connection to a remote server to download two malicious payloads: pg_core and pg_mem. The first, pg_core, is itself a cryptominer, while pg_mem is a dropper for the XMRIG cryptominer and is designed to run in memory.

Evading Detection

Both payloads include mechanisms to evade detection: they remove logs, terminate competing malware processes, and establish persistence through cron jobs. In addition, the attacker modified the pg_hba.conf authentication configuration file to permit connections that would otherwise be rejected, further solidifying their foothold in the system.
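As an added defender-side example (not from the article or from AquaSec's report), the following Python scans PostgreSQL statement logs for the three moves described in the Attack Methodology and Evading Detection sections: a new SUPERUSER role being created, the original role being stripped with NOSUPERUSER, and operating-system commands run through COPY ... FROM PROGRAM, which is the standard PostgreSQL command-execution feature the article leaves unnamed (an assumption on my part). It assumes log_statement = 'all' and the default log_line_prefix; the log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the default log_line_prefix style ('%m [%p] %u@%d ').
# They illustrate the reported sequence and are not taken from the incident.
SAMPLE_LOG = """\
2024-08-20 10:01:02.123 UTC [2211] postgres@postgres LOG:  statement: SELECT version();
2024-08-20 10:01:05.456 UTC [2211] postgres@postgres LOG:  statement: CREATE ROLE pg_backup WITH LOGIN SUPERUSER PASSWORD 'x';
2024-08-20 10:01:07.789 UTC [2211] postgres@postgres LOG:  statement: ALTER ROLE postgres NOSUPERUSER;
2024-08-20 10:01:09.000 UTC [2211] pg_backup@postgres LOG:  statement: CREATE TEMP TABLE t(o text);
2024-08-20 10:01:09.500 UTC [2211] pg_backup@postgres LOG:  statement: COPY t FROM PROGRAM 'uname -a; whoami';
2024-08-20 10:02:00.000 UTC [2300] app@appdb LOG:  statement: SELECT * FROM orders WHERE id = 42;
2024-08-20 10:02:01.000 UTC [2300] app@appdb LOG:  statement: COPY orders TO '/tmp/orders.csv';
"""

# Parses the default prefix: timestamp with zone, [pid], user@database, then the statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# Each rule names one step of the reported takeover. \bSUPERUSER\b deliberately
# does not match inside NOSUPERUSER, so the two role rules stay distinct.
RULES = [
    ("superuser_role_created", re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)),
    ("superuser_revoked", re.compile(r"\bALTER\s+(ROLE|USER)\b.*\bNOSUPERUSER\b", re.I)),
    ("os_command_via_copy", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: str
    user: str
    sql: str


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per statement line that matches a rule; plain DML and COPY to a file do not match."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, rx in RULES:
            if rx.search(m.group("sql")):
                findings.append(Finding(name, m.group("pid"), m.group("user"), m.group("sql")))
    return findings


def takeover_sessions(findings: list[Finding]) -> set[str]:
    """PIDs in which a new superuser was created and an existing one was then demoted: the lock-out pattern."""
    created = {f.pid for f in findings if f.rule == "superuser_role_created"}
    revoked = {f.pid for f in findings if f.rule == "superuser_revoked"}
    return created & revoked
```

Run against a real server the log_line_prefix regex will need adjusting if the prefix was customised, and COPY alerts should be correlated with the role that issued them, since only superusers and members of pg_execute_server_program can use PROGRAM.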

Widespread Vulnerability

A recent Shodan search found more than 800,000 PostgreSQL databases reachable from the public internet, which is a significant security risk in itself. Every one of them is a candidate for the same brute-force and post-exploitation sequence, underscoring the urgent need for organizations to lock down their database servers.

The attackers' entry point maps to MITRE ATT&CK technique T1190, Exploit Public-Facing Application, since the exposed PostgreSQL service was the path into the system. According to AquaSec, this allowed the attackers to bypass existing security measures and establish a foothold in the target environment.

Persistence and Resource Hijacking

The attacker's strategy combined shell command execution, creation of a new account with elevated privileges, and manipulation of existing roles to maintain persistence. They scheduled tasks to run malicious scripts, deleted evidence of their activity, and used their elevated privileges to execute commands as a superuser. Having guessed the database credentials, the attacker accessed sensitive data, downloaded malicious files from a remote server over web protocols, and ultimately commandeered the system's resources for cryptocurrency mining.
