Attackers Deliver Cryptominer to PostgreSQL Servers as Scarlett Johansson Pic

Security researchers have come across an attack against PostgreSQL servers that installs cryptominer malware that’s hidden in a picture of actress Scarlett Johansson.

The unusual attack was captured in a honeypot by researchers from security firm Imperva, who intentionally left their database exposed. However, there are 710,000 PostgreSQL servers that are directly accessible from the internet—this is not recommended practice—and which could be susceptible to brute-force attacks.

AWS Builder Community Hub

Once inside the database, the attackers observed by Imperva used a modified Metasploit module for interacting with PostgreSQL to execute shell commands on the underlying server. The goal of the changes was to evade detection by some database audit monitoring (DAM) solutions that monitor privileged operations attempts like calls to the lo_export function.

After gaining the ability to execute system commands, the attackers performed some reconnaissance to determine the server’s GPU and CPU. This is useful information to have when you plan to mine cryptocurrency on a machine.

Following the information gathering steps, researchers observed something unusual: The attackers downloaded an image from a popular file hosting website that, when opened, turned out to be a picture of Scarlett Johansson. On closer inspection, it was discovered that the file had a binary payload appended to it.

The attackers used the Linux dd command to extract the binary, set its permissions and execute it, all through SQL operations. This launched a Monero mining program on the machine.

The wallet address used by the hackers has collected 312 Monero coins so far, which are valued at more than $90,000. This suggests the attackers have successfully compromised multiple servers.

But why would attackers embed their malware into a picture? It turns out that despite this being an old and well-known technique, it can still trick many security products. When the Imperva researchers uploaded the image to the VirusTotal service, only three antivirus programs detected it as malicious, but when they uploaded the embedded cryptominer alone, it was detected by 18 antivirus engines.

“Using this trick of appending binary code to legit files (images, documents) to create such a mutated file is a really old-school method, but it still bypasses most of the antiviruses, which is shocking,” the Imperva researchers said in a blog post.

Intel Strengthens Upcoming CPUs Against Spectre-Like Attacks

Intel’s future CPUs will contain a new set of hardware features that will allow operating systems to protect themselves against attacks that attempt to take advantage of the processor’s speculative execution.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3 [Spectre and Meltdown],” Intel CEO Brian Krzanich said in a blog post. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.”

The new protections will be introduced in the next generation of Intel Xeon processors code-named Cascade Lake, as well as in the 8th Generation Intel Core processors that are expected to be released later this year.

Krzanich also noted that Intel has published microcode updates that mitigate the Spectre side-channel attack for all processors released over the past five years. The new “protective walls” introduced in the next generation of CPUs are just one of the steps the company will take as part of its Security-First pledge announced in January, he said.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin