Why Photo Scarlett Johansson made PostgresSQL Mine Monero
As part of the campaign to protect the data of our customers, we in Imperva talk about different methods of attacks on the database. If you are not familiar with our research project StickyDB, read past articles: Part I and Part II . It describes a device for a network of hanipots (Fig. 1), which lures intruders to attack our databases, so that we can study their methods and improve protection.
Fig. 1. Network environment of StickyDB hanipot
We recently discovered an interesting technique during the attack of one of the PostgreSQL servers. After entering the database, the attacker continued to create payloads from the built-in binaries in the downloaded images, save payloads to the disk and run them. As often happens lately, the attacker seized the resources of the server for mining Monero. As if this is not enough, the attack vector was a photograph of Scarlett Johansson . Well then fine. Let's figure out how it works!
Like other popular databases, there is a metasploit module for PostgreSQL that facilitates interaction with the OS. The standard method is used here - creating payloads at run time by dumping the binary to disk using the lo_export function. One small change in the module is to introduce the lo_export function as an entry in the pg_proc directory instead of a direct call. This is done to avoid detection by some database audit monitoring systems (DAM), which closely monitor privileged operations like lo_export . Thus, obj6440002537 is essentially an indirect call to lo_export (Fig. 2).
')
Fig. 2. Evasion technique through indirect challenge lo_export
Now an attacker can run local system commands with one simple function
So what are the next attack steps? A little intelligence. The hacker begins by obtaining information about the GPU by executing the lshw -c video command, and then cat / proc / cpuinfo , in order to obtain information about the processor (Figure 3-4). Although it seems strange at first glance, such a check makes sense if the final goal is to get more of your favorite cryptocurrency, right?
Fig. 3. View GPU information
Fig. 4. View CPU information
To date, the attacker has gained access to the database, established a channel for remote code execution, and also bypassed DAM solutions and learned about the details of the system. Now everything is ready to ... upload a photo of Scarlett Johansson ?! Wait WHAT?
I must say, the attackers are showing more and more creativity.
In this case, the attackers wanted to download a new sample of malicious code, so they placed it on the usual free photo hosting site imagehousing.com . However, the payload must be in binary format. If you simply rename the binary to the .PNG format, the file will not pass validation when uploading to a photo hosting site as an invalid image that cannot be viewed. Instead of renaming the file, the attacker added a malicious binary code to a real photo of the beautiful Scarlett Johansson (Fig. 5). So the download passes successfully - the image is viewable, it seems benign, and the payload is still there.
Fig. 5. Payload. When opened, it looks like a regular image. Do not worry - the picture is clean here, that's for sure!
See the binary code? He is right under her left elbow! :)
We reported imagehousing.com about the problem - and the image was deleted.
So, to download an image ( art-981754.png ) with a payload was easy for the wget team. Extraction of the executable file from the photo is done with the command dd (data duplicator). Then set permissions to execute, in fact, full permissions ( chmod 777 ) for the created file x4060014400 . The final step is to run this newly retrieved payload.
Fig. 6: How to download a picture using SQL tools, extract a binary and execute it
The file x4060014400 creates another binary with the name s4060014400 . His task is to mine Monero (XMR) in the pool https://monero.crypto-pool.fr/ , IP 163.172.226.218 (Fig. 7). To this address, Monero currently lists over 312.5 XMRs worth more than $ 90,000:
4BBgotjSkvBjgx8SG6hmmhEP3RoeHNei9mz2iqwhws8wefvwuvi6keplwdfnx6guiq5451fv2soxod7rhzqhqtvbdtfl8xs
Fig. 7. SQL statement to start mining Monero
Of course, when it's done, you need to cover up the tracks.
Fig. 8. Cleaning traces
From the point of view of the attacker - mission accomplished!
Using Google's VirusTotal, we checked how almost 60 antiviruses react to three different forms of crypto miner in this attack: the URL where the malicious image was located, the image file itself and the crypto miner. Results:
Fig. 9. One antivirus responded to malicious URL
Fig. 10. Three antiviruses reacted to the malicious image.
Fig. 11. Eighteen antiviruses discovered cryptominer
The trick with adding a binary to normal files (images, documents) is a very old method, but it still allows you to bypass most antiviruses. This is really a shocking fact.
Creating such a mutant file is trivial in one line:
Linux: cat myExecutableFile >> myImageFile.png
Windows: type myExecutableFile.exe >> myImageFile.png
You can find PostgreSQL instances on domains using detection tools, such as Nmap , if the attacker is already inside the local network. But is it possible to find simpler targets? What about PostgreSQL bases open to the outside world? It is known that it is not recommended to do this, but are there such databases? Well ... actually, yes, at least 710,000 of them are hosted on AWS in a bunch (Fig. 12). And find them elementary through Shodan . So an attacker can easily get a list, run a brute force password for the default postgres user, log in and use some of the methods described.
Fig. 12. 710 thousand PostgreSQL instances with open IP addresses. Illustration: shodan.io
In the next article in this series, we will discuss other attacks. The last article will be about protection, but here are some quick tips on how to avoid this threat:
Fig. 1. Network environment of StickyDB hanipot
We recently discovered an interesting technique during the attack of one of the PostgreSQL servers. After entering the database, the attacker continued to create payloads from the built-in binaries in the downloaded images, save payloads to the disk and run them. As often happens lately, the attacker seized the resources of the server for mining Monero. As if this is not enough, the attack vector was a photograph of Scarlett Johansson . Well then fine. Let's figure out how it works!
Remote code execution and DAM protection bypass
Like other popular databases, there is a metasploit module for PostgreSQL that facilitates interaction with the OS. The standard method is used here - creating payloads at run time by dumping the binary to disk using the lo_export function. One small change in the module is to introduce the lo_export function as an entry in the pg_proc directory instead of a direct call. This is done to avoid detection by some database audit monitoring systems (DAM), which closely monitor privileged operations like lo_export . Thus, obj6440002537 is essentially an indirect call to lo_export (Fig. 2).
')
Fig. 2. Evasion technique through indirect challenge lo_export
OK, your database is in control. And what is your GPU?
Now an attacker can run local system commands with one simple function
fun6440002537 . This SQL function is a wrapper for calling a C function sys_eval , a small exported function in tmp406001440 (a binary file based on sqlmapproject ), which is usually used as a proxy for invoking shell commands.So what are the next attack steps? A little intelligence. The hacker begins by obtaining information about the GPU by executing the lshw -c video command, and then cat / proc / cpuinfo , in order to obtain information about the processor (Figure 3-4). Although it seems strange at first glance, such a check makes sense if the final goal is to get more of your favorite cryptocurrency, right?
Fig. 3. View GPU information
Fig. 4. View CPU information
To date, the attacker has gained access to the database, established a channel for remote code execution, and also bypassed DAM solutions and learned about the details of the system. Now everything is ready to ... upload a photo of Scarlett Johansson ?! Wait WHAT?
Malware under the guise of pictures of Scarlett Johansson
I must say, the attackers are showing more and more creativity.
In this case, the attackers wanted to download a new sample of malicious code, so they placed it on the usual free photo hosting site imagehousing.com . However, the payload must be in binary format. If you simply rename the binary to the .PNG format, the file will not pass validation when uploading to a photo hosting site as an invalid image that cannot be viewed. Instead of renaming the file, the attacker added a malicious binary code to a real photo of the beautiful Scarlett Johansson (Fig. 5). So the download passes successfully - the image is viewable, it seems benign, and the payload is still there.
Fig. 5. Payload. When opened, it looks like a regular image. Do not worry - the picture is clean here, that's for sure!
See the binary code? He is right under her left elbow! :)
We reported imagehousing.com about the problem - and the image was deleted.
From uploading images to crypto-mining
So, to download an image ( art-981754.png ) with a payload was easy for the wget team. Extraction of the executable file from the photo is done with the command dd (data duplicator). Then set permissions to execute, in fact, full permissions ( chmod 777 ) for the created file x4060014400 . The final step is to run this newly retrieved payload.
Fig. 6: How to download a picture using SQL tools, extract a binary and execute it
The file x4060014400 creates another binary with the name s4060014400 . His task is to mine Monero (XMR) in the pool https://monero.crypto-pool.fr/ , IP 163.172.226.218 (Fig. 7). To this address, Monero currently lists over 312.5 XMRs worth more than $ 90,000:
4BBgotjSkvBjgx8SG6hmmhEP3RoeHNei9mz2iqwhws8wefvwuvi6keplwdfnx6guiq5451fv2soxod7rhzqhqtvbdtfl8xs
Fig. 7. SQL statement to start mining Monero
Of course, when it's done, you need to cover up the tracks.
Fig. 8. Cleaning traces
From the point of view of the attacker - mission accomplished!
Do antiviruses react to these malicious photos?
Using Google's VirusTotal, we checked how almost 60 antiviruses react to three different forms of crypto miner in this attack: the URL where the malicious image was located, the image file itself and the crypto miner. Results:
- URL: one antivirus responded (fig. 9)
- Image file: three antiviruses warned about a hidden cryptomaner (Fig. 10)
- Extracted crypto liner: detected by 18 antiviruses (Fig. 11)
Fig. 9. One antivirus responded to malicious URL
Fig. 10. Three antiviruses reacted to the malicious image.
Fig. 11. Eighteen antiviruses discovered cryptominer
The trick with adding a binary to normal files (images, documents) is a very old method, but it still allows you to bypass most antiviruses. This is really a shocking fact.
Creating such a mutant file is trivial in one line:
Linux: cat myExecutableFile >> myImageFile.png
Windows: type myExecutableFile.exe >> myImageFile.png
How does an attacker find a PostgreSQL database?
You can find PostgreSQL instances on domains using detection tools, such as Nmap , if the attacker is already inside the local network. But is it possible to find simpler targets? What about PostgreSQL bases open to the outside world? It is known that it is not recommended to do this, but are there such databases? Well ... actually, yes, at least 710,000 of them are hosted on AWS in a bunch (Fig. 12). And find them elementary through Shodan . So an attacker can easily get a list, run a brute force password for the default postgres user, log in and use some of the methods described.
Fig. 12. 710 thousand PostgreSQL instances with open IP addresses. Illustration: shodan.io
In the next article in this series, we will discuss other attacks. The last article will be about protection, but here are some quick tips on how to avoid this threat:
- Watch for lo_export direct calls or indirect calls through pg_proc entries .
- Beware of the features that access binaries in C (as in Figure 2).
- Use a firewall to block outgoing network traffic from the database to the Internet.
- Make sure your database is not assigned a public IP address. If so, restrict access only to hosts that interact with the database (application server or DBA clients).
Source: https://habr.com/ru/post/351452/
All Articles