An actor’s face is an instrument of depth and expression – a shifting facade that stands guardian to a well of unseen emotions, empathy and, just occasionally, a great lump of malicious binary code.
The code in today’s story is, no surprises, a cryptominer for grinding out Monero cryptocoins, and the face on the photo into which it was inveigled belongs to none other than Hollywood star Scarlett Johansson.
Ms Johansson’s picture, and the miner therein, appeared at the denouement of a hacking performance played out for the viewing pleasure of security company Imperva, as part of its StickyDB honeypot project.
Let us begin.
A honeypot is a computer, in our story a database server, deliberately configured to attract the attention of hackers.
To hackers a honeypot looks like a valuable, easily exploited target but it’s actually a stage on which they’re putting on a show, unwittingly, for an audience of boffins eager to see them at work.
Imperva set up a range of database honeypots to learn about:
common database attacks, tools and techniques employed by attackers, how they gain access, what their actions are once inside, what their end goal is and more.
To entice the hackers the company connected their database honeypots to the internet, left them with weak default credentials and hooked them up to vulnerable web applications. Such a feeble configuration doesn’t ring any alarm bells with the hackers because, sadly, it’s not uncommon – in fact it’s exactly what they’re looking for.
And looking for it is easy because, being connected to the internet, the databases could be found using network scanning tools or Shodan, the search engine for internet-connected stuff.
Although Johansson’s picture was the most eye-catching member of the cast, the story also features another famous name – the PostgreSQL database.
PostgreSQL is a sophisticated and widely used open-source database that probably deserves to be more famous than it is. It’s always attracted rave reviews yet never really threatened to eclipse that limelight-hogging starlet, MySQL, as the internet’s favourite database.
According to Imperva the hackers used the photo of Scarlett Johansson to conceal their cryptominer so that it could be hidden in plain sight, on a publicly accessible image hosting service.
The hosting service is unlikely to attract suspicion and it’s a convenient location from which to download the tool once they’ve gained control of a system. Since the hosting service was likely to check that anything uploaded to it is an image, the hackers had to give it one.
They chose a picture of the Lost in Translation star and appended their tool to the end, as binary data.
Of course, before they could use the photo-with-a-miner-in-it they had to find and exploit a computer on which to run it.
Enter Imperva’s poorly secured PostgreSQL server.
How the crooks gained entry to their server isn’t revealed, save that they logged in. Perhaps they plundered some credentials from a compromised web application that uses the database, or perhaps they just used a password-guessing script to crack the lock.
What Imperva have revealed is that after gaining entry the hackers used a series of SQL INSERT statements to construct a binary payload at runtime. That payload, once written to disk as a file, exported a system-like function that could be used to run shell commands.
The CREATE FUNCTION command was then used to create a database function that mapped to the do-anything function in the binary payload. With that, the crooks could leverage their database access to run commands on the host computer itself.
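The sequence described above leaves a distinctive trail in the server log if statement logging is on: a burst of INSERTs carrying binary literals from one backend, a literal that begins with an executable file header, and then a CREATE FUNCTION that points the database at a native shared library. The following detector is an added example, not Imperva’s tooling or anything published with the StickyDB project; the log lines are constructed, the `/tmp/payload.so` path and hex bytes are placeholders, and the line format assumes `log_statement = 'all'` with the default `log_line_prefix` of `'%m [%p] '`.

```python
import re
from collections import Counter

# Constructed sample of a PostgreSQL server log written with log_statement = 'all'
# and the default log_line_prefix '%m [%p] '. Every line is made up for this
# example; the /tmp/payload.so path and the hex bytes are placeholders.
SAMPLE_LOG = """\
2018-03-06 10:15:01.101 UTC [2231] LOG:  statement: SELECT version();
2018-03-06 10:15:02.202 UTC [2231] LOG:  statement: CREATE TABLE tmp_chunks(id int, data bytea);
2018-03-06 10:15:03.303 UTC [2231] LOG:  statement: INSERT INTO tmp_chunks VALUES (1, decode('7f454c460201010000000000', 'hex'));
2018-03-06 10:15:03.404 UTC [2231] LOG:  statement: INSERT INTO tmp_chunks VALUES (2, decode('0300003e000100000000000000', 'hex'));
2018-03-06 10:15:03.505 UTC [2231] LOG:  statement: INSERT INTO tmp_chunks VALUES (3, decode('400000000000000000000000', 'hex'));
2018-03-06 10:15:05.606 UTC [2231] LOG:  statement: CREATE FUNCTION run_cmd(text) RETURNS text AS '/tmp/payload.so', 'run_cmd' LANGUAGE C STRICT;
2018-03-06 10:16:00.707 UTC [2240] LOG:  statement: INSERT INTO orders(id, note) VALUES (42, 'paid');
2018-03-06 10:16:01.808 UTC [2240] LOG:  statement: CREATE FUNCTION add_one(i int) RETURNS int AS $$ SELECT i + 1 $$ LANGUAGE SQL;
"""

# timestamp, backend pid and the statement text, as produced by the assumed prefix
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$")
# CREATE FUNCTION ... LANGUAGE C loads a native shared library into the server process
NATIVE_FUNC_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b", re.I)
# hex-encoded binary literals, either decode('..', 'hex') or the '\x..' bytea form
HEX_LITERAL_RE = re.compile(r"decode\('([0-9a-f]+)',\s*'hex'\)|'\\x([0-9a-f]+)'", re.I)
EXEC_MAGIC = {"7f454c46": "ELF", "4d5a": "MZ"}  # first bytes of Linux and Windows executables
INSERT_BURST_THRESHOLD = 3  # this many binary INSERTs from one backend suggests piecewise assembly


def parse_statements(log_text):
    """Yield (backend_pid, sql) for every logged statement line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("pid"), m.group("sql")


def scan(log_text):
    """Return a list of (pid, rule, statement) findings for the three indicators."""
    findings = []
    binary_inserts = Counter()
    for pid, sql in parse_statements(log_text):
        if NATIVE_FUNC_RE.search(sql):
            findings.append((pid, "native_function", sql))
        for m in HEX_LITERAL_RE.finditer(sql):
            hexdata = (m.group(1) or m.group(2)).lower()
            if sql.lstrip().upper().startswith("INSERT"):
                binary_inserts[pid] += 1
            for magic, name in EXEC_MAGIC.items():
                if hexdata.startswith(magic):
                    findings.append((pid, f"executable_magic:{name}", sql))
    for pid, count in binary_inserts.items():
        if count >= INSERT_BURST_THRESHOLD:
            findings.append((pid, f"binary_insert_burst:{count}", ""))
    return findings


def main():
    for pid, rule, sql in scan(SAMPLE_LOG):
        print(f"[pid {pid}] {rule}: {sql[:80]}")


if __name__ == "__main__":
    main()
```

Run against the constructed log, backend 2231 trips all three rules while the ordinary application traffic from backend 2240 is silent; the CREATE FUNCTION written in SQL is not flagged because only `LANGUAGE C` loads code from the filesystem. The rules are deliberately independent so that a single hit is worth a look even when the others are missing.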
And what else to do with a server at your mercy than mine some Monero?
The newly minted database function was used to download Ms Johansson’s picture from the file hosting service, using wget, and the end of the picture that contained the miner sliced off into its own file using
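An image with a program stapled to its tail still decodes as an image, which is exactly why the hosting service accepted it, but both PNG and JPEG define where the picture ends (the IEND chunk and the EOI marker respectively), so anything after that point is surplus. The checker below is an added example, not Imperva’s code or the picture from the incident: it walks the container structure to the real end of the image and reports the trailing bytes. The PNG and JPEG inputs are constructed in the block (the JPEG is a structurally valid marker sequence rather than a viewable photo) and the appended bytes are a labelled stand-in for the miner.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk PNG chunks (verifying each CRC) and return the offset just past IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        chunk_end = pos + 8 + length + 4          # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        (crc,) = struct.unpack(">I", data[pos + 8 + length:chunk_end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")


def jpeg_end_offset(data):
    """Walk JPEG marker segments and return the offset just past the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI: the image ends here
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker in (0x01, 0xD8):
            pos += 2                              # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment")
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                        # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                         # a real marker, not stuffing or RSTn
                pos += 1
    raise ValueError("no EOI marker")


def trailing_data(data):
    """Return (format, end_offset, bytes_after_the_image) for a PNG or JPEG."""
    if data.startswith(PNG_SIGNATURE):
        fmt, end = "png", png_end_offset(data)
    elif data[:2] == b"\xff\xd8":
        fmt, end = "jpeg", jpeg_end_offset(data)
    else:
        raise ValueError("unknown image format")
    return fmt, end, data[end:]


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png():
    """Constructed 1x1 black RGB PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")    # filter byte + one pixel
    return PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def minimal_jpeg():
    """Constructed JPEG marker skeleton: SOI, APP0, SOS, scan data (with FF00 stuffing and an RST marker), EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + scan + b"\xff\xd9")


if __name__ == "__main__":
    # constructed stand-in for an appended binary: an ELF-style header followed by filler
    appended = b"\x7fELF" + bytes(12) + b"constructed payload"
    for sample in (minimal_png() + appended, minimal_jpeg() + appended):
        fmt, end, tail = trailing_data(sample)
        print(f"{fmt}: image ends at byte {end}, {len(tail)} trailing bytes: {tail[:4]!r}")
```

The same walk can be run on uploads before they are accepted, or over a file store after the fact; a non-empty tail is not proof of malice (some cameras and editors leave junk there too), but a tail that starts with an executable header deserves attention.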
Like any database, PostgreSQL can be poorly set up, but unlike some it isn’t poorly set up by default – you have to try.
PostgreSQL will not simply attach itself to your external network interfaces and make itself visible on the internet – you have to tell it to do that. Needless to say, databases are often full of data that’s of enormous importance to employers and customers (and which could soon attract hefty fines if leaked).
Attaching that data directly to the internet is like offering attackers from everywhere as many free hits at it as they care to take.
If you know enough to attach a database to a public IP then you owe it to yourself, and your employer, to understand why that’s almost certainly a bad idea, and to read and understand the PostgreSQL security pages.
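The two settings that do the telling are `listen_addresses` in postgresql.conf, which decides which interfaces the server binds, and pg_hba.conf, which decides who may connect from where and how they must authenticate. The audit script below is an added example, not part of the original article or of PostgreSQL itself: it parses constructed fragments of both files and flags the combinations that turn a database into the kind of target the honeypot imitated (binding every interface, `trust` or weak authentication methods, any-address rules, and non-TLS `host` rules off loopback).

```python
import re

# Constructed fragments of postgresql.conf and pg_hba.conf for this example
# (not the honeypot's real configuration).
SAMPLE_POSTGRESQL_CONF = """\
# connection settings
listen_addresses = '*'          # the shipped default is 'localhost'
port = 5432
"""

SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       postgres  0.0.0.0/0      trust
host    all       all       0.0.0.0/0      md5
hostssl app       app       10.0.0.0/8     scram-sha-256
"""

ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}
LOOPBACK = {"127.0.0.1/32", "::1/128", "samehost"}
WEAK_METHODS = {"trust", "password", "md5"}   # no auth, cleartext, or pre-SCRAM hashing
LISTEN_RE = re.compile(r"^\s*listen_addresses\s*=\s*'([^']*)'")


def parse_hba_line(line):
    """Return (type, database, user, address, method) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    f = line.split()
    if f[0] == "local":                       # local lines have no ADDRESS column
        return (f[0], f[1], f[2], None, f[3])
    # host lines may give ADDRESS as CIDR or as 'ip netmask' in two columns
    if "/" not in f[3] and len(f) > 5 and re.match(r"^[0-9a-fA-F.:]+$", f[4]):
        return (f[0], f[1], f[2], f[3] + "/" + f[4], f[5])
    return (f[0], f[1], f[2], f[3], f[4])


def audit(postgresql_conf, pg_hba_conf):
    """Return a list of (file, line_number, message) findings."""
    findings = []
    for n, line in enumerate(postgresql_conf.splitlines(), 1):
        m = LISTEN_RE.match(line)
        if m:
            value = m.group(1).strip()
            if value == "*" or "0.0.0.0" in value or "::" in value:
                findings.append(("postgresql.conf", n,
                                 f"listen_addresses = '{value}' binds every interface; "
                                 "prefer 'localhost' or specific internal addresses"))
    for n, line in enumerate(pg_hba_conf.splitlines(), 1):
        rec = parse_hba_line(line)
        if rec is None:
            continue
        typ, _db, _user, addr, method = rec
        if method == "trust":
            findings.append(("pg_hba.conf", n, "method 'trust' skips authentication entirely"))
        elif method in WEAK_METHODS:
            findings.append(("pg_hba.conf", n, f"method '{method}' is weak; use scram-sha-256"))
        if addr in ANY_ADDRESS:
            findings.append(("pg_hba.conf", n, f"address {addr} accepts clients from anywhere"))
        if typ == "host" and addr not in LOOPBACK:
            findings.append(("pg_hba.conf", n, "type 'host' permits unencrypted connections; use hostssl"))
    return findings


if __name__ == "__main__":
    for fname, lineno, message in audit(SAMPLE_POSTGRESQL_CONF, SAMPLE_PG_HBA):
        print(f"{fname}:{lineno}: {message}")
```

On the constructed input the script reports the wildcard bind and six problems on the two `0.0.0.0/0` rules, and stays quiet for the loopback and `hostssl` lines; a configuration that keeps `listen_addresses = 'localhost'` and only `local` or `hostssl ... scram-sha-256` rules produces no findings at all.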