PostgreSQL is a powerful, open-source relational database management system (RDBMS). Because of its robustness and scalability, PostgreSQL is used extensively in the cloud. Most public cloud providers including AWS, Azure and GCP provide database services to their customers based on PostgreSQL.

According to Google’s January 2023 Threat Horizons report, PostgreSQL is one of the most targeted applications in compromises of Google customers, placing third in frequency (17%) behind SSH (26%) and Jenkins (22%). Weak passwords continue to be the most common vector in the initial access, playing a role in 41% of observed compromises. Attackers are often on the lookout for poorly configured or unsecure PostgreSQL instances deployed in the cloud, Kubernetes or on-premises infrastructure.

Many opportunistic cryptojacking threat actors, including TeamTNT and Kinsing, have targeted misconfigured PostgreSQL instances to mine cryptocurrency. This blog takes a look at the most popular misconfigurations exploited by these adversaries.

PostgreSQL Misconfiguration Allows Cryptojacking

Common PostgreSQL services hosted by cloud service providers (such as Amazon RDS for PostgreSQL, Azure Database for PostgreSQL or GCP Cloud SQL for PostgreSQL) do not allow customization of authentication controls that could lead to this abuse, but when PostgreSQL is deployed manually, many misconfigurations in authentication methods, user roles, access and permissions could occur that may create exploitable exposures.

PostgreSQL supports multiple authentication methods when deployed manually. Of them, “trust” authentication is the most insecure and provides access without the need for any password, which is likely why cryptomining groups like to target PostgreSQL cloud instances with authentication type “trust” enabled. There are two ways in which “trust” authentication can be enabled:

1. Using a pg_hba.conf
2. Using the environment variable POSTGRES_HOST_AUTH_METHOD=trust

On Figure 1 shows “trust” authentication using pg_hba.confwhere any user from any IP can connect to the PostgreSQL server without a password. The username could be a superuser name, in which case the attacker would inherit all of the privileges of a PostgreSQL superuser.

Figure 1. Insecure pg_hba.conf file

“Trust” authentication can also be enabled by setting the environment variable POSTGRES_HOST_AUTH_METHOD=trust inside a Kubernetes pod or a server. Once set, any IP or user can connect to the database without a password.

Additionally, “trust” authentication combined with risky PostgreSQL user default roles (noted below) provides a perfect opportunity for attackers to abuse databases to read or write sensitive files on the filesystem, modify the configuration and escalate privileges.

1. pg_read_server_files (allows OS file reads)
2. pg_write_server_files (allows OS file writes)
3. pg_execute_server_program (allows OS binary to execute)

In an attack on misconfigured PostgreSQL, a remote attacker can authenticate as a superuser or user having the right roles — pg_execute_server_program enables them to download and run suspicious files to mine cryptocurrency. Figure 2.A shows attackers using the COPY command to download and run xmrig, which mines digital currency like Monero; figure 2.B shows the xmrig, process running inside a container successfully mining the currency.

Figure 2.A. An attacker using the COPY command to download and run xmrig

Figure 2.B. Xmrig mining cryptocurrency by remotely accessing misconfigured PostgreSQL

As another example, Figures 3.A and 3.B show how misconfigured PostgreSQL can be used to list any sensitive file without the use of any suspicious tools. Once an attacker has a foothold into the PostgreSQL service, they can set cron jobs to get a reverse shell, escalate privileges to the container root and pivot to attack the Kubernetes host, API or cloud provider’s API to escalate and take over a Kubernetes cluster or cloud account.

Figure 3.A. An attacker using the COPY command to read sensitive files in /etc /passwd

Figure 3.B. The results of an attacker using the COPY command to read sensitive files

CrowdStrike Detection and Protection

The Falcon platform unifies cloud security to deliver comprehensive protection to its customers from any attacks on Kubernetes, cloud or hybrid infrastructure.

The Falcon platform, with its machine learning models, detects and prevents runtime threats to the cloud, Kubernetes or serverless infrastructure. In the example shown in Figure 4.A, the Falcon platform identifies and detects the child process of PostgreSQL trying to download and launch the xmrig miner in a container. Figure 4.B shows the Falcon platform identifying and killing the malicious process early in the kill chainwhen a malicious file was being downloaded. Figure 4.C shows Falcon platform detecting PostgreSQL mis-configuration at runtime.

Figure 4.A. The Falcon platform detecting and alerting on each stage of the kill chain

Figure 4.B. The Falcon platform killing the wget process that is used to download malware

Figure 4.C. The Falcon platform detecting an insecure PostgreSQL configuration using the environment variable (click to enlarge)

The Falcon platform takes a defense-in-depth approach to protecting customers by leveraging incoming telemetry to power detection and provide real-time mitigation. It includes the following indicators, which are used to detect cryptojacking attempts like the ones discussed:

1. Container drift prevention
2. Rogue container running on your Docker instance
3. Misconfigured Kubernetes or Docker instance

Public cloud managed services for PostgreSQL are not vulnerable to this misconfiguration. CrowdStrike Falcon Horizon cloud security posture management enables DevOps practitioners to keep applications like PostgreSQL secure by proactively monitoring, identifying misconfigurations and ensuring compliance in the public cloud infrastructure. The following table is a list of Falcon Horizon indicators of misconfigurations (IOMs) for PostgreSQL that help identify security gaps.

MITRE for Defending Infrastructure as a Service (IaaS)

Crowdstrike has teamed up with MITRE Engenuity Center for Threat-Informed Defenseto develop ATT&CK Defense for IaaS. This project’s goal was to develop effective methods and strategies for defending against adversaries attacking IaaS across the cloud, containers and Linux aaS. Because the most popular technique used by attackers to get initial access into cloud infrastructure is to exploit a public-facing application like postgreSQL, it’s paramount to assess the internet exposure of your enterprise application and subsequently follow best practices to secure them.

Best Practices for Securing PostgreSQL

Securing a PostgreSQL workload requires a combination of good configuration practices and regular monitoring. Here are some general guidelines for securely deploying PostgreSQL in cloud and Kubernetes environments:

1. Use the latest version of PostgreSQL and install necessary patches.
2. Use a strong password when using password-based authentication methods.
3. Apply appropriate permission to secure configuration files like pg_hba.conf.
4. Enable SSL/TLS to secure the connection between the client and the PostgreSQL service.
5. Audit users and their security roles and follow the principle of least privilege.
6. Use Kubernetes namespace’d secrets.
7. Run the PostgreSQL service as a non-root user, which will add an additional layer of defense in case of compromise.
8. Limit the container resources available to the PostgreSQL service to an estimate.
9. Monitor hosts and containers for any malicious activity.
10. Use a Zero Trust mechanism to allow required access to the service in the cluster.
11. Use a proactive security solution to identify misconfiguration and vulnerabilities

Summary

Securing PostgreSQL, a popular cloud-based application, is crucial for preventing attacks on your infrastructure. Misconfigurations in PostgreSQL can serve as an entry point for attackers, as seen in cases where cryptojacking groups have taken advantage of such vulnerabilities to mine cryptocurrency for profit. To protect against such breaches, it is important to follow best practices for securing PostgreSQL, actively monitor for misconfigurations and maintain a strong overall security posture.

One of the ways to achieve this is by using a comprehensive cloud security platform such as CrowdStrike’s adversary-focused cloud-native application protection platform (CNAPP), which offers a combination of runtime security and proactive measures, including assessments for IOMs and indicators of attack (IOAs) as well as compliance checks. It also detects and prevents breaches by various types of actors, including cryptojacking hacktivists, eCrime groups and nation-state actors, providing a complete and robust solution for securing your cloud infrastructure.

It is necessary to remind that iIT Distribution provides distribution and promotion of CrowdStrike solutions in Ukraine, Kazakhstan, Uzbekistan, and Georgia and provides professional support in their design and implementation. We always provide the necessary level of information support to our partners and customers for each product, and our experts are ready to advise on any issues related to improving the efficiency of your IT infrastructure and protecting it.