A picture got my PostgreSQL database to start mining Monero
We just saw an interesting attack technique applied to one of our PostgreSQL servers. After logging into the database, the attacker continued to create different payloads, implement evasion techniques through embedded binaries in a downloaded image, extract payloads to disk and trigger remote code execution of these payloads. Like so many attacks we’ve witnessed lately, it ended up with the attacker utilizing the server’s resources for cryptomining Monero.
As if this wasn’t enough, the attack vector was a picture of Scarlett Johannsson. Alright then. Let’s take a deep dive into the attack!