"The first stage is a simple brute force attack. We observe several login attempts to the PostgreSQL database being refused until the brute force attack successfully guesses the honeypot’s username and password (which were intentionally set to be easy to guess)."
After the threat actor successfully guess the user and password, the attack sequence commenced. The following set of SQL commands, were executed: ... "
The first command being creating a role with SUPERUSER privileges which depends the hacked role being a SUPERUSER itself.
So the solution is basic practices:
1) Don't expose the database anymore then necessary. It other words keep access to the instance as restricted as possible, e.g. behind firewall.
Besides deny-by-default firewalls, be strict with pg_hba.conf entries.
