Researchers studying cybersecurity have discovered a new strain of malware called PG_MEM that mines cryptocurrencies by brute forcing its way into PostgreSQL database instances.
According to a technical paper by Aqua security researcher Assaf Morag, “brute-force attacks on Postgres involve repeatedly attempting to guess the database credentials until access is gained, exploiting weak passwords.” “Once accessed, attackers can leverage the COPY ... FROM PROGRAM SQL command to execute arbitrary shell commands on the host, allowing them to perform malicious activities such as data theft or deploying malware.”
The cloud security company found that the attack chain uses improperly configured PostgreSQL databases to gain an administrative foothold in Postgres and then abuses the PROGRAM option of the COPY command to execute shell commands. After a successful brute-force attack, the threat actor performs preliminary reconnaissance and issues commands that strip the “postgres” user of its superuser privileges, limiting what other threat actors who gain access through the same technique can do.
The shell commands are responsible for executing two payloads, PG_MEM and PG_CORE, from a remote server (“128.199.77 [.]96”). These payloads can terminate rival processes such as kinsing, establish persistence on the host, and finally launch the Monero cryptocurrency miner. This is achieved through the PostgreSQL COPY command, which copies data between a file and a database table. Specifically, the attack weaponizes the PROGRAM argument, which causes the server to run the supplied command and store that program's output in the database.
The primary effect is cryptocurrency mining, but, according to Morag, the attacker can also examine data, issue commands, and take control of the server. This attack exploits internet-facing Postgres databases with weak passwords. Weak passwords often stem from misconfiguration: many firms expose their databases to the internet while having inadequate identity measures in place.
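As a defender-side illustration of the signals this attack chain leaves in PostgreSQL server logs, here is an added example (not code from the article or from Aqua's research) that scans log lines for a burst of failed password authentications from one client and for the `COPY ... FROM PROGRAM` and `ALTER ROLE ... NOSUPERUSER` statements described above. It assumes the `log_line_prefix` noted in the code and `log_statement = 'all'`; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log_line_prefix = '%m [%p] %u@%d %h ' so each line carries the client host.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] "
    r"(?P<user>[^@ ]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"password authentication failed")
# COPY ... FROM PROGRAM makes the server run the quoted string as a shell command.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)
# Stripping superuser from the built-in role is the lock-out step the article describes.
NOSUPERUSER_RE = re.compile(r"\bALTER\s+ROLE\b.*\bNOSUPERUSER\b", re.I)

def analyze(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, client_host, detail) findings from PostgreSQL stderr log lines."""
    failures = defaultdict(list)   # client host -> timestamps of recent auth failures
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # continuation lines, other prefixes, etc.
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        host, msg = m["host"], m["msg"]
        if AUTH_FAIL_RE.search(msg):
            # sliding window: keep only this host's failures that fall within `window`
            failures[host] = hits = [t for t in failures[host] if ts - t <= window] + [ts]
            if len(hits) == threshold:   # fire once, when the threshold is crossed
                findings.append(("brute_force", host, f"{threshold} failed logins in {window}"))
        elif msg.startswith("statement:"):   # requires log_statement = 'all'
            sql = msg[len("statement:"):].strip()
            if COPY_PROGRAM_RE.search(sql):
                findings.append(("copy_from_program", host, sql))
            if NOSUPERUSER_RE.search(sql):
                findings.append(("superuser_revoked", host, sql))
    return findings

# Constructed sample log (not from the article): five failed logins from one host, then the
# two statements the article describes, then a benign COPY from a file by another client.
SAMPLE_LOG = """\
2024-08-22 10:00:01.001 UTC [4101] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:02.002 UTC [4102] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:03.003 UTC [4103] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:04.004 UTC [4104] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:05.005 UTC [4105] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:09.006 UTC [4106] postgres@postgres 203.0.113.10 LOG:  statement: COPY tmp FROM PROGRAM 'hostname'
2024-08-22 10:00:10.007 UTC [4106] postgres@postgres 203.0.113.10 LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-22 10:05:00.000 UTC [4200] app@orders 10.0.0.5 LOG:  statement: COPY orders FROM '/tmp/orders.csv'
""".splitlines()
```

Calling `analyze(SAMPLE_LOG)` yields three findings, all attributed to the same client host, while the benign file-based COPY produces none.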