August 22, 2024 at 12:48AM
Cybersecurity researchers have discovered a new malware, PG_MEM, targeting PostgreSQL databases. The malware gains access by brute-forcing weak passwords on exposed database instances, then carries out malicious activity on the host and deploys a cryptocurrency miner. The attack underscores the risks of misconfigured and weakly protected internet-facing databases.
Key Takeaways from the Meeting Notes:
1. A new malware strain named PG_MEM has been identified, designed to mine cryptocurrency by brute-forcing its way into PostgreSQL database instances.
2. Brute-force attacks on Postgres involve repeated attempts to guess the database credentials until access is gained, exploiting weak passwords.
3. Once access is gained, attackers can execute arbitrary shell commands on the host, allowing for malicious activities such as data theft or deploying malware.
4. The attack chain involves targeting misconfigured PostgreSQL databases to create an administrator role and abusing the PROGRAM option of the COPY command to run shell commands.
5. Successful brute-force attacks are followed by initial reconnaissance and executing commands to strip the “postgres” user of superuser permissions.
6. The attack drops two payloads from a remote server, PG_MEM and PG_CORE, capable of terminating competing processes, setting up persistence on the host, and deploying the Monero cryptocurrency miner.
7. The attack abuses the PostgreSQL COPY command to execute shell commands and write their output into a table.
8. Because of weak passwords and misconfigured internet-facing Postgres databases, the attacker can run commands, view data, and control the server.
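The takeaways above describe three observable stages of this attack: a burst of failed logins, a successful login from the same source, and privileged statements (COPY ... FROM/TO PROGRAM, and an ALTER ROLE that strips the postgres user of superuser). The following is an added example, not code from the article or from the researchers who reported PG_MEM, showing how a defender could flag each stage in PostgreSQL server logs. It assumes a log_line_prefix that emits a timestamp, backend pid, user@database and client host, and that log_statement is set so that DDL and COPY statements are logged; the log lines are constructed samples, and the executed command is a redacted placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of PostgreSQL server log lines (not real captures).
# Assumed prefix format: "<timestamp> UTC [<pid>] <user>@<db> <client-host> <LEVEL>:  <message>"
SAMPLE_LOG = """\
2024-08-21 23:55:01 UTC [1201] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-21 23:55:02 UTC [1202] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-21 23:55:02 UTC [1203] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-21 23:55:02 UTC [1300] app@inventory 198.51.100.4 FATAL:  password authentication failed for user "app"
2024-08-21 23:55:03 UTC [1204] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-21 23:55:03 UTC [1205] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-21 23:55:04 UTC [1206] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-08-21 23:55:04 UTC [1301] app@inventory 198.51.100.4 LOG:  statement: SELECT count(*) FROM items
2024-08-21 23:55:05 UTC [1206] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM '<redacted command>'
2024-08-21 23:55:06 UTC [1206] postgres@postgres 203.0.113.7 LOG:  statement: ALTER ROLE postgres NOSUPERUSER
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")
# COPY ... FROM PROGRAM / COPY ... TO PROGRAM hands a command to the server's shell.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)
# Stripping superuser from the built-in postgres role is the lockout step described in the write-up.
NOSUPERUSER_RE = re.compile(r"\bALTER\s+ROLE\b.*\bNOSUPERUSER\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts, in log order, for the three stages of a PG_MEM-style intrusion.

    brute_force            : >= threshold failed logins from one host inside `window`
    login_after_brute_force: a successful login from a host already flagged
    copy_program           : a COPY ... FROM/TO PROGRAM statement (shell execution)
    alter_role_nosuperuser : ALTER ROLE ... NOSUPERUSER (locking out the real admin)
    """
    alerts = []
    failures = defaultdict(list)  # client host -> timestamps of recent failed logins
    flagged_hosts = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, msg, ts = rec["host"], rec["msg"], rec["ts"]
        if AUTH_FAIL_RE.search(msg):
            stamps = failures[host]
            stamps.append(ts)
            while stamps and ts - stamps[0] > window:  # keep only failures inside the window
                stamps.pop(0)
            if len(stamps) >= threshold and host not in flagged_hosts:
                flagged_hosts.add(host)
                alerts.append({"kind": "brute_force", "host": host, "count": len(stamps), "ts": ts})
        elif AUTH_OK_RE.search(msg):
            if host in flagged_hosts:
                user = AUTH_OK_RE.search(msg).group("user")
                alerts.append({"kind": "login_after_brute_force", "host": host, "user": user, "ts": ts})
        elif rec["level"] == "LOG" and msg.startswith("statement:"):
            stmt = msg[len("statement:"):].strip()
            if COPY_PROGRAM_RE.search(stmt):
                alerts.append({"kind": "copy_program", "host": host, "user": rec["user"], "ts": ts})
            elif NOSUPERUSER_RE.search(stmt):
                alerts.append({"kind": "alter_role_nosuperuser", "host": host, "user": rec["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample above the detector raises one alert per stage for 203.0.113.7 and nothing for the single failed login and routine SELECT from 198.51.100.4. Two points worth noting for the mitigation side: COPY naming a file or program is only permitted to superusers and to members of the pg_execute_server_program (or pg_read_server_files / pg_write_server_files) roles, so keeping superuser and those role memberships to a minimum shrinks what a stolen password can do, and restricting which hosts may connect in pg_hba.conf removes the exposed-to-the-internet precondition the article highlights.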