Malware Infects Databases With Vulnerable Passwords to Install Crypto Mining Software | Live Bitcoin News

In a concerning development for the cybersecurity landscape, a new strain of malware has emerged, targeting PostgreSQL-enabled internet-connected devices. This untraceable mining malware, identified as PG_MEM, is capable of infecting approximately 800,000 databases, with a significant concentration in the United States and Poland.

According to a recent blog post by Aqua Security, the malware exploits weak passwords to gain unauthorized access to PostgreSQL databases. Once inside, it installs two files that effectively commandeer the database’s resources, transforming them into a network for cryptocurrency mining. This process not only siphons off computing power but also cleverly conceals its operations to evade detection.

The modus operandi of the attackers involves brute-forcing their way into these databases by guessing passwords, a method that underscores the vulnerabilities associated with poor password management. The installed files not only facilitate mining activities but also create barriers against other potential intruders, ensuring that the compromised databases remain under the control of the original attackers.
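One way to spot the password-guessing pattern described above in a server's own logs, added here as an example (it is not code from Aqua Security or from this article): it correlates PostgreSQL `connection received` and `password authentication failed` messages by backend PID, flags hosts with repeated failures, and separately reports any successful login from such a host. The log lines are constructed; the example assumes `log_connections = on` with the default `log_line_prefix`, and the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: default log_line_prefix '%m [%p] ' with log_connections = on.
SAMPLE_LOG = """\
2024-08-20 10:15:01.101 UTC [4242] LOG:  connection received: host=203.0.113.7 port=51234
2024-08-20 10:15:01.130 UTC [4242] FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:01.502 UTC [4243] LOG:  connection received: host=203.0.113.7 port=51240
2024-08-20 10:15:01.531 UTC [4243] FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:01.904 UTC [4244] LOG:  connection received: host=203.0.113.7 port=51246
2024-08-20 10:15:01.933 UTC [4244] FATAL:  password authentication failed for user "admin"
2024-08-20 10:15:02.100 UTC [4245] LOG:  connection received: host=198.51.100.20 port=40112
2024-08-20 10:15:02.128 UTC [4245] FATAL:  password authentication failed for user "app"
2024-08-20 10:15:02.306 UTC [4246] LOG:  connection received: host=203.0.113.7 port=51252
2024-08-20 10:15:02.340 UTC [4246] LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:15:09.811 UTC [4247] LOG:  connection received: host=198.51.100.20 port=40118
2024-08-20 10:15:09.840 UTC [4247] LOG:  connection authorized: user=app database=appdb
"""

CONN_RE = re.compile(r"\[(\d+)\] LOG:\s+connection received: host=(\S+)")
FAIL_RE = re.compile(r'\[(\d+)\] FATAL:\s+password authentication failed for user "([^"]+)"')
OK_RE = re.compile(r"\[(\d+)\] LOG:\s+connection authorized: user=(\S+)")

def analyze(log_text, threshold=3):
    """Return (suspect hosts -> usernames tried, logins that followed >= threshold failures)."""
    pid_host = {}             # backend PID -> client host of its connection
    failures = Counter()      # client host -> failed password attempts
    users = defaultdict(set)  # client host -> usernames it tried
    alerts = []               # (host, user, prior failures) for likely guessed passwords
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            pid_host[m.group(1)] = m.group(2)  # PIDs get reused; latest mapping wins
        elif m := FAIL_RE.search(line):
            host = pid_host.get(m.group(1), "unknown")
            failures[host] += 1
            users[host].add(m.group(2))
        elif m := OK_RE.search(line):
            host = pid_host.get(m.group(1), "unknown")
            if failures[host] >= threshold:
                alerts.append((host, m.group(2), failures[host]))
    suspects = {h: sorted(users[h]) for h, n in failures.items() if n >= threshold}
    return suspects, alerts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A successful login in the second list is the entry to act on first: it suggests a guessed password rather than a failed attempt, so that role's credentials and the host's recent activity need review.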

Postgres Hacks Are Not Uncommon

Aqua Security highlights a troubling trend: many organizations expose their PostgreSQL databases to the internet, often due to misconfigurations and inadequate identity controls. The blog notes, “This campaign is exploiting internet-facing Postgres databases with weak passwords. This is not a rare issue, and many large organizations suffer from these problems.”

The motivation behind such cryptojacking schemes is clear; by harnessing additional resources, attackers can significantly enhance their chances of mining cryptocurrency blocks, thereby increasing their potential rewards. Alarmingly, the first half of 2024 has seen a staggering 400% rise in such attacks, indicating a growing trend in the exploitation of database vulnerabilities.
