Recent Developments in PostgreSQL Attacks
In a concerning trend, over 1,500 PostgreSQL instances exposed to the internet have fallen victim to a sophisticated cryptocurrency mining malware campaign known as JINX-0126. This campaign represents a notable evolution from the earlier PG_MEM malware activities first identified by Aqua Security in August.
According to reports from The Hacker News, attackers are leveraging weak credentials to gain unauthorized access to PostgreSQL servers. Once inside, they abuse the SQL command “COPY … FROM PROGRAM”, which allows arbitrary command execution and reconnaissance on the host. This initial infiltration paves the way for deploying a shell script that terminates existing cryptominers and subsequently delivers the pg_core binary.
Following this, a Golang binary masquerading as the PostgreSQL multi-user database server, referred to as “postmaster,” is downloaded. This step is crucial for establishing persistence, escalating privileges, and facilitating the download and execution of the latest variant of the XMRig cryptominer.
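As an added illustration for defenders (not code from the article or from the researchers it cites), the following Python check flags “COPY … FROM PROGRAM” and “COPY … TO PROGRAM” statements in PostgreSQL statement logs, which is the first step of the chain described above. It assumes statement logging is enabled and a log_line_prefix of '%t [%p] %u@%d '; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Assumed log_line_prefix = '%t [%p] %u@%d ' followed by "LOG:  statement: <sql>";
# adjust LINE_RE to match your own prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... FROM PROGRAM / TO PROGRAM runs a shell command as the server's OS user;
# only superusers or members of pg_execute_server_program may legitimately use it.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    user: str
    db: str
    direction: str  # "FROM" or "TO"
    sql: str


def scan_postgres_log(lines):
    """Return one Finding per logged statement that invokes COPY ... PROGRAM."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line in the assumed format
        sql = m.group("sql")
        hit = PROGRAM_RE.search(sql)
        if hit:
            findings.append(Finding(m.group("user"), m.group("db"), hit.group(1).upper(), sql))
    return findings


# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = """\
2024-01-01 10:00:00 UTC [1234] app@shop LOG:  statement: SELECT id FROM orders WHERE id = 1
2024-01-01 10:00:05 UTC [1240] postgres@postgres LOG:  statement: copy scratch from program 'echo probe'
2024-01-01 10:00:06 UTC [1240] postgres@postgres LOG:  statement: COPY scratch FROM '/tmp/data.csv'
2024-01-01 10:00:07 UTC [1251] app@shop LOG:  statement: COPY (SELECT 1) TO PROGRAM 'cat'
""".splitlines()

if __name__ == "__main__":
    for f in scan_postgres_log(SAMPLE_LOG):
        print(f"ALERT {f.user}@{f.db} COPY {f.direction} PROGRAM: {f.sql}")
```

A plain COPY from a file path (third sample line) is not flagged; only the PROGRAM form, which executes a command, produces an alert.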
Wiz researchers have noted that JINX-0126 has significantly advanced its tactics, incorporating defense evasion techniques. These include deploying binaries with unique hashes tailored to each target and executing the miner payload in a fileless manner. Such strategies are designed to circumvent detection by cloud workload protection platforms that rely predominantly on file hash reputation.
As the landscape of cyber threats continues to evolve, it becomes increasingly essential for organizations to bolster their identity security measures and remain vigilant against these sophisticated attack vectors.