Over 1,500 PostgreSQL Servers Hit by Fileless Malware Attack

A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, using fileless techniques to deploy cryptomining payloads. The attack, uncovered by Wiz Threat Research and attributed to the threat actor group JINX-0126, targets publicly exposed PostgreSQL instances configured with weak or default credentials. Using those credentials, the attackers run XMRig-C3 cryptominers without writing detectable files to the system.

Fileless Payloads Evade Detection

The campaign showcases advanced evasion tactics, including the deployment of binaries with unique hashes tailored for each target and the fileless execution of the miner payload. These strategies are specifically designed to circumvent traditional security solutions that depend on file hash reputation for detection. Additionally, the attackers assign unique mining worker IDs to each compromised server, complicating detection efforts further.

Analysis of the campaign revealed that the attackers abuse PostgreSQL's COPY ... FROM PROGRAM command, which executes a shell command on the database host, to drop and run malicious payloads. Once access is gained, they run system discovery commands such as whoami and uname, then deploy a dropper script that kills competing cryptominers and installs their own malware.
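As an added example (not code from the Wiz report or this article), the following Python scans PostgreSQL statement logs for the COPY ... FROM PROGRAM abuse described above and flags the recon commands it names. The log lines, the assumed log format (default log_line_prefix with log_statement = 'mod') and the discovery-command list are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape PostgreSQL writes with
# log_statement = 'mod' (which covers COPY FROM) and the default
# log_line_prefix '%m [%p] '; they are not real captures.
SAMPLE_LOG = """\
2025-04-01 10:15:02.113 UTC [4121] LOG:  statement: SELECT version();
2025-04-01 10:15:04.870 UTC [4121] LOG:  statement: COPY tmp FROM PROGRAM 'whoami';
2025-04-01 10:15:05.201 UTC [4121] LOG:  statement: copy tmp from program 'uname -a';
2025-04-01 10:15:09.552 UTC [4121] LOG:  statement: COPY data FROM '/tmp/import.csv';
2025-04-01 10:15:12.004 UTC [4133] LOG:  statement: INSERT INTO orders VALUES (1, 'x');
"""

STATEMENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... FROM/TO PROGRAM '<shell command>' is the server-side execution
# primitive the campaign abuses. Case- and whitespace-tolerant; it does not
# attempt to see through comment-based obfuscation of the keywords.
PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# Host-discovery commands named in the write-up as the attacker's first step.
DISCOVERY = {"whoami", "uname", "id"}

@dataclass
class Finding:
    ts: str
    pid: int
    command: str      # shell command handed to the database host's shell
    discovery: bool   # True when it is a recon command such as whoami/uname

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per COPY ... PROGRAM statement in the log text."""
    findings = []
    for line in text.splitlines():
        m = STATEMENT_RE.match(line)
        if not m:
            continue
        p = PROGRAM_RE.search(m.group("sql"))
        if not p:
            continue
        cmd = p.group("cmd").replace("''", "'")   # undo SQL quote doubling
        first = cmd.split()[0] if cmd.split() else ""
        findings.append(Finding(m.group("ts"), int(m.group("pid")), cmd, first in DISCOVERY))
    return findings
```

A plain COPY FROM a file path (line four of the sample) is deliberately not flagged, so the output is only statements that reached the host shell.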

Technical Details of the Attack

The malware includes a binary named “postmaster,” which mimics the legitimate PostgreSQL process of the same name to avoid detection. The binary is packed and obfuscated and carries an encrypted configuration, which hampers analysis. For persistence it creates cron jobs that run it regularly, and it modifies PostgreSQL configuration files to block external access while keeping communication with internal networks open. A secondary binary named “cpu_hu” carries out the cryptomining itself. It runs filelessly, executing from memory, which further minimizes its footprint on the compromised system. Both binaries are customized for each victim, with unique configurations embedded in their code to improve operational efficiency and evade detection.

Widespread Impact Across Cloud Environments

This campaign underscores the widespread vulnerability of cloud-hosted PostgreSQL instances. Wiz’s research indicates that nearly 90% of cloud environments host PostgreSQL databases, with approximately one-third of these being publicly exposed. Such misconfigurations provide an easy entry point for opportunistic attackers like JINX-0126. By analyzing wallets associated with the campaign on C3Pool, researchers estimated that each wallet had around 550 active mining workers, confirming the extensive scale of the attack across more than 1,500 servers globally.

According to the report, organizations must implement robust security configurations for their PostgreSQL instances to counter such threats. This includes removing public exposure and enforcing strong authentication. Tools like Wiz Dynamic Scanner can identify exposed instances and detect weak credentials within cloud environments. Additionally, runtime sensors can monitor for suspicious activity indicative of such attacks, from initial exploitation to fileless cryptomining. This incident highlights the critical need for proactive database security measures in cloud environments to prevent exploitation by increasingly sophisticated threat actors.

Tech Optimizer