Cybersecurity researchers at Aqua Nautilus have recently identified a sophisticated malware strain known as PG_MEM, specifically targeting PostgreSQL databases. This malware employs brute force techniques to infiltrate systems, camouflages itself within legitimate PostgreSQL processes, and ultimately facilitates data theft while simultaneously mining cryptocurrency. The following sections explore the intricate mechanisms of PG_MEM, its attack flow, and the broader implications for database security.
Understanding PostgreSQL and Brute Force Attacks
PostgreSQL, often referred to as Postgres, is a widely-used open-source relational database management system celebrated for its flexibility and reliability. However, its popularity renders it an attractive target for cybercriminals, as highlighted in a report by Aqua Nautilus. Brute force attacks on PostgreSQL involve relentless attempts to guess database credentials, exploiting weak passwords until access is achieved. Once inside, attackers can execute arbitrary shell commands using the COPY … FROM PROGRAM SQL command, enabling a range of malicious activities, including data theft and malware deployment.
The Attack Flow of PG_MEM
Stage 1: Brute Force Attack
The initial phase of the PG_MEM attack is characterized by a brute-force effort to breach the PostgreSQL database. This stage involves numerous login attempts until the attacker successfully guesses the username and password. Upon gaining access, the attacker can execute commands and manipulate the database environment.
Stage 2: Gaining Persistence
Once access is secured, the attacker creates a superuser role within the database, ensuring continued control and evasion of detection. This process involves executing SQL commands to manipulate user roles and privileges, allowing the attacker to maintain access while restricting others.
Stage 3: System Discovery and Payload Delivery
In this stage, the attacker collects system information and delivers malicious payloads by leveraging PostgreSQL’s ability to run shell commands. Two files, including the PG_Core malware, are downloaded from the attacker’s remote server and executed to mine cryptocurrency. The malware is disguised and launched through encoded commands to evade detection.
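The three stages above each leave a trace in the PostgreSQL server log: a burst of failed password authentications, a login from the host that produced that burst, a CREATE/ALTER ROLE carrying SUPERUSER, and a COPY ... FROM PROGRAM statement (which PostgreSQL only permits to superusers and members of pg_execute_server_program, so the stage-2 role creation is what makes stage 3 possible). The following detection script is an added example, not code from the Aqua Nautilus report or from PG_MEM; the log excerpt is constructed, and it assumes log_connections = on, log_statement = 'all' and a non-default log_line_prefix of '%m [%p] %u@%d %h ' so that the client address appears on every line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PostgreSQL log excerpt (not from the Aqua report). Assumes
# log_connections = on, log_statement = 'all' and the non-default prefix
# log_line_prefix = '%m [%p] %u@%d %h '. 203.0.113.7 is a documentation-range
# address standing in for the attacking host; 10.0.0.5 is a legitimate client.
SAMPLE_LOG = """\
2024-08-20 10:00:00.000 UTC [4101] app@inventory 10.0.0.5 LOG:  connection authorized: user=app database=inventory
2024-08-20 10:00:01.000 UTC [4101] app@inventory 10.0.0.5 LOG:  statement: SELECT count(*) FROM orders
2024-08-20 10:00:02.000 UTC [4110] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:03.000 UTC [4111] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:04.000 UTC [4112] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:05.000 UTC [4113] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:06.000 UTC [4114] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:07.000 UTC [4115] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:08.000 UTC [4115] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE svc_backup WITH SUPERUSER LOGIN
2024-08-20 10:00:09.000 UTC [4115] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'id'
2024-08-20 10:05:00.000 UTC [4120] app@inventory 10.0.0.5 FATAL:  password authentication failed for user "app"
""".splitlines()

# Prefix fields as produced by the assumed log_line_prefix, then "LEVEL:  message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ \[\d+\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAILED = re.compile(r'password authentication failed for user "([^"]+)"')
SUPERUSER_GRANT = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)
COPY_PROGRAM = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)


def parse_line(line):
    """Split one log line into prefix fields and message; None if it does not match the assumed prefix."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def scan_log(lines, fail_threshold=5, window=timedelta(minutes=1)):
    """Return alerts for the attack stages visible in the server log:
    a burst of failed logins from one host (stage 1), a later successful login
    from that host, a superuser role being created or granted (stage 2), and
    COPY ... FROM PROGRAM (stage 3). Threshold and window are assumed values."""
    alerts = []
    recent_failures = defaultdict(list)   # client host -> failure timestamps inside the sliding window
    flagged_hosts = set()

    def alert(kind, rec, detail):
        alerts.append({"kind": kind, "host": rec["host"], "user": rec["user"],
                       "ts": rec["ts"], "detail": detail})

    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] == "FATAL" and AUTH_FAILED.search(msg):
            # Drop failures that fell out of the window, then count this one.
            bucket = [t for t in recent_failures[rec["host"]] if rec["ts"] - t <= window]
            bucket.append(rec["ts"])
            recent_failures[rec["host"]] = bucket
            if len(bucket) >= fail_threshold and rec["host"] not in flagged_hosts:
                flagged_hosts.add(rec["host"])
                alert("brute_force", rec, f"{len(bucket)} failed logins within {window}")
        elif msg.startswith("connection authorized") and rec["host"] in flagged_hosts:
            alert("login_after_brute_force", rec, msg)
        elif msg.startswith("statement:"):
            stmt = msg[len("statement:"):].strip()
            if SUPERUSER_GRANT.search(stmt):
                alert("superuser_role", rec, stmt)
            if COPY_PROGRAM.search(stmt):
                alert("copy_from_program", rec, stmt)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['kind']:24} host={a['host']} user={a['user']} :: {a['detail']}")
```

Run against the constructed excerpt it raises four alerts, all for 203.0.113.7, in the order the stages occur; the single failed login from the legitimate client stays below the threshold. The "login_after_brute_force" alert is the one worth paging on: a burst of failures alone is background noise on any exposed server, but a success from the same host means the credential was weak enough to fall.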
The Role of PG_MEM in Cryptocurrency Mining
PG_MEM functions as a dropper for the XMRIG cryptocurrency miner. Once deployed, the miner consumes the compromised host’s processing resources to mine cryptocurrency. The attacker establishes persistence by creating cron jobs that ensure PG_MEM keeps running, thereby maintaining control over the compromised server.
Exposed PostgreSQL Servers: A Growing Concern
The emergence of PG_MEM underscores the vulnerabilities associated with exposed PostgreSQL servers. A search on Shodan, a search engine for Internet-connected devices, revealed over 800,000 publicly accessible PostgreSQL databases. This alarming statistic highlights the urgent necessity for robust security measures to defend against such attacks.
The PG_MEM attack aligns with various techniques outlined in the MITRE ATT&CK framework, including exploiting public-facing applications, executing command and scripting interpreters, manipulating accounts, and hijacking resources. Understanding these techniques is crucial for developing effective defense strategies.
Organizations must adopt a defense-in-depth approach to protect against PG_MEM and similar threats. This strategy includes implementing strong password policies, conducting regular security audits, and utilizing runtime detection and response tools like Aqua’s Runtime Protection. Such tools can identify suspicious behavior in real-time, offering vital insights into potential vulnerabilities.
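The 800,000 Internet-reachable servers counted above are, in most cases, a pg_hba.conf problem: a rule that accepts any address, a weak or absent authentication method, or a plain "host" line that permits non-TLS connections. The audit script below is an added example, not Aqua's Runtime Protection or any other product; the configuration excerpt is constructed, and the severity assignments are this example's own choices rather than anything stated in the report.

```python
import ipaddress

# Constructed pg_hba.conf excerpt (not taken from any real deployment) with one
# deliberately weak rule per problem the audit looks for.
SAMPLE_HBA = """\
# TYPE   DATABASE   USER       ADDRESS         METHOD
local    all        all                        peer
host     all        all        127.0.0.1/32    scram-sha-256
host     all        all        0.0.0.0/0       md5
host     all        all        0.0.0.0/0       trust
hostssl  inventory  app        10.0.0.0/8      scram-sha-256
host     all        postgres   0.0.0.0/0       password
"""


def parse_hba(text):
    """Yield (line_no, type, database, user, address, method) for each active rule.
    Accepts both the CIDR form and the separate-netmask form of ADDRESS;
    options after METHOD are ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue                        # blank, comment, or malformed line
        rtype, database, user = fields[0], fields[1], fields[2]
        if rtype == "local":                # Unix-socket rule: no ADDRESS column
            yield line_no, rtype, database, user, None, fields[3]
            continue
        if len(fields) < 5:
            continue
        address, rest = fields[3], fields[4:]
        try:                                # "192.168.0.0 255.255.255.0 md5" -> "192.168.0.0/255.255.255.0"
            ipaddress.ip_address(rest[0])
            address, rest = f"{address}/{rest[0]}", rest[1:]
        except ValueError:
            pass
        if rest:
            yield line_no, rtype, database, user, address, rest[0]


def is_wide_open(address):
    """True when the rule accepts connections from any address."""
    if address is None:
        return False
    if address.lower() in ("all", "0.0.0.0/0", "::/0"):
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:                      # hostnames, samehost, samenet
        return False


def audit_hba(text):
    """Return findings for rules that would let a remote brute-force succeed cheaply.
    Severities are this example's own assumed scale."""
    findings = []

    def flag(line_no, severity, message):
        findings.append({"line": line_no, "severity": severity, "message": message})

    for line_no, rtype, database, user, address, method in parse_hba(text):
        if method == "trust" and rtype != "local":
            flag(line_no, "critical", "trust: network clients are never asked for a password")
        elif method == "password":
            flag(line_no, "high", "password: credentials sent in cleartext; use scram-sha-256")
        elif method == "md5":
            flag(line_no, "medium", "md5: weaker than scram-sha-256")
        if is_wide_open(address):
            flag(line_no, "high", f"rule for user '{user}' reachable from any address; restrict ADDRESS to known networks")
        if rtype == "host" and is_wide_open(address):
            flag(line_no, "low", "plain 'host' permits non-TLS connections; use hostssl")
    return findings


if __name__ == "__main__":
    for f in audit_hba(SAMPLE_HBA):
        print(f"line {f['line']:>3} [{f['severity']:8}] {f['message']}")
```

On the constructed file the loopback and hostssl rules pass clean, while the three 0.0.0.0/0 rules collect nine findings between them; the trust rule is the one that turns a brute-force attack into a simple connect. Pair this with a strong password policy for the roles that remain reachable, since scram-sha-256 only slows a guessing attack, it does not stop one against a weak password.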
As cyber threats continue to evolve, the PG_MEM malware, which combines data theft with cryptocurrency mining, presents a sophisticated challenge to PostgreSQL databases. By comprehending the tactics employed by attackers and reinforcing defenses, organizations can protect their critical data and maintain operational integrity.