Researchers at Wiz have identified a new cryptojacking campaign that has successfully targeted over 1,500 misconfigured PostgreSQL servers. This campaign, attributed to a group referred to as JINX-0126, exploits weak and easily guessable login credentials to gain unauthorized access to these databases.
Upon infiltrating the servers, the attackers deploy a variant of the notorious XMRig miner, specifically the XMRig-C3. This particular cryptominer is favored for its ability to mine Monero, a cryptocurrency known for its enhanced privacy features, making it significantly harder to trace compared to Bitcoin and other currencies.
Mining Monero
The deployment of a cryptocurrency miner consumes nearly all available computing resources on the infected device, rendering it practically unusable for legitimate tasks. This excessive resource consumption leads to a notable increase in electricity usage, ultimately resulting in inflated utility bills for the victims. Meanwhile, the cybercriminals benefit by receiving Monero directly into their wallets, which they can subsequently convert into US dollars or other cryptocurrencies. Often, these funds are reinvested into further malicious activities.
Wiz’s analysis indicates that this campaign has evolved since its initial documentation by Aqua Security researchers. The threat actors have reportedly implemented additional defensive measures and are now deploying the miner in a fileless manner, enhancing their ability to evade detection.
Interestingly, the researchers noted that each victim is assigned a unique mining worker, allowing for straightforward tracking of compromised devices. Their findings suggest that the campaign has likely affected more than 1,500 devices, highlighting a concerning trend: misconfigured PostgreSQL instances are alarmingly prevalent, presenting an easy target for opportunistic attackers.
Moreover, data from Wiz indicates that nearly 90% of cloud environments host PostgreSQL instances, with approximately one-third of these instances being publicly accessible on the internet. This situation underscores the urgent need for organizations to bolster their security measures and ensure proper configuration of their database systems.