Cybersecurity researchers have unpacked a new malware strain dubbed PG_MEM that’s designed to mine cryptocurrency after brute-forcing their way into PostgreSQL database instances.
“Brute-force attacks on Postgres involve repeatedly attempting to guess the database credentials until access is gained, exploiting weak passwords,” Aqua security researcher Assaf Morag said in a technical report.
“Once accessed, attackers can leverage the COPY … FROM PROGRAM SQL command to execute arbitrary shell commands on the host, allowing them to perform malicious activities such as data theft or deploying malware.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The attack chain observed by the cloud security firm entails targeting misconfigured PostgreSQL databases to create an administrator role in Postgres and exploiting a feature called PROGRAM to run shell commands.
In addition, a successful brute-force attack is followed by the threat actor conducting initial reconnaissance and executing commands to strip the “postgres” user of superuser permissions, thereby restricting the privileges of other threat actors who might gain access through the same method.
The shell commands are responsible for dropping two payloads from a remote server (“128.199.77[.]96”), namely PG_MEM and PG_CORE, which are capable of terminating competing processes (e.g., Kinsing), setting up persistence on the host, and ultimately deploying the Monero cryptocurrency miner.
This is accomplished by making use of a PostgreSQL command called COPY, which allows for copying data between a file and a database table. It particularly weaponizes a parameter known as PROGRAM that enables the server to run the passed command and write the program execution results to the table.
“While [cryptocurrency mining] is the main impact, at this point the attacker can also run commands, view data, and control the server,” Morag said.
“This campaign is exploiting internet facing Postgres databases with weak passwords. Many organizations connect their databases to the internet, weak password is a result of a misconfiguration, and lack of proper identity controls.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data