The newly discovered PG_MEM malware targets PostgreSQL databases, exploiting weak passwords to deliver payloads and mine cryptocurrency. Researchers warn that 800,000 publicly accessible instances are vulnerable. Learn how this multi-stage attack works and how to protect your PostgreSQL environment.
Aqua Security's threat research team, Nautilus, has discovered PG_MEM, a new malware that can infiltrate PostgreSQL databases, deliver payloads, and mine cryptocurrency.
PostgreSQL, also known as Postgres, is an open-source relational database management system that researchers observed to be prone to brute-force attacks. These attacks exploit weak passwords resulting from misconfiguration or inadequate identity controls, a common issue in large organizations.
This, according to the company's blog post, allows attackers to gain access to the database and execute arbitrary shell commands by leveraging the COPY ... FROM PROGRAM command, leading to malicious actions such as data theft or malware deployment.
Nautilus researchers identified 800,000 publicly accessible instances of PostgreSQL databases as vulnerable to this malware. The ultimate goal of the attack is to deploy cryptocurrency miners that exploit system resources.
The PG_MEM malware employs a multi-stage attack flow to compromise PostgreSQL databases and deploy cryptocurrency miners. It begins with the attacker launching a brute-force attack against the PostgreSQL database, repeatedly attempting to guess the database credentials. Once this succeeds, the attackers create a new superuser role with elevated privileges. This allows them to maintain access to the database even if the original credentials are changed.
Next, the attacker gathers information about the system, such as the PostgreSQL server version and configuration, to identify potential vulnerabilities and tailor the attack accordingly. The attacker then downloads malicious payloads from a remote server, which typically include cryptocurrency mining software and tools for persistence and evasion.
Researchers noted that two files are downloaded from the attacker's remote server, with the first block of commands aimed at delivering the first payload. The attackers used a temporary table to store code and data, clearing it before and after each command. As soon as the payloads are downloaded onto the compromised system, the cryptocurrency mining software begins to consume system resources to mine cryptocurrency.
The attacker takes steps to ensure persistence, such as creating cron jobs or modifying system configuration files, which allows the malware to keep running even after the system is restarted. Moreover, they evade detection by deleting files and logs related to their malicious activity.
This is concerning because PostgreSQL databases are commonly used for web, mobile, geospatial, and analytics applications. To protect PostgreSQL environments, organizations should monitor for suspicious activity, enforce strong authentication using robust passwords and multi-factor authentication, isolate databases from the network, and use security tools to promptly detect and prevent malicious activity.
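As an added illustration of the "monitor for suspicious activity" advice (example code written for this article, not Aqua's or the PostgreSQL project's), the script below scans PostgreSQL server log lines for the three stages described above: a burst of failed password logins from one host, a role created or altered with SUPERUSER, and a COPY ... FROM PROGRAM statement. It assumes `log_connections = on`, `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %h %u@%d '`; the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample log excerpt (not real PG_MEM traffic); format assumes
# log_line_prefix = '%m [%p] %h %u@%d ' with statement logging enabled.
SAMPLE_LOG = """\
2024-08-20 10:00:01.001 UTC [4101] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.250 UTC [4102] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.500 UTC [4103] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.750 UTC [4104] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.000 UTC [4105] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.300 UTC [4106] 203.0.113.7 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:03.100 UTC [4106] 203.0.113.7 postgres@postgres LOG:  statement: CREATE ROLE svc_backup WITH LOGIN SUPERUSER PASSWORD 'x'
2024-08-20 10:00:04.200 UTC [4106] 203.0.113.7 postgres@postgres LOG:  statement: COPY t FROM PROGRAM 'echo hi'
2024-08-20 10:05:00.000 UTC [4200] 10.0.0.5 app@orders LOG:  statement: SELECT 1
"""

# One log line: timestamp, [pid], client host, user@db, LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<host>\S+) (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
# Server-side command execution primitive used by the attack chain
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)
# New or elevated superuser role used for persistence
SUPERUSER_RE = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)

def parse(text):
    """Return a list of dicts for every line matching the assumed prefix format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_alerts(text, fail_threshold=5):
    """Yield (kind, client_host, detail) tuples; simplified to a per-host count
    rather than a sliding time window so the logic is easy to follow."""
    failures = Counter()
    alerts = []
    for r in parse(text):
        msg = r["msg"]
        if "password authentication failed" in msg:
            failures[r["host"]] += 1
            if failures[r["host"]] == fail_threshold:
                alerts.append(("brute_force", r["host"], f"{fail_threshold} failed logins"))
        elif msg.startswith("statement:"):
            stmt = msg[len("statement:"):].strip()
            if SUPERUSER_RE.search(stmt):
                alerts.append(("superuser_grant", r["host"], stmt))
            if COPY_PROGRAM_RE.search(stmt):
                alerts.append(("copy_from_program", r["host"], stmt))
    return alerts

if __name__ == "__main__":
    for kind, host, detail in find_alerts(SAMPLE_LOG):
        print(f"{kind:18} {host:14} {detail}")
```

In production the same checks would run over a sliding time window and feed a SIEM; pairing them with `REVOKE pg_execute_server_program` from non-administrative roles removes the COPY FROM PROGRAM primitive for those roles entirely.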