PostgreSQL under attack: PG_MEM turns databases into cryptocurrency farms

A single configuration mistake is enough to make your server a magnet for attackers.

Cybersecurity researchers have uncovered a new piece of malware called PG_MEM that breaks into PostgreSQL databases for cryptocurrency mining. The malware brute-forces database credentials and then carries out its malicious actions.

Assaf Morag, a security specialist at AquaSec, explained in his technical report that attacks on PostgreSQL databases begin with repeated attempts to guess weak passwords. Once a database is compromised, the attackers can execute arbitrary shell commands on the server, allowing them to steal data or install malware.

The identified attack chain targets misconfigured PostgreSQL databases: the attackers create an administrator record and use the PROGRAM parameter of the COPY command to execute shell commands. After a successful break-in, they conduct initial reconnaissance and run commands that deprive the "postgres" user of root privileges, thereby locking out other would-be attackers.

Next, two malicious payloads, PG_MEM and PG_CORE, are downloaded from the attackers' remote server. These programs terminate competing processes such as Kinsing, set up persistent access on the server, and finally deploy a Monero cryptocurrency miner.

The malware abuses the PostgreSQL COPY command, which is normally used to copy data between a file and a database table. Here the attackers rely on its PROGRAM parameter, which makes the server run the supplied command and write its output into the database table.

While the main goal of the identified attacks is cryptocurrency mining, at this stage the attackers can also execute arbitrary system commands, view data, and take control of the server. The campaign targets internet-exposed PostgreSQL databases with weak passwords, which AquaSec attributes to misconfiguration and a lack of proper access controls.

Many organizations connect their databases to the Internet, but weak passwords and a lack of identity protection make them vulnerable to such attacks. To protect your systems, experts recommend regularly updating databases, using strong passwords, and restricting access to servers from the Internet.
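The log-based detection a defender would want for the chain described above (credential brute-forcing, a rogue superuser role, and COPY ... PROGRAM execution), as an added example that is not part of the original article or of AquaSec's report. It assumes PostgreSQL is logging with log_line_prefix = '%m [%p] %h %u@%d ' and log_statement = 'all'; the log lines, host addresses and the role name svc_backup are constructed.

```python
import re
from collections import Counter

# Assumed log_line_prefix = '%m [%p] %h %u@%d ' so every line carries the client host (%h);
# without %h the brute-force rule below cannot group failures by source address.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<host>\S+) (?P<user>[^@\s]+)@(?P<db>\S+) '
    r'(?P<level>[A-Z]+):\s+(?P<msg>.*)$')
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "[^"]+"')
# COPY ... FROM/TO PROGRAM is the server-side command execution path the article describes.
COPY_PROGRAM_RE = re.compile(r'\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b', re.IGNORECASE)
# Superuser grants/revocations cover both the rogue "admin record" and the lock-out of other users.
ROLE_RE = re.compile(r'\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\b(NO)?SUPERUSER\b', re.IGNORECASE)

def analyze(log_text, fail_threshold=5):
    """Return brute-force sources, COPY ... PROGRAM statements and superuser role changes."""
    failures = Counter()
    program_copies, role_changes = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without the expected prefix (e.g. DETAIL continuations) are skipped
        host, level, msg = m.group('host'), m.group('level'), m.group('msg')
        if level == 'FATAL' and AUTH_FAIL_RE.search(msg):
            failures[host] += 1
        elif level == 'LOG' and msg.startswith('statement:'):  # needs log_statement = 'all'
            stmt = msg[len('statement:'):].strip()
            if COPY_PROGRAM_RE.search(stmt):
                program_copies.append((host, stmt))
            if ROLE_RE.search(stmt):
                role_changes.append((host, stmt))
    return {'brute_force': {h: n for h, n in failures.items() if n >= fail_threshold},
            'program_copy': program_copies, 'role_changes': role_changes}

# Constructed sample log (documentation IP ranges); not taken from any real incident.
SAMPLE_LOG = """\
2024-08-20 10:01:02.111 UTC [2231] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:01:02.601 UTC [2232] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:01:03.102 UTC [2233] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:01:03.555 UTC [2234] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:01:04.020 UTC [2235] 203.0.113.7 postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:01:04.700 UTC [2236] 203.0.113.7 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:01:05.010 UTC [2236] 203.0.113.7 postgres@postgres LOG:  statement: CREATE ROLE svc_backup LOGIN SUPERUSER PASSWORD '<redacted>'
2024-08-20 10:01:05.330 UTC [2236] 203.0.113.7 postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM 'id'
2024-08-20 10:02:00.000 UTC [2240] 198.51.100.9 app@orders LOG:  statement: COPY orders TO '/tmp/orders.csv' CSV
2024-08-20 10:02:10.000 UTC [2241] 198.51.100.9 app@orders FATAL:  password authentication failed for user "app"
"""
```

Calling `analyze(SAMPLE_LOG)` flags 203.0.113.7 for five failed logins followed by a superuser role creation and a COPY ... FROM PROGRAM statement, while the ordinary file COPY and the single failure from 198.51.100.9 are left alone.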
