Cybersecurity researchers have unpacked a brand new malware pressure dubbed PG_MEM that is designed to mine cryptocurrency after brute-forcing their method into PostgreSQL database cases.
“Brute-force assaults on Postgres contain repeatedly making an attempt to guess the database credentials till entry is gained, exploiting weak passwords,” Aqua security researcher Assaf Morag mentioned in a technical report.
“As soon as accessed, attackers can leverage the COPY … FROM PROGRAM SQL command to execute arbitrary shell instructions on the host, permitting them to carry out malicious actions corresponding to information theft or deploying malware.”
The assault chain noticed by the cloud security agency entails concentrating on misconfigured PostgreSQL databases to create an administrator position in Postgres and exploiting a function referred to as PROGRAM to run shell instructions.
As well as, a profitable brute-force assault is adopted by the menace actor conducting preliminary reconnaissance and executing instructions to strip the “postgres” consumer of superuser permissions, thereby proscribing the privileges of different menace actors who would possibly achieve entry by means of the identical technique.
The shell instructions are chargeable for dropping two payloads from a distant server (“128.199.77[.]96”), specifically PG_MEM and PG_CORE, that are able to terminating competing processes (e.g., Kinsing), organising persistence on the host, and in the end deploying the Monero cryptocurrency miner.
That is achieved by making use of a PostgreSQL command referred to as COPY, which permits for copying information between a file and a database desk. It notably weaponizes a parameter generally known as PROGRAM that allows the server to run the handed command and write this system execution outcomes to the desk.
“Whereas [cryptocurrency mining] is the principle influence, at this level the attacker also can run instructions, view information, and management the server,” Morag mentioned.
“This marketing campaign is exploiting web dealing with Postgres databases with weak passwords. Many organizations join their databases to the web, weak password is a results of a misconfiguration, and lack of correct id controls.”
