.webp?w=1600&resize=1600,900&ssl=1 "A Malware Disguise in Postgres Processes to Steal Information")
Cybersecurity researchers at Aqua Nautilus have uncovered a brand new malware named PG_MEM that targets PostgreSQL databases.
This subtle malware employs brute power assaults to achieve entry, hides inside reliable PostgreSQL processes, and finally steals information whereas mining cryptocurrency.
This text delves into the intricate workings of PG_MEM, its assault move, and its implications for database safety.
Understanding PostgreSQL and Brute Pressure Assaults
PostgreSQL, generally referred to as Postgres, is a strong open-source relational database administration system recognized for its flexibility and reliability.
Nevertheless, its reputation additionally makes it a goal for cybercriminals, as per a report by Aqua Nautilus. Brute power assaults on PostgreSQL contain repeatedly making an attempt to guess database credentials till entry is gained, exploiting weak passwords.
As soon as inside, attackers can execute arbitrary shell instructions utilizing the COPY … FROM PROGRAM SQL command, enabling them to carry out malicious actions equivalent to information theft or deploying malware.
The Assault Circulation of PG_MEM
Stage 1: Brute Pressure Assault
The preliminary stage of the PG_MEM assault entails a brute-force try to achieve entry to the PostgreSQL database.
This entails quite a few login makes an attempt till the attacker efficiently guesses the username and password.
As soon as entry is gained, the attacker can execute instructions and manipulate the database setting. Failed Brute Pressure Try
Are You From SOC/DFIR Groups? - Strive Superior Malware and Phishing Evaluation With ANY.RUN -14-day free trial
Stage 2: Gaining Persistence
After gaining entry, the attacker creates a superuser position within the database, permitting them to take care of management and evade detection.
This entails executing SQL instructions to control person roles and privileges, making certain the attacker retains entry whereas limiting others. Making a Superuser Backdoor
Stage 3: System Discovery and Payload Supply
The attacker gathers system info and delivers malicious payloads by exploiting PostgreSQL’s options.
Two recordsdata, together with the PG_Core malware, have been downloaded from the attacker’s distant server and executed to mine cryptocurrency.
The malware is cleverly disguised and executed utilizing encoded instructions to keep away from detection.
The Position of PG_MEM in Cryptocurrency Mining
PG_MEM acts as a dropper for a cryptocurrency miner referred to as XMRIG. As soon as deployed, it optimizes the mining operation by leveraging the system’s assets.
The attacker establishes persistence by creating cron jobs that make sure the continued execution of PG_MEM, thereby sustaining management over the compromised server. Cryptocurrency Mining Configuration
Uncovered PostgreSQL Servers: A Rising Concern
The invention of PG_MEM highlights the vulnerability of uncovered PostgreSQL servers. A search on Shodan, a search engine for Web-connected gadgets, revealed over 800,000 publicly accessible PostgreSQL databases.
This underscores the pressing want for sturdy safety measures to guard in opposition to such assaults. Uncovered PostgreSQL Servers on Shodan
The PG_MEM assault aligns with a number of strategies outlined within the MITRE ATT&CK framework.
These embrace exploiting public-facing purposes, command and scripting interpreter execution, account manipulation, and useful resource hijacking. Understanding these strategies can assist develop efficient protection methods.
Organizations should undertake a defense-in-depth strategy to safeguard in opposition to PG_MEM and related threats.
This consists of implementing robust password insurance policies, common safety audits, and utilizing runtime detection and response instruments like Aqua’s Runtime Safety.
Such instruments can detect suspicious conduct in real-time, offering essential insights into potential vulnerabilities.
The PG_MEM malware, combining information theft with cryptocurrency mining, represents a complicated menace to PostgreSQL databases.
As cyber threats proceed to evolve, organizations should improve their safety measures to make sure that their databases stay protected in opposition to malicious actions.
By understanding the ways employed by attackers and implementing sturdy defenses, companies can safeguard their vital information and preserve operational integrity.
Shield Your Enterprise with Cynet Managed All-in-One Cybersecurity Platform – Strive Free Trial