Cybersecurity researchers have discovered a new malware strain dubbed PG_MEM that is designed to mine cryptocurrency after brute-forcing its way into PostgreSQL database instances.
“Brute-force attacks on Postgres involve repeatedly attempting to guess the database credentials until access is gained, exploiting weak passwords,” Aqua security researcher Assaf Morag said in a technical report.
“Once accessed, attackers can leverage the COPY … FROM PROGRAM SQL command to execute arbitrary shell commands on the host, allowing them to perform malicious activities such as data theft or deploying malware.”
The attack chain observed by the cloud security firm involves targeting misconfigured PostgreSQL databases to create an administrator role in Postgres and exploiting a feature called PROGRAM to run shell commands.
In addition, a successful brute-force attack is followed by the threat actor conducting initial reconnaissance and executing commands to strip the “postgres” user of superuser permissions, thereby restricting the privileges of other threat actors who might gain access via the same method.
The shell commands are responsible for dropping two payloads from a remote server (“128.199.77[.]96”), namely PG_MEM and PG_CORE, which are capable of terminating competing processes (e.g., Kinsing), setting up persistence on the host, and ultimately deploying the Monero cryptocurrency miner.
This is accomplished by making use of a PostgreSQL command called COPY, which allows data to be copied between a file and a database table. It specifically weaponizes a parameter known as PROGRAM, which makes the server run the supplied command and write the program's output into the table.
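Every stage of the chain described above (a burst of failed logins, a role being created or the "postgres" role losing superuser, and a COPY … FROM PROGRAM statement) leaves a trace in the PostgreSQL server log when `log_connections` and `log_statement` are enabled. The following detector is an added example written for this article; it is not code from Aqua or from the PostgreSQL project. It assumes a hypothetical `log_line_prefix = '%m [%p] %u@%d %h '` (so the client IP is on every line) and runs over a handful of constructed log lines; the brute-force threshold and window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed log_line_prefix = '%m [%p] %u@%d %h ' with
# log_connections = on and log_statement = 'all' (hypothetical server config).
SAMPLE_LOG = """\
2024-08-22 10:00:01.001 UTC [4101] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:01.350 UTC [4102] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:01.702 UTC [4103] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:02.050 UTC [4104] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:02.401 UTC [4105] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:03.000 UTC [4106] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-08-22 10:00:04.120 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE svc_backup WITH SUPERUSER LOGIN PASSWORD 'x';
2024-08-22 10:00:05.300 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: ALTER ROLE postgres NOSUPERUSER;
2024-08-22 10:00:06.500 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'echo test';
2024-08-22 10:05:00.000 UTC [4200] app@inventory 10.0.0.12 FATAL:  password authentication failed for user "app"
2024-08-22 10:05:30.000 UTC [4201] app@inventory 10.0.0.12 LOG:  statement: SELECT count(*) FROM orders;
"""

# One log line under the assumed prefix: timestamp, tz, [pid], user@db, client host, LEVEL:  message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# COPY ... FROM PROGRAM reads a command's output; COPY ... TO PROGRAM pipes into one. Both run a shell command.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)
# Roles being granted superuser, or (as in this campaign) the postgres role being stripped of it.
ROLE_PRIV_RE = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\b(NO)?SUPERUSER\b", re.IGNORECASE)

BRUTE_FORCE_THRESHOLD = 5          # failed logins from one host ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... inside this sliding window


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def detect_brute_force(entries, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Map client host -> max number of failed password logins seen within one window."""
    failures = defaultdict(list)
    for e in entries:
        if e["level"] == "FATAL" and "password authentication failed" in e["msg"]:
            failures[e["host"]].append(e["ts"])
    hits = {}
    for host, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[host] = max(hits.get(host, 0), count)
    return hits


def _statements(entries):
    return [e for e in entries if e["msg"].startswith("statement:")]


def detect_os_command_execution(entries):
    """Logged statements that reach the host shell through COPY ... PROGRAM."""
    return [e for e in _statements(entries) if COPY_PROGRAM_RE.search(e["msg"])]


def detect_role_privilege_changes(entries):
    """Logged statements that add or remove SUPERUSER on a role."""
    return [e for e in _statements(entries) if ROLE_PRIV_RE.search(e["msg"])]


def triage(log_text):
    """Summarise the three signals and correlate them by client host."""
    entries = parse_log(log_text)
    brute = detect_brute_force(entries)
    shell = detect_os_command_execution(entries)
    roles = detect_role_privilege_changes(entries)
    abusing_hosts = {e["host"] for e in shell + roles}
    return {
        "brute_force": brute,
        "copy_program": [(e["host"], e["user"], e["msg"]) for e in shell],
        "role_changes": [(e["host"], e["user"], e["msg"]) for e in roles],
        # Highest priority: a host that guessed its way in and then ran shell or role-changing SQL.
        "brute_force_then_abuse": sorted(h for h in brute if h in abusing_hosts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The correlation step is the useful part: a single `ALTER ROLE ... NOSUPERUSER` or `COPY ... FROM PROGRAM` from a trusted admin host is routine, but the same statements arriving minutes after a password-guessing burst from the same address match the sequence this report describes and should page someone. On the prevention side, the same log review is a good moment to confirm that no application role holds SUPERUSER or membership in `pg_execute_server_program`, since only those can issue COPY ... PROGRAM at all.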
“While [cryptocurrency mining] is the main impact, at this point the attacker can also run commands, view data, and control the server,” Morag said.
“This campaign is exploiting internet-facing Postgres databases with weak passwords. Many organizations connect their databases to the internet; a weak password is the result of a misconfiguration and a lack of proper identity controls.”