CyberSecurity news
SC Staff@scmagazine.com
An ongoing cryptomining campaign, attributed to the threat actor JINX-0126, has successfully compromised over 1,500 internet-exposed PostgreSQL servers. Attackers are exploiting instances with weak credentials, allowing them to deploy XMRig-C3 cryptocurrency miners using fileless techniques. This campaign is an evolution of the PG_MEM malware activity, initially detected in August, and demonstrates sophisticated evasion tactics. These include deploying binaries with unique hashes per target and executing the miner payload filelessly.
Cloud security firm Wiz has identified that attackers are abusing the "COPY ... FROM PROGRAM" SQL command to execute arbitrary shell commands on the database host. Once authenticated, attackers conduct reconnaissance, deploy a shell script to eliminate competing cryptominers, and deliver the pg_core binary. A Golang binary called "postmaster" is also downloaded, enabling persistence, privilege escalation, and the execution of a new XMRig cryptominer variant, highlighting the risks of weak PostgreSQL configurations in cloud environments. This campaign could have leveraged over 1,500 compromised machines.
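The two signals described above, a burst of failed password logins followed by a "COPY ... FROM PROGRAM" statement, are both visible in the PostgreSQL server log when statement logging is enabled. The script below is an added detection example written for this summary; it is not code from Wiz, Aqua Security, or any of the cited reports. It assumes a log_line_prefix of '%m [%p] %u@%d %h ' (adjust LINE_RE for other prefixes), and it also flags "COPY ... TO PROGRAM", which executes a program in the same way. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample PostgreSQL server log (assumed prefix '%m [%p] %u@%d %h ').
# The commands inside the PROGRAM clauses are placeholders, not real payloads.
SAMPLE_LOG = """\
2025-03-28 10:01:02.123 UTC [2231] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-03-28 10:01:02.456 UTC [2232] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-03-28 10:01:02.789 UTC [2233] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-03-28 10:01:03.101 UTC [2234] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-03-28 10:01:03.404 UTC [2235] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-03-28 10:01:05.000 UTC [2236] postgres@postgres 203.0.113.7 LOG:  statement: COPY tmp_tbl FROM PROGRAM 'echo constructed-example'
2025-03-28 10:02:00.000 UTC [2240] app@inventory 10.0.0.5 LOG:  statement: COPY products FROM '/tmp/products.csv' CSV
2025-03-28 10:02:10.000 UTC [2241] app@inventory 10.0.0.5 LOG:  statement: SELECT count(*) FROM products
2025-03-28 10:02:30.000 UTC [2242] app@inventory 10.0.0.5 FATAL:  password authentication failed for user "app"
2025-03-28 10:03:00.000 UTC [2243] postgres@postgres 203.0.113.7 LOG:  statement: copy   x   from program '<command redacted>'
"""

# Parses the assumed prefix: timestamp with zone, [pid], user@db, client host, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# COPY ... FROM PROGRAM / COPY ... TO PROGRAM, tolerant of case and extra whitespace.
PROGRAM_COPY_RE = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')


def parse_line(line):
    """Return the prefix fields of one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_program_copies(log_text):
    """Every logged statement that hands a shell command to the server via COPY ... PROGRAM."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stmt = rec["msg"]
        if stmt.startswith("statement: "):
            stmt = stmt[len("statement: "):]
        if PROGRAM_COPY_RE.search(stmt):
            hits.append({"host": rec["host"], "user": rec["user"], "db": rec["db"], "statement": stmt})
    return hits


def failed_auth_by_host(log_text, threshold=5):
    """Client hosts with at least `threshold` password failures (credential guessing)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "FATAL" and AUTH_FAIL_RE.search(rec["msg"]):
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def analyze(log_text, threshold=5):
    """Combine both detections into one report keyed by signal type."""
    return {
        "program_copy": find_program_copies(log_text),
        "auth_bursts": failed_auth_by_host(log_text, threshold),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, n in report["auth_bursts"].items():
        print(f"auth burst: {n} failed logins from {host}")
    for hit in report["program_copy"]:
        print(f"COPY ... PROGRAM from {hit['host']} as {hit['user']}@{hit['db']}: {hit['statement']}")
```

Running it on the sample reports one authentication burst (five failures from 203.0.113.7; the single failure from 10.0.0.5 stays below the threshold) and two COPY ... PROGRAM statements from the same host, while the ordinary file-based COPY is left alone. A string literal containing the words "from program" would also match, so treat hits as candidates for review rather than verdicts. Since COPY ... FROM PROGRAM requires superuser or membership in the pg_execute_server_program role, the log check pairs naturally with an audit of which roles hold that privilege and with keeping the service off the public internet.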
References:
- gbhackers.com: A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy cryptomining payloads.
- The Hacker News: Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign
- www.scworld.com: More than 1,500 internet-exposed PostgreSQL instances have been compromised with cryptocurrency mining malware as part of an ongoing JINX-0126 attack campaign, which is an evolution of PG_MEM malware activity initially detected by Aqua Security in August, The Hacker News reports.
- Wiz Blog | RSS feed: Cloud environments at risk: Attackers target weak PostgreSQL instances with fileless cryptominer payloads.
Classification:
- HashTags: #cryptomining #PostgreSQL #filelessmalware
- Company: Wiz
- Target: PostgreSQL servers
- Attacker: JINX-0126
- Product: PostgreSQL
- Feature: Fileless Cryptomining
- Malware: XMRig-C3
- Type: Malware
- Severity: Major