CyberSecurity news
FlagThis - #postgresql
|
SC Staff@scmagazine.com
//
An ongoing cryptomining campaign, attributed to the threat actor JINX-0126, has successfully compromised over 1,500 internet-exposed PostgreSQL servers. Attackers are exploiting instances with weak credentials, allowing them to deploy XMRig-C3 cryptocurrency miners using fileless techniques. This campaign is an evolution of the PG_MEM malware activity, initially detected in August, and demonstrates sophisticated evasion tactics. These include deploying binaries with unique hashes per target and executing the miner payload filelessly.
Cloud security firm Wiz, has identified that attackers are abusing the "COPY ... FROM PROGRAM SQL" command to execute arbitrary shell commands. Once authenticated, attackers conduct reconnaissance, deploy a shell script to eliminate competing cryptominers, and deliver the pg_core binary. A Golang binary called "postmaster" is also downloaded, enabling persistence, privilege escalation, and the execution of a new XMRig cryptominer variant, highlighting the risks of weak PostgreSQL configurations in cloud environments. This campaign could have leveraged over 1,500 compromised machines.
Share:
References :
Classification:
@csoonline.com
//
A critical zero-day vulnerability, identified as CVE-2025-1094, has been discovered in the open-source database management system PostgreSQL. This SQL injection flaw, found in PostgreSQL's psql terminal, was actively exploited in conjunction with a separate zero-day vulnerability, CVE-2024-12356, affecting BeyondTrust Remote Support systems. The combined exploitation of these vulnerabilities enabled attackers to achieve remote code execution, leading to potential system compromise.
Rapid7 researchers discovered that the PostgreSQL flaw stems from the interactive terminal psql's handling of malformed UTF-8 characters, which allows attackers to inject malicious SQL commands. This vulnerability was leveraged in attacks targeting the U.S. Treasury Department, highlighting the severity of the threat. PostgreSQL has urged users of versions before 13.19, 14.16, 15.11, 16.7, and 17.3 to immediately apply the issued patch to mitigate the risk of exploitation.
Share:
References :
Classification:
@csoonline.com
//
A high-severity SQL injection vulnerability, identified as CVE-2025-1094, has been discovered in PostgreSQL's psql interactive tool. Rapid7 researchers found that threat actors exploited this zero-day flaw in conjunction with a BeyondTrust vulnerability (CVE-2024-12356) during targeted attacks in December 2024. Specifically, attackers who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL.
This vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to OS command execution. The flaw stems from how PostgreSQL handles invalid UTF-8 characters, which allows attackers to inject malicious code via a shortcut command "\!". Rapid7 discovered that successful exploitation of the BeyondTrust vulnerability required exploiting CVE-2025-1094 to achieve remote code execution. Patches have been released for PostgreSQL versions 13 through 17 to address this issue, and users are advised to upgrade their database servers immediately.
Share:
References :
Classification:
|