
New malware PG_MEM targets PostgreSQL databases for crypto mining

August 22, 2024 | Ravie Lakshmanan | Database Security / Cryptocurrency

Cybersecurity researchers have discovered a new malware variant dubbed PG_MEM. The malware mines cryptocurrency on PostgreSQL database servers that it compromises through brute-force attacks against database credentials.

“Brute-force attacks against Postgres repeatedly attempt to guess database credentials until access is gained, exploiting weak passwords,” Aqua security researcher Assaf Morag wrote in a technical report.

“Once access is gained, attackers can use the SQL COPY … FROM PROGRAM command to execute arbitrary shell commands on the host, potentially performing malicious activities such as exfiltrating data or installing malware.”


The attack chain observed by the cloud security firm involves attacking misconfigured PostgreSQL databases to create an administrator role in Postgres and abusing the COPY command's PROGRAM option to execute shell commands.

Additionally, after a successful brute-force attack, the attacker performs initial reconnaissance and runs commands that strip superuser privileges from the ‘postgres’ user, so that other attackers who gain access by the same route are left with fewer privileges.

The shell commands are responsible for dropping two payloads from a remote server (“128.199.77(.)96”), namely PG_MEM and PG_CORE. These can kill competing processes (e.g. kinsing), establish persistence on the host, and ultimately deploy the Monero cryptocurrency miner.

This is accomplished by using the PostgreSQL COPY command, which copies data between a file and a database table. In particular, the attacker weaponizes the PROGRAM option, which makes the server execute the supplied command and write the program's output into the table.
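The three stages described above (a burst of failed password logins, a role being granted or stripped of SUPERUSER, and a COPY … FROM PROGRAM statement) all leave traces in the PostgreSQL server log when `log_statement = 'all'` is set. The following script is an added detection example written for this article, not code from the article or from Aqua; it assumes a `log_line_prefix` of `'%m [%p] %u@%d %h '` and runs over a constructed sample log, and the host addresses in it are documentation ranges, not indicators from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example (not from the article). It assumes
# log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d %h ', both of
# which are assumptions made here so that user, database and client host are
# visible on every line.
SAMPLE_LOG = """\
2024-08-20 10:15:01.101 UTC [4101] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:02.102 UTC [4102] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:03.103 UTC [4103] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:04.104 UTC [4104] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:05.105 UTC [4105] postgres@postgres 203.0.113.10 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:06.106 UTC [4106] postgres@postgres 203.0.113.10 LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:15:07.107 UTC [4106] postgres@postgres 203.0.113.10 LOG:  statement: CREATE ROLE app_backup WITH SUPERUSER LOGIN
2024-08-20 10:15:08.108 UTC [4106] postgres@postgres 203.0.113.10 LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-20 10:15:09.109 UTC [4106] postgres@postgres 203.0.113.10 LOG:  statement: COPY scratch FROM PROGRAM 'echo probe'
2024-08-20 10:16:30.200 UTC [4200] app@inventory 10.0.0.5 LOG:  statement: COPY items FROM '/var/lib/postgresql/items.csv' CSV
2024-08-20 10:16:31.201 UTC [4201] app@inventory 10.0.0.5 FATAL:  password authentication failed for user "app"
"""

# Matches the assumed prefix: timestamp, pid, user@db, client host, level, message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] '
    r'(?P<user>\S+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "([^"]+)"')
# Only COPY ... FROM PROGRAM runs a command; a plain COPY ... FROM 'file' does not.
COPY_PROGRAM_RE = re.compile(r'\bCOPY\b.*\bFROM\s+PROGRAM\b', re.IGNORECASE)
ROLE_CHANGE_RE = re.compile(
    r'\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*?\b(NOSUPERUSER|SUPERUSER)\b', re.IGNORECASE
)


def parse_log(text):
    """Parse each log line into a dict; lines not matching the prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev['ts'] = datetime.strptime(ev['ts'], '%Y-%m-%d %H:%M:%S')
            events.append(ev)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {host: total_failures} for hosts with >= threshold password
    failures inside any sliding window of the given length."""
    fails = defaultdict(list)
    for ev in events:
        if ev['level'] == 'FATAL' and AUTH_FAIL_RE.search(ev['msg']):
            fails[ev['host']].append(ev['ts'])
    flagged = {}
    for host, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged


def find_program_copy(events):
    """Return (user, host, statement) for every logged COPY ... FROM PROGRAM."""
    hits = []
    for ev in events:
        if ev['msg'].startswith('statement: ') and COPY_PROGRAM_RE.search(ev['msg']):
            hits.append((ev['user'], ev['host'], ev['msg'][len('statement: '):]))
    return hits


def find_role_changes(events):
    """Return (user, host, SUPERUSER|NOSUPERUSER, statement) for role changes
    that grant or remove superuser, the two moves the article describes."""
    hits = []
    for ev in events:
        if ev['msg'].startswith('statement: '):
            m = ROLE_CHANGE_RE.search(ev['msg'])
            if m:
                hits.append((ev['user'], ev['host'], m.group(1).upper(),
                             ev['msg'][len('statement: '):]))
    return hits


def analyze(text):
    events = parse_log(text)
    return {
        'brute_force_hosts': find_bruteforce(events),
        'copy_from_program': find_program_copy(events),
        'superuser_changes': find_role_changes(events),
    }


if __name__ == '__main__':
    for name, result in analyze(SAMPLE_LOG).items():
        print(name, result)
```

On the sample log the script flags 203.0.113.10 for five failed logins within a minute, reports the `CREATE ROLE … SUPERUSER` and `ALTER ROLE postgres NOSUPERUSER` statements from the same host, and lists the single `COPY … FROM PROGRAM` statement while ignoring the legitimate file-based COPY. Because `COPY … FROM PROGRAM` requires superuser or membership in the built-in `pg_execute_server_program` role, auditing which roles hold either is the complementary preventive check; the log-based detection here covers the case where an attacker already has such a role.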

“While (cryptocurrency mining) has the biggest impact, at this point the attacker can also execute commands, view data, and control the server,” Morag said.

“This campaign is abusing internet-facing Postgres databases with weak passwords. Many organizations are connecting their databases to the internet; weak passwords are the result of misconfiguration and a lack of proper authentication.”
