Introduction
Cybersecurity researchers at Aqua Nautilus have recently uncovered a new and alarming malware strain that threatens over 800,000 PostgreSQL servers worldwide. This new threat exploits the vulnerability of weak database passwords to attack the servers via the ransomware dubbed PG_MEM and take over the systems with cryptocurrency miners which in turn may cause widespread disruption.
PG_MEM: A New Cryptojacking Threat
In the beginning, the stop-guard PG_MEM malware starts by carrying out a brute force attack on PostgreSQL. For that cause, the malware by targeting databases with weak or easily guessable passwords gets access and assigns the superuser role with administrative privileges. When the malware has the necessary privileges, it can go to the whole infected database pack, deny legitimate access, and perform some malicious shell commands.
How the Malware Operates
When the program is on the server it downloads and deploys other malicious payloads. One of them is the XMRIG mining tool, which is commonly used by hackers to mine Monero (XMR), which is preferred by the criminals for its anonymity and untraceability. To maintain the function, the hacker puts some changes in the cron job, which is scheduled tasks that are performed at prohibited times on the server. The malware also removes the present cron dukes and replaces them with new ones so that the system can be mined continuously even in the event of reboots or temporary downtimes.
Besides this, PG_MEM also eliminates some files and logs which can be a clue to its activity thus making it harder for administrators to identify and remove the malware.
The Broader Implications
PG_MEM can be more dangerous because of the possibility of illegal cryptomining. If somebody uses your server, for example, hackers can carry out other malicious activities which increase the seriousness of the situation.
It is not a new thing that the PostgreSQL databases have been attacked within a cryptojacking campaign. Similar to using the McLaren botnet of 2020, the PyMiner botnet was used in 2018 to mine Monero.
Conclusion
The finding of the PG_MEM malware even indicates that cryptojacking campaigns are still a serious concern and points toward the need to implement stronger security measures when managing PostgreSQL databases. As cyber threats are developing, organizations must adopt robust security practices such as using strong passwords and regularly monitoring systems to safeguard their critical infrastructure from such exploits.
