New malware PG_MEM targets PostgreSQL databases for crypto mining

22 August 2024 | Ravie Lakshmanan | Database security / Cryptocurrency


Cybersecurity researchers have discovered a new malware variant called PG_MEM that is designed to mine cryptocurrencies by using brute force to gain access to PostgreSQL database instances.

“Brute-force attacks on Postgres involve repeated attempts to guess database credentials until access is gained, exploiting weak passwords,” said Aqua security researcher Assaf Morag in a technical report.

“Once accessed, attackers can use the SQL command COPY … FROM PROGRAM to execute arbitrary shell commands on the host to perform malicious activities such as data theft or malware deployment.”


The attack chain observed by the cloud security firm involves targeting misconfigured PostgreSQL databases, creating an administrator role in Postgres, and abusing the PROGRAM option of the COPY command to execute shell commands on the host.

In addition, after a successful brute-force attack, the threat actor first performs reconnaissance and then executes commands to strip superuser privileges from the “postgres” user, thereby limiting what other threat actors who gain access in the same way can do.

The shell commands are responsible for dropping two payloads from a remote server (“128.199.77(.)96”), namely PG_MEM and PG_CORE, which are capable of killing competing processes (e.g. Kinsing), establishing persistence on the host, and ultimately deploying the Monero cryptocurrency miner.

This is achieved with the PostgreSQL COPY command, which copies data between a file and a database table. Specifically, the attacker uses its PROGRAM option, which makes the server execute the supplied command and write the program’s output into the table.

“While [cryptocurrency mining] is the main impact, at this point the attacker can also execute commands, view data and control the server,” Morag said.

“This campaign exploits Internet-facing Postgres databases with weak passwords. Many organizations connect their databases to the Internet; weak passwords are the result of misconfiguration and a lack of proper identity controls.”
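The two defensive takeaways above (who can run COPY … FROM PROGRAM, and which databases accept password logins from the whole Internet) can be checked directly from SQL. The following audit is an added example, not code from the article or from Aqua’s report. It assumes PostgreSQL 11 or later (the predefined pg_execute_server_program role) and a superuser session, since pg_hba_file_rules is readable only by superusers; the role names in the remediation statements are placeholders.

```sql
-- Added example (not from the article or Aqua's report): audit queries a DBA can run
-- after reading about PG_MEM. Assumes PostgreSQL 11+ and a superuser session.

-- 1. Roles that are allowed to run COPY ... FROM PROGRAM.
--    Only superusers and members of pg_execute_server_program may do so, so every
--    row returned here is a role that could execute shell commands on the host.
--    An unexpected superuser (PG_MEM creates one) or a "postgres" role that has
--    unexpectedly lost rolsuper are both findings worth investigating.
SELECT rolname,
       rolsuper,
       rolcanlogin,
       pg_has_role(oid, 'pg_execute_server_program', 'MEMBER') AS can_exec_program
FROM pg_roles
WHERE rolname NOT LIKE 'pg\_%'          -- skip the predefined pg_* roles themselves
  AND (rolsuper
       OR pg_has_role(oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY rolname;

-- 2. pg_hba.conf rules that accept password-based (or no) authentication from any
--    address: the exact exposure the campaign relies on. An "all" address, or a
--    0.0.0.0/0 or ::/0 network, combined with trust/md5/password/scram-sha-256,
--    means the only thing between the Internet and the database is the password.
SELECT line_number,
       type,
       database,
       user_name,
       address,
       netmask,
       auth_method
FROM pg_hba_file_rules
WHERE type IN ('host', 'hostssl', 'hostnossl')
  AND auth_method IN ('trust', 'password', 'md5', 'scram-sha-256')
  AND (address = 'all'
       OR (address = '0.0.0.0' AND netmask = '0.0.0.0')
       OR (address = '::'      AND netmask = '::'))
ORDER BY line_number;

-- 3. Remediation for findings from query 1 (placeholder role names).
--    Remove superuser from a role that should never have had it, and take the
--    server-program capability away from an application role.
ALTER ROLE suspicious_role NOSUPERUSER;              -- placeholder: role found in query 1
REVOKE pg_execute_server_program FROM app_user;      -- placeholder: application login role

-- 4. Remediation for findings from query 2 belongs in pg_hba.conf itself: replace the
--    open network with the application's subnet and require scram-sha-256, then run
--    SELECT pg_reload_conf(); so the new rules take effect without a restart.
```

Query 1 reports true in can_exec_program for every superuser as well, because a superuser is implicitly a member of every role; that is the intended reading, since the privilege is the same either way. Query 2 only covers TCP rules; a “local” (Unix socket) rule is not reachable from the Internet and is deliberately excluded.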


By Bronte
