Cybersecurity researchers have discovered a new malicious program called PG_MEM that targets PostgreSQL databases for cryptocurrency mining. The campaign brute-forces database credentials and then carries out further malicious actions on the compromised server.
According to a technical report by Assaf Morag, a security specialist at AquaSec, the attacks on PostgreSQL databases begin with repeated attempts to guess credentials protected by weak passwords. Once a login succeeds, the attackers can execute arbitrary shell commands on the server, allowing them to steal data or install malware.
The attack chain targets misconfigured PostgreSQL databases: the attackers create an administrator role and use the PROGRAM option of the COPY command to execute shell commands. After a successful compromise, they perform initial reconnaissance and run commands that revoke superuser rights from the "postgres" user, limiting access for other potential attackers.
Subsequent actions include downloading two malware samples, PG_MEM and PG_core, from the attackers' remote server. These programs kill competing processes, establish persistent access on the server, and ultimately deploy a Monero cryptocurrency miner.
The malware abuses the PostgreSQL COPY command, normally used to copy data between a file and a database table. Attackers use its PROGRAM parameter to execute the supplied commands on the server and store their output in a database table.
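The brute-force logins, the COPY ... PROGRAM abuse and the superuser role changes described above all leave traces in PostgreSQL's own server log. The following detector is an added example, not code from the AquaSec report or the PG_MEM campaign; it assumes the default text log format with log_line_prefix = '%m [%p] %u@%d %h ' and statement logging enabled, and runs over constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample log (not a real capture), log_line_prefix = '%m [%p] %u@%d %h '.
SAMPLE_LOG = """\
2024-08-20 10:00:01.101 UTC [1201] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.402 UTC [1202] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01.705 UTC [1203] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:09.900 UTC [1210] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE svc_backup SUPERUSER LOGIN
2024-08-20 10:00:10.250 UTC [1210] postgres@postgres 203.0.113.7 LOG:  statement: COPY cmd_out FROM PROGRAM 'echo probe'
2024-08-20 10:00:11.000 UTC [1210] postgres@postgres 203.0.113.7 LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-20 10:05:00.000 UTC [1300] app@inventory 10.0.0.12 LOG:  statement: COPY items TO '/tmp/items.csv'
"""

# One log line: timestamp (3 tokens), [pid], user@db, client host, LEVEL: message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# COPY ... FROM/TO PROGRAM runs a shell command; a plain file COPY does not match.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.I)
ROLE_CHANGE_RE = re.compile(r"\b(?:CREATE|ALTER)\s+ROLE\b.*\b(?:NO)?SUPERUSER\b", re.I)


def scan_log(text, fail_threshold=3):
    """Return findings keyed by category; each entry is (ts, user, host, detail)."""
    fails = Counter()
    findings = {"brute_force": [], "copy_program": [], "superuser_change": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # multi-line statement continuations or unparsable lines
        f = m.groupdict()
        msg = f["msg"]
        if f["level"] == "FATAL" and AUTH_FAIL_RE.search(msg):
            key = (f["host"], f["user"])
            fails[key] += 1
            if fails[key] == fail_threshold:  # report once per host/user pair
                findings["brute_force"].append(
                    (f["ts"], f["user"], f["host"], f"{fail_threshold} failed logins"))
        elif msg.startswith("statement:"):
            stmt = msg[len("statement:"):].strip()
            if COPY_PROGRAM_RE.search(stmt):
                findings["copy_program"].append((f["ts"], f["user"], f["host"], stmt))
            if ROLE_CHANGE_RE.search(stmt):
                findings["superuser_change"].append((f["ts"], f["user"], f["host"], stmt))
    return findings
```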
While the primary objective of the attacks is cryptocurrency mining, the attackers also gain the ability to execute system commands, view data, and control the server. The campaign targets internet-exposed PostgreSQL databases with weak passwords, a result of misconfiguration and inadequate access controls, as AquaSec notes.
Many organizations expose their databases to the internet, leaving them vulnerable to such attacks because of weak passwords and a lack of proper authentication protections. To protect their systems, experts recommend keeping databases up to date, enforcing strong passwords, and restricting access to the server from the internet.