Aqua Nautilus researchers have uncovered a dangerous new malware strain named PG_MEM, specifically designed to exploit the PostgreSQL database management system for illicit cryptocurrency mining. The attack begins with a brute-force approach to compromise database passwords, granting attackers access to critical systems.

Once inside, PG_MEM establishes a foothold by creating a new superuser role and stripping the original users of their privileges, so that the legitimate operators cannot easily regain control. It then performs reconnaissance, gathering the system information it needs for the rest of the attack. Using the PostgreSQL command “COPY … FROM PROGRAM,” the attackers execute shell commands on the database host to download and launch two malicious files, pg_core and pg_mem. These binaries are built to run the mining operation efficiently, remove competing miners, and evade detection.

Among its techniques for stealth, PG_MEM employs temporary tables for command execution, ensuring little to no digital footprint remains post-attack. It also targets and neutralizes other processes, including miners and security measures, while establishing cron jobs to maintain persistent crypto-mining operations after system reboots. Consequently, compromised systems experience diminished performance and stability as CPU and GPU resources are commandeered for the attackers’ profit.

Aqua Nautilus’s analysis, employing Shodan, revealed over 800,000 publicly accessible PostgreSQL databases, highlighting a substantial vulnerability landscape. This alarming situation necessitates immediate action from organizations to bolster their database security posture. Strong password policies, multi-factor authentication, regular security audits, and robust intrusion detection systems are essential measures to mitigate the risk of PG_MEM and similar threats.
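The sequence described above (password brute force, a new superuser role, then “COPY … FROM PROGRAM”) is visible in ordinary PostgreSQL server logs. The scanner below is an added example from a defender's side, not code from the Aqua Nautilus report; it assumes `log_line_prefix = '%m [%p] %u@%d %h '` and `log_statement = 'ddl'` or `'all'`, and the log lines it runs over are constructed, not real telemetry.

```python
import re
from collections import Counter

# Assumed server settings: log_line_prefix = '%m [%p] %u@%d %h ' and
# log_statement = 'ddl' or 'all' (assumptions for this example, not from the article).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL = "password authentication failed"
# COPY ... FROM PROGRAM runs a shell command on the server; it requires superuser
# or pg_execute_server_program membership, so it is rare in normal application traffic.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)
SUPERUSER_RE = re.compile(r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*\bSUPERUSER\b", re.I)


def scan_postgres_log(lines, fail_threshold=5):
    """Return (kind, host, user, detail) alerts for the PG_MEM-style chain:
    repeated password failures, a superuser role grant, and COPY FROM PROGRAM."""
    failures = Counter()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected prefix format; skip
        host, user, msg = m["host"], m["user"], m["msg"]
        if AUTH_FAIL in msg:
            failures[host] += 1
            if failures[host] == fail_threshold:  # alert once per host
                alerts.append(("brute_force", host, user, f"{fail_threshold} auth failures"))
        elif "statement: " in msg:
            stmt = msg.split("statement: ", 1)[1]
            if SUPERUSER_RE.search(stmt):
                alerts.append(("superuser_grant", host, user, stmt))
            if COPY_PROGRAM_RE.search(stmt):
                alerts.append(("copy_from_program", host, user, stmt))
    return alerts


# Constructed sample log (not real telemetry): one address fails six logins, then
# creates a superuser and runs COPY FROM PROGRAM; a legitimate file COPY is included.
SAMPLE_LOG = [
    f"2024-08-20 10:00:0{i} UTC [22{i}] postgres@postgres 203.0.113.7 FATAL:  {AUTH_FAIL} for user \"postgres\""
    for i in range(6)
] + [
    "2024-08-20 10:00:09 UTC [2240] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE rsvc WITH SUPERUSER LOGIN PASSWORD 'x'",
    "2024-08-20 10:00:10 UTC [2240] postgres@postgres 203.0.113.7 LOG:  statement: COPY tmp FROM PROGRAM 'uname -a'",
    "2024-08-20 10:00:11 UTC [2301] app@shop 10.0.0.5 LOG:  statement: COPY orders FROM '/tmp/orders.csv'",
]

if __name__ == "__main__":
    for alert in scan_postgres_log(SAMPLE_LOG):
        print(alert)
```

The ordinary `COPY ... FROM '/path'` from the application role produces no alert, while the three stages from the attacking address each do.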