Secure Bulletin Navigating the cyber sea with knowledge
Home > Articolo > Emergence of PG_MEM malware targeting PostgreSQL databases
Emergence of PG_MEM malware targeting PostgreSQL databases
Read Time:1 Minute, 13 Second

Aqua Nautilus researchers have uncovered a dangerous new malware strain named PG_MEM, specifically designed to exploit the PostgreSQL database management system for illicit cryptocurrency mining. The attack begins with a brute-force approach to compromise database passwords, granting attackers access to critical systems.

Upon breaching defenses, PG_MEM establishes a foothold by creating a new superuser role, effectively stripping original users of their privileges to prevent counter-intrusion. Subsequent reconnaissance is conducted, which includes gathering key system information essential for further exploitation. Utilizing the PostgreSQL command “COPY … FROM PROGRAM,” attackers execute shell commands to download and launch malicious files, namely pg_core and pg_mem. These files are crafted to optimize operations while removing competition and evading detection.

Among its techniques for stealth, PG_MEM employs temporary tables for command execution, ensuring little to no digital footprint remains post-attack. It also targets and neutralizes other processes, including miners and security measures, while establishing cron jobs to maintain persistent crypto-mining operations after system reboots. Consequently, compromised systems experience diminished performance and stability as CPU and GPU resources are commandeered for the attackers’ profit.

Aqua Nautilus’s analysis, employing Shodan, revealed over 800,000 publicly accessible PostgreSQL databases, highlighting a substantial vulnerability landscape. This alarming situation necessitates immediate action from organizations to bolster their database security posture. Strong password policies, multi-factor authentication, regular security audits, and robust intrusion detection systems are essential measures to mitigate the risk of PG_MEM and similar threats.

Share: Twitter  |  Facebook  |  LinkedIn
Join the discussion

This is a blog in the Fediverse: you can find this article everywhere with @blog@securebulletin.com and every comment/answer will appear here.

If you want to comment on Emergence of PG_MEM malware targeting PostgreSQL databases, use the discussion on Forum.

>> forum community