Close Menu
Indo Guard OnlineIndo Guard Online
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
What's Hot

Rare Werewolf APT uses legitimate software in attacks on hundreds of Russian enterprises

June 10, 2025

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025
Facebook X (Twitter) Instagram
Facebook X (Twitter) Instagram YouTube
Indo Guard OnlineIndo Guard Online
Subscribe
  • Home
  • Cyber Security
  • Risk Management
  • Travel
  • Security News
  • Tech
  • More
    • Data Privacy
    • Data Protection
    • Global Security
Indo Guard OnlineIndo Guard Online
Home » New PG_MEM malware targets PostgreSQL databases for crypto mining
Global Security

New PG_MEM malware targets PostgreSQL databases for crypto mining

AdminBy AdminAugust 22, 2024No Comments2 Mins Read
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link


August 22, 2024Ravi LakshmananDatabase Security / Cryptocurrency

Cybersecurity researchers have unpacked a new variant of the malware called PG_MEM, designed to mine cryptocurrency after crudely infiltrating PostgreSQL database instances.

“Brute force attacks on Postgres involve repeated attempts to guess database credentials until access is granted, using weak passwords,” – Assaf Morag, Aqua Security Researcher said in the technical report.

“Once accessed, attackers can use COPY … FROM SQL PROGRAM command to execute arbitrary shell commands on a host, allowing them to perform malicious actions such as stealing data or deploying malware.”

Cyber ​​security

The attack chain observed by the cloud security firm involves targeting misconfigured PostgreSQL databases to create an administrator role in Postgres and use a function called PROGRAM to execute shell commands.

Additionally, after a successful brute force attack, the threat actor performs initial reconnaissance and executes commands to strip the “postgres” user of superuser permissions, thereby limiting the privileges of other threat actors who may gain access using the same method.

The shell commands are responsible for removing two payloads from the remote server (“128.199.77(.)96”), namely PG_MEM and PG_CORE, which are capable of terminating competing processes (e.g. Kinging), setting up security on the host and eventually deploying the Monero cryptocurrency miner.

This is achieved by using a PostgreSQL command called COPY, which allows you to copy data between a file and a database table. Specifically, it uses a parameter known as PROGRAM, which allows the server to execute the commands passed to it and write the results of the program execution to a table.

“While (cryptocurrency mining) is the main exposure, at this point an attacker can also run commands, view data and control the server,” Morag said.

“This company uses Internet-facing Postgres databases with weak passwords. Many organizations connect their databases to the Internet, a weak password is the result of misconfiguration and a lack of proper identity controls.’

Did you find this article interesting? Follow us Twitter  and LinkedIn to read more exclusive content we publish.





Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Admin
  • Website

Related Posts

Rare Werewolf APT uses legitimate software in attacks on hundreds of Russian enterprises

June 10, 2025

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025

Two different botnets exploit the vulnerability of the WAZUH server to launch attacks based on peaceful

June 9, 2025

Think what your IDP or CASB covers the shadow? These 5 risks prove differently

June 9, 2025

Openai prohibits chatgpt accounts used by Russian, Iranian and Chinese hacking groups

June 9, 2025
Add A Comment
Leave A Reply Cancel Reply

Loading poll ...
Coming Soon
Do You Like Our Website
: {{ tsp_total }}

Subscribe to Updates

Get the latest security news from Indoguardonline.com

Latest Posts

Rare Werewolf APT uses legitimate software in attacks on hundreds of Russian enterprises

June 10, 2025

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025

Two different botnets exploit the vulnerability of the WAZUH server to launch attacks based on peaceful

June 9, 2025

Think what your IDP or CASB covers the shadow? These 5 risks prove differently

June 9, 2025

Openai prohibits chatgpt accounts used by Russian, Iranian and Chinese hacking groups

June 9, 2025

Operation malicious network supply software gets to NPM and Pypi ecosystems, focusing on millions worldwide

June 8, 2025

Extension of the malicious browser has infected 722 users across Latin America since the beginning of 2025

June 8, 2025
About Us
About Us

Provide a constantly updating feed of the latest security news and developments specific to Indonesia.

Facebook X (Twitter) Pinterest YouTube WhatsApp
Our Picks

Rare Werewolf APT uses legitimate software in attacks on hundreds of Russian enterprises

June 10, 2025

CISA adds flaws of Erlang SSH and RoundCube to famous exploited directory vulnerabilities

June 10, 2025

More than 70 organizations in several sectors aimed at Chinese Cyber ​​Spying Group

June 9, 2025
Most Popular

In Indonesia, crippling immigration ransomware breach sparks privacy crisis

July 6, 2024

Why Indonesia’s Data Breach Crisis Calls for Better Security

July 6, 2024

Indonesia’s plan to integrate 27,000 govt apps in one platform welcomed but data security concerns linger

July 6, 2024
© 2025 indoguardonline.com
  • Home
  • About us
  • Contact us
  • Privacy Policy

Type above and press Enter to search. Press Esc to cancel.