Cybersecurity researchers have unpacked a new variant of the malware called PG_MEM, designed to mine cryptocurrency after crudely infiltrating PostgreSQL database instances.
“Brute force attacks on Postgres involve repeated attempts to guess database credentials until access is granted, using weak passwords,” – Assaf Morag, Aqua Security Researcher said in the technical report.
“Once accessed, attackers can use COPY … FROM SQL PROGRAM command to execute arbitrary shell commands on a host, allowing them to perform malicious actions such as stealing data or deploying malware.”
The attack chain observed by the cloud security firm involves targeting misconfigured PostgreSQL databases to create an administrator role in Postgres and use a function called PROGRAM to execute shell commands.
Additionally, after a successful brute force attack, the threat actor performs initial reconnaissance and executes commands to strip the “postgres” user of superuser permissions, thereby limiting the privileges of other threat actors who may gain access using the same method.
The shell commands are responsible for removing two payloads from the remote server (“128.199.77(.)96”), namely PG_MEM and PG_CORE, which are capable of terminating competing processes (e.g. Kinging), setting up security on the host and eventually deploying the Monero cryptocurrency miner.
This is achieved by using a PostgreSQL command called COPY, which allows you to copy data between a file and a database table. Specifically, it uses a parameter known as PROGRAM, which allows the server to execute the commands passed to it and write the results of the program execution to a table.
“While (cryptocurrency mining) is the main exposure, at this point an attacker can also run commands, view data and control the server,” Morag said.
“This company uses Internet-facing Postgres databases with weak passwords. Many organizations connect their databases to the Internet, a weak password is the result of misconfiguration and a lack of proper identity controls.’
