Over 800k servers at risk due to new cryptojacking malware exploiting PostgreSQL

As a seasoned researcher with years of experience in cybersecurity, I find this latest discovery of PG_MEM malware targeting PostgreSQL servers both concerning and intriguing. The recurring theme of cryptojacking campaigns against such databases is a clear testament to the resilience and adaptability of these threats.

Researchers from Aqua Nautilus recently discovered a new strain of malware that specifically targets PostgreSQL servers in order to install cryptocurrency miners.

The security company identified approximately 800,000 servers that might be susceptible to a cryptocurrency mining attack focused on PostgreSQL, a widely used open-source database system that handles data storage, management, and retrieval for numerous applications.

According to a research report recently shared with crypto.news, the malware, dubbed “PG_MEM,” begins its operation by launching a brute-force attack against PostgreSQL databases, successfully breaking into databases protected by weak passwords.

Once the malware gains entry, it creates a high-level user account with administrative rights, giving it complete control over the database and locking other users out. With this control, the malware runs shell commands on the host machine, which allows it to download and install further malicious payloads.
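The intrusion chain described above leaves a recognizable trail in the PostgreSQL server log: a burst of failed password logins from one client, followed by a successful login from that same client and a DDL statement that creates a superuser role. The following Python script is an added detection example, not code from the report or from Aqua Nautilus. The log excerpt is constructed, and it assumes the server was configured with `log_line_prefix = '%m [%p] %h '`, `log_connections = on` and `log_statement = 'ddl'`, so that the remote host appears on every line and role creation is logged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report). Assumed logging configuration:
# log_line_prefix = '%m [%p] %h ', log_connections = on, log_statement = 'ddl'.
SAMPLE_LOG = """\
2024-08-21 10:00:01.000 UTC [4101] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:03.000 UTC [4102] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:05.000 UTC [4103] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:07.000 UTC [4104] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:09.000 UTC [4105] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-21 10:00:11.000 UTC [4106] 203.0.113.5 LOG:  connection authorized: user=postgres database=postgres
2024-08-21 10:00:12.000 UTC [4106] 203.0.113.5 LOG:  statement: CREATE ROLE maint_svc SUPERUSER LOGIN PASSWORD 'x'
2024-08-21 10:05:00.000 UTC [4200] 198.51.100.7 FATAL:  password authentication failed for user "app"
2024-08-21 10:06:00.000 UTC [4201] 198.51.100.7 LOG:  connection authorized: user=app database=app
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \w+) "
    r"\[(?P<pid>\d+)\] (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAILED_AUTH = "password authentication failed for user"
AUTHORIZED = "connection authorized:"
# Any CREATE/ALTER ROLE|USER statement that grants SUPERUSER.
SUPERUSER_DDL = re.compile(r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*\bSUPERUSER\b", re.IGNORECASE)


def parse_log(text):
    """Turn log lines into dicts; lines without the expected prefix (e.g. DETAIL) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f %Z")
        events.append(ev)
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Hosts with at least `threshold` failed password logins inside any sliding `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["level"] == "FATAL" and FAILED_AUTH in ev["msg"]:
            failures[ev["host"]].append(ev["ts"])
    flagged = []
    for host, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(host)
                break
    return sorted(flagged)


def superuser_grants(events):
    """(host, statement) pairs for logged DDL that creates or promotes a superuser."""
    return [(ev["host"], ev["msg"]) for ev in events
            if ev["level"] == "LOG" and SUPERUSER_DDL.search(ev["msg"])]


def compromised_candidates(events, **kwargs):
    """Brute-forcing hosts that later obtained an authorized connection: likely successful guesses."""
    suspects = set(brute_force_sources(events, **kwargs))
    first_failure = {}
    for ev in events:
        if ev["host"] in suspects and FAILED_AUTH in ev["msg"]:
            first_failure.setdefault(ev["host"], ev["ts"])
    hits = {ev["host"] for ev in events
            if ev["host"] in first_failure and AUTHORIZED in ev["msg"]
            and ev["ts"] > first_failure[ev["host"]]}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(evs))
    print("superuser DDL:", superuser_grants(evs))
    print("brute-force followed by login:", compromised_candidates(evs))
```

Run against the constructed excerpt, the script flags 203.0.113.5 as a brute-force source that subsequently logged in and created a superuser role, while the single failure from 198.51.100.7 stays below the threshold. The threshold and window are starting points; tune them to the normal failure rate of the environment.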

According to the report, the payload contains two files intended to help the malware evade detection, configure the system for cryptocurrency mining, and launch the XMRIG tool, which is used to mine Monero (XMR).

XMRIG is frequently employed by malicious actors because of Monero’s difficult-to-track transactions. In a cryptojacking attack last year, an educational platform was breached, and the attackers secretly planted a script that installed XMRIG on every visitor’s device.

Malware hijacks PostgreSQL servers to deploy crypto miners

Researchers found that the malware deletes the server’s existing scheduled tasks (cron jobs), which run automatically at set intervals, and then installs new ones to make sure the cryptocurrency miner keeps running continuously.

As a savvy crypto investor, I understand how this mechanism enables malware to persist in its operations, whether the server is rebooted or certain processes are momentarily paused. To avoid detection, it systematically erases crucial files and records that could potentially reveal its footprints on the server, thus staying under the radar.
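Because the persistence step replaces the host’s cron jobs, a simple defensive check is to compare the current crontab against a known-good baseline and flag both what disappeared and what was added, with extra attention to entries that run every minute or at boot (keepalive-style schedules) or that launch something from a world-writable temporary directory. The script below is an added example, not code from the report; the baseline and current crontab dumps are constructed, and the heuristics are assumptions about what a persistence job typically looks like rather than indicators from the campaign.

```python
import re

# Constructed crontab dumps (not from the report). A real check would read
# `crontab -l` output or the files under /etc/cron.d and /var/spool/cron.
BASELINE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 2 * * * /usr/local/bin/pg_backup.sh
30 4 * * 0 /usr/bin/vacuumdb --all --analyze
"""
CURRENT_CRONTAB = """\
SHELL=/bin/sh
* * * * * /tmp/.hidden/start.sh >/dev/null 2>&1
"""

# Heuristics (assumptions, not campaign indicators).
KEEPALIVE_SCHEDULES = {"* * * * *", "@reboot"}
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ENV_ASSIGNMENT = re.compile(r"^\w+=")


def parse_crontab(text):
    """Return (schedule, command) tuples, skipping comments, blanks and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            sched, cmd = line.split(None, 1)
        else:
            parts = line.split(None, 5)          # five time fields + command
            if len(parts) < 6:
                continue                         # malformed entry; ignore
            sched, cmd = " ".join(parts[:5]), parts[5]
        jobs.append((sched, cmd.strip()))
    return jobs


def cron_drift(baseline_text, current_text):
    """Jobs removed from the baseline and jobs that were added since it was taken."""
    base = set(parse_crontab(baseline_text))
    cur = set(parse_crontab(current_text))
    return {"removed": sorted(base - cur), "added": sorted(cur - base)}


def suspicious_jobs(jobs):
    """Attach a list of reasons to each job that matches a persistence heuristic."""
    findings = []
    for sched, cmd in jobs:
        reasons = []
        if sched in KEEPALIVE_SCHEDULES:
            reasons.append("keepalive-style schedule (every minute or at boot)")
        if any(tok.startswith(TMP_DIRS) for tok in cmd.split()):
            reasons.append("command launched from a temporary directory")
        if reasons:
            findings.append((sched, cmd, reasons))
    return findings


if __name__ == "__main__":
    drift = cron_drift(BASELINE_CRONTAB, CURRENT_CRONTAB)
    print("removed:", drift["removed"])
    print("added:  ", drift["added"])
    for sched, cmd, reasons in suspicious_jobs(parse_crontab(CURRENT_CRONTAB)):
        print(f"suspicious: [{sched}] {cmd} -> {', '.join(reasons)}")
```

On the constructed input the check reports that both legitimate maintenance jobs were removed and that a single every-minute job launched from /tmp was added, which is exactly the pattern of wiping existing cron jobs and replacing them with a miner keepalive. The baseline should be captured from a clean build and stored off the host, since the malware also removes local files that could reveal its presence.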

Researchers have cautioned that although the main objective of the campaign is to install a cryptocurrency miner, it’s crucial to note that the attackers additionally seize command over the compromised server, emphasizing the gravity of this situation.

Cryptojacking attacks that specifically target PostgreSQL databases have surfaced repeatedly over the years. In 2020, researchers from Palo Alto Networks’ Unit 42 uncovered a similar campaign involving the PgMiner botnet, and in 2018 the StickyDB botnet was found to have infiltrated servers to mine Monero.

2024-08-21 15:24