Close Menu
Invest Intellect
    Facebook X (Twitter) Instagram
    Invest Intellect
    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Commodities
    • Cryptocurrency
    • Fintech
    • Investments
    • Precious Metal
    • Property
    • Stock Market
    Invest Intellect
    Home»Cryptocurrency»New Malware Hidden Within PostgreSQL Process Deploys Cryptocurrency Miners
    Cryptocurrency

    New Malware Hidden Within PostgreSQL Process Deploys Cryptocurrency Miners

    August 22, 20243 Mins Read


    New Malware Hidden Within PostgreSQL Process Deploys Cryptocurrency Miners

    A successful brute-force attack on a PostgreSQL database exploited a feature that allowed command execution, where the attacker created a superuser role, dropped files to eliminate competition and gain persistence, and ultimately deployed cryptocurrency miners. 

    The attack demonstrates the severe consequences of weak passwords and the potential for unauthorized access to a database to lead to significant security breaches.


    EHA
    Attack flow in PG_MEM

    An attacker successfully breached the system through a brute-force attack on the PostgreSQL database. After gaining access, they created a new superuser account with elevated privileges to maintain persistence.

    Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

    They then stripped the initial compromised user of superuser rights to limit potential damage from future attacks.

    To gather information about the system, the attacker executed commands to locate the authentication configuration file, determine the PostgreSQL server version, and run system commands like `uname` and `whoami`. 

    The compilation of commands aimed at   the system

    The threat actor leverages a temporary table to execute shell commands and store the output by establishing a TCP connection to a remote server to download two malicious payloads, pg_core and pg_mem. 

    The first payload, pg_core, is a cryptominer that mines cryptocurrency, while the second payload, pg_mem, is a dropper that deploys the XMRIG cryptominer, memory. 

    Both payloads are designed to evade detection by removing logs, killing competing malware processes, and creating persistence through cron jobs. The threat actor also modifies the pg_hba configuration file to allow unauthorized connections.

    Mining cryptocurrency data

    A recent Shodan search revealed over 800,000 publicly accessible PostgreSQL databases on the internet, highlighting a significant security risk and making them vulnerable to brute-force attacks and potential exploitation. 

    This discovery underscores the urgent need for organizations to implement robust security measures to protect their database servers from unauthorized access.

    The attackers exploited a vulnerability in the Postgres database to gain initial access to the target system, which aligns with the T1190 technique, which involves exploiting public-facing applications to compromise systems. 

    According to AquaSec, by leveraging this vulnerability, the attackers were able to bypass security measures and establish a foothold within the target environment.

    component of the attack

    The attacker initiates a targeted attack against a PostgreSQL database server by exploiting a vulnerability in the database to execute shell commands, create a new user account with elevated privileges, and manipulate existing user roles. 

    To maintain persistence, they schedule a task to run a malicious script and delete evidence of their activity, and then leverage the elevated privileges to execute commands as a superuser. 

    By guessing the database credentials, they gain unauthorized access by collecting sensitive data, and the attacker downloads malicious files from a remote server and uses web protocols to establish communication, ultimately hijacking system resources for cryptocurrency mining.

    Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

    Related Posts

    Africa, Caribbean consider developing digital currency to enhance trade

    Cryptocurrency

    Cryptocurrency Live News & Updates : Powell Remains Silent on Future Fed Role

    Cryptocurrency

    WinnerMining: Are cryptocurrency fluctuations making people panic? No, it’s the business opportunities of cloud mining.

    Cryptocurrency

    A new cloud mining solution is launched globally, redefining the passive income model of cryptocurrency

    Cryptocurrency

    NCB busts top darknet-based drug vendor; seizes drugs and cryptocurrency

    Cryptocurrency

    Hyperscale Data Subsidiary Ault Markets to Launch U.S.-Based Global Decentralized Cryptocurrency Exchange

    Cryptocurrency
    Leave A Reply Cancel Reply

    Top Picks
    Fintech

    TradeGo FinTech dit qu’elle intègre complètement DeepSeek pour améliorer l’autonomisation de l’IA FinTech -Le 17 février 2025 à 16:24

    Fintech

    PhotonPay joins Tribe Payments to offer Issuer Processing services

    Investments

    Comment la prévision des tempêtes et des canicules fait des bonds grâce à l’IA

    Editors Picks

    Hong Kong rolls out policy statement, moves to nurture fintech

    October 29, 2024

    Short Interest in Harbour Energy plc (OTCMKTS:HBRIY) Expands By 57.1%

    July 29, 2024

    SchiffGold Friday Gold Wrap October 18 2024

    October 19, 2024

    ECB Prepping The Ground For Digital Euro Launch

    March 17, 2025
    What's Hot

    Bitcoin As A Reserve Asset? Senator Cynthia Lummis Fuels Speculation

    July 26, 2024

    sept talents aux parcours inspirants en 2025

    May 27, 2025

    Cannes Lions 2025 : Un Silver pour Publicis Conseil et Orange en Creative Commerce – Image

    June 19, 2025
    Our Picks

    Real Madrid, une arrivée de choix annoncée

    May 9, 2025

    Prothèses d’épaules imprimées en 3D : un processus plus durable

    April 16, 2025

    Energy company shut down after years of violations – BizWest

    August 19, 2024
    Weekly Top

    WinnerMining: Are cryptocurrency fluctuations making people panic? No, it’s the business opportunities of cloud mining.

    July 1, 2025

    L’Algérie parmi les 10 premières puissances énergétiques mondiales en 2024

    July 1, 2025

    Emperor’s US$2 billion debt woes reflect Hong Kong’s worsening property market risks

    July 1, 2025
    Editor's Pick

    Global commodity open interest value drops to 5-month low amid macro contagion – JPM

    August 6, 2024

    Yunnan Copper suspend la cotation de ses actions dans le cadre d’un projet d’acquisition de participation

    May 12, 2025

    Le système de retraite des employés de la ville de New York sollicite les procurations des actionnaires d’Alliant Energy Corporation

    May 8, 2025
    © 2025 Invest Intellect
    • Contact us
    • Privacy Policy
    • Terms and Conditions

    Type above and press Enter to search. Press Esc to cancel.