Close Menu
Invest Intellect
    Facebook X (Twitter) Instagram
    Invest Intellect
    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Commodities
    • Cryptocurrency
    • Fintech
    • Investments
    • Precious Metal
    • Property
    • Stock Market
    Invest Intellect
    Home»Cryptocurrency»New Malware Hidden Within PostgreSQL Process Deploys Cryptocurrency Miners
    Cryptocurrency

    New Malware Hidden Within PostgreSQL Process Deploys Cryptocurrency Miners

    August 22, 20243 Mins Read


    New Malware Hidden Within PostgreSQL Process Deploys Cryptocurrency Miners

    A successful brute-force attack on a PostgreSQL database exploited a feature that allowed command execution, where the attacker created a superuser role, dropped files to eliminate competition and gain persistence, and ultimately deployed cryptocurrency miners. 

    The attack demonstrates the severe consequences of weak passwords and the potential for unauthorized access to a database to lead to significant security breaches.


    EHA
    Attack flow in PG_MEM

    An attacker successfully breached the system through a brute-force attack on the PostgreSQL database. After gaining access, they created a new superuser account with elevated privileges to maintain persistence.

    Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

    They then stripped the initial compromised user of superuser rights to limit potential damage from future attacks.

    To gather information about the system, the attacker executed commands to locate the authentication configuration file, determine the PostgreSQL server version, and run system commands like `uname` and `whoami`. 

    The compilation of commands aimed at   the system

    The threat actor leverages a temporary table to execute shell commands and store the output by establishing a TCP connection to a remote server to download two malicious payloads, pg_core and pg_mem. 

    The first payload, pg_core, is a cryptominer that mines cryptocurrency, while the second payload, pg_mem, is a dropper that deploys the XMRIG cryptominer, memory. 

    Both payloads are designed to evade detection by removing logs, killing competing malware processes, and creating persistence through cron jobs. The threat actor also modifies the pg_hba configuration file to allow unauthorized connections.

    Mining cryptocurrency data

    A recent Shodan search revealed over 800,000 publicly accessible PostgreSQL databases on the internet, highlighting a significant security risk and making them vulnerable to brute-force attacks and potential exploitation. 

    This discovery underscores the urgent need for organizations to implement robust security measures to protect their database servers from unauthorized access.

    The attackers exploited a vulnerability in the Postgres database to gain initial access to the target system, which aligns with the T1190 technique, which involves exploiting public-facing applications to compromise systems. 

    According to AquaSec, by leveraging this vulnerability, the attackers were able to bypass security measures and establish a foothold within the target environment.

    component of the attack

    The attacker initiates a targeted attack against a PostgreSQL database server by exploiting a vulnerability in the database to execute shell commands, create a new user account with elevated privileges, and manipulate existing user roles. 

    To maintain persistence, they schedule a task to run a malicious script and delete evidence of their activity, and then leverage the elevated privileges to execute commands as a superuser. 

    By guessing the database credentials, they gain unauthorized access by collecting sensitive data, and the attacker downloads malicious files from a remote server and uses web protocols to establish communication, ultimately hijacking system resources for cryptocurrency mining.

    Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

    Related Posts

    Innovative Chinese dissident uses cryptocurrency to fund his activism

    Cryptocurrency

    When is the next Blue Origin launch? Crypto billionaire joins crew

    Cryptocurrency

    CBUAE publishes comprehensive report on progress made towards issuing the “Digital Dirham”

    Cryptocurrency

    Hackers wipe out Rs 384 crore from Bengaluru cryptocurrency firm Neblio Technologies; company says inside job | Bangalore News

    Cryptocurrency

    Zaggle acquires Rio Money to expand into digital consumer lending

    Cryptocurrency

    PowerBank and Intellistake Announce Strategic Alliance to Pioneer Digital Currencies, including Bitcoin Treasury Integration and RWA Tokenization

    Cryptocurrency
    Leave A Reply Cancel Reply

    Top Picks
    Commodities

    MO State Fair continues to have agriculture at the core

    Investments

    As alternative investments go mainstream, investor education is a must

    Cryptocurrency

    Understanding Digital Currencies and Their Local Impact – Muddy River News

    Editors Picks

    China’s Nuanced Outlook May Favor Corporate Bonds

    August 10, 2024

    Saviez-vous qu’un roi faisait fabriquer ses tiges de métal dans le Cotatay ?

    June 6, 2025

    Business Extra: How FinTech is evolving in the Middle East

    August 14, 2024

    Financement immobilier sur internet : offre intégrée entre les fintechs Yomoni et Pretto

    February 27, 2025
    What's Hot

    Okx Cryptomonnaies Parent Aux Cayes Fintech Confirme Le Règlement… -Le 24 février 2025 à 22:41

    February 24, 2025

    Nate Silver Explains Why He Feels Trump Is ‘Way Too Old’ for Presidency

    October 18, 2024

    Helix Nebula (HXN) Is Now Available for Trading on LBank Exchange

    August 5, 2024
    Our Picks

    LBCC breaks ground on $14 million agricultural center

    May 28, 2025

    Does New Jersey still have the nation’s highest property tax rates?

    March 14, 2025

    Immobilier de bureaux : comment la crise sanitaire a changé la donne en Lorraine

    April 6, 2025
    Weekly Top

    Order your exclusive Scars On Broadway t-shirt and Daron Malakian Metal Hammer cover now

    July 31, 2025

    Transforming Fintech: The Future of Application Security

    July 31, 2025

    TSX Dividend Stocks To Consider In July 2025

    July 31, 2025
    Editor's Pick

    2nd Taqah Agricultural Forum to promote food security and rural development

    June 25, 2025

    Agricultural productivity growth sluggish since 2000: ABARES

    July 24, 2024

    Silver is the metal of the next few years

    March 2, 2025
    © 2025 Invest Intellect
    • Contact us
    • Privacy Policy
    • Terms and Conditions

    Type above and press Enter to search. Press Esc to cancel.