Researchers at Aqua Nautilus have documented PG_MEM, a malware campaign that targets PostgreSQL databases. The attackers brute-force database credentials, use the compromised database to execute commands on the underlying host, drop payloads that conceal themselves among legitimate PostgreSQL processes, and ultimately steal data while mining cryptocurrency on the victim's hardware.
PostgreSQL (Postgres) is a widely used open-source relational database management system known for its flexibility and reliability, and that popularity makes internet-exposed instances an attractive target. The attack Aqua Nautilus describes does not depend on a software flaw in PostgreSQL: it abuses servers that are reachable from the internet and protected only by weak or guessable passwords, which the attackers find by repeatedly trying credentials until one is accepted. Once authenticated, the attacker runs operating-system commands through the SQL statement COPY … FROM PROGRAM, which instructs the database server to execute a shell command and read its output as table data. The command runs as the operating-system account the database server itself runs under (typically postgres), which is what turns a database login into the ability to download and run malware or exfiltrate data. PostgreSQL restricts that statement to superusers and members of the pg_execute_server_program role, so a brute-forced low-privilege account is of limited use on its own; a brute-forced superuser account, or any path to one, gives the attacker the whole host.
The PG_MEM attack flow has three stages. First, the attacker brute-forces the PostgreSQL login, making repeated connection attempts until a username and password pair is accepted. Second, the attacker creates a new role with the SUPERUSER attribute; this does not hide the intrusion so much as guarantee continued access, because the attacker-owned role survives even if the guessed password on the original account is later changed. Third, the attacker uses PostgreSQL's own command-execution capability to gather information about the host and to download and execute the malicious payloads, which then mine cryptocurrency while trying to stay out of sight.
PG_MEM acts as a dropper for the XMRig cryptocurrency miner, which consumes the compromised host's CPU to mine for the attacker. Persistence at the operating-system level comes from cron jobs that re-run PG_MEM, so the miner is restored after a reboot or after a process is killed, and the attacker keeps control of the server for as long as the cron entries and the superuser role remain in place.
The discovery of PG_MEM underscores how exposed PostgreSQL servers are: a search on Shodan, a search engine for internet-connected devices, turned up more than 800,000 publicly accessible databases. The attack maps onto several techniques in the MITRE ATT&CK framework, including Exploit Public-Facing Application (T1190), Command and Scripting Interpreter (T1059), Account Manipulation (T1098) and Resource Hijacking (T1496). Mapping the chain to those techniques is useful because each one suggests a concrete detection or control.
Organizations should defend against PG_MEM and similar campaigns in depth rather than with a single control. The most effective step is to keep the database off the public internet: restrict listening addresses and pg_hba.conf entries to known networks, and require scram-sha-256 rather than md5 or trust authentication. Enforce strong passwords, run applications as non-superuser roles, and periodically audit which roles hold SUPERUSER or membership in pg_execute_server_program, since those are exactly the privileges COPY … FROM PROGRAM requires. Enable connection and statement logging so that failed-login bursts, new superuser roles and COPY … FROM PROGRAM statements are visible, and pair that with runtime detection and response tooling (Aqua recommends its own Runtime Protection) to catch suspicious host behaviour such as unexpected child processes of the database server or new cron entries.
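As an added illustration of what detection of this attack chain can look like in practice, the script below (written for this article, not code from Aqua Nautilus or the PG_MEM report) scans PostgreSQL server logs for the three stages described earlier: a burst of failed password logins followed by a successful login as the same role, a CREATE or ALTER ROLE that grants SUPERUSER, and a COPY … FROM PROGRAM statement (or a GRANT of pg_execute_server_program). It assumes the server is configured with log_line_prefix = '%m [%p] %u@%d ', log_connections = on and log_statement = 'mod'; the sample log lines, the role name svc_backup and the command are constructed for the example and do not come from a real incident.

```python
"""Flag the PG_MEM attack stages in PostgreSQL server logs: a password brute force,
a new SUPERUSER role, and host command execution via COPY ... FROM PROGRAM.

Added example, not code from Aqua Nautilus or the article. Assumed postgresql.conf
settings (the article names none):
    log_line_prefix = '%m [%p] %u@%d '
    log_connections = on
    log_statement = 'mod'      # logs DDL (CREATE ROLE, GRANT) plus COPY ... FROM
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>\S+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(r'^password authentication failed for user "(?P<user>[^"]+)"')
AUTH_OK_RE = re.compile(r"^connection authorized: user=(?P<user>\S+)")
# \bSUPERUSER\b does not match inside NOSUPERUSER, so revoking the attribute is not flagged.
SUPERUSER_RE = re.compile(r"^statement:\s+(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*\bSUPERUSER\b", re.I)
PROGRAM_RE = re.compile(
    r"^statement:\s+(?:COPY\b.*\bFROM\s+PROGRAM\b|GRANT\b.*\bpg_execute_server_program\b)", re.I)

@dataclass
class Entry:
    ts: datetime
    pid: int
    user: str
    db: str
    level: str
    msg: str

@dataclass
class Finding:
    stage: str
    ts: datetime
    detail: str

def parse_log(text):
    """Parse prefixed log lines; lines without the expected prefix are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), int(m["pid"]),
                                 m["user"], m["db"], m["level"], m["msg"]))
    return entries

def detect_brute_force(entries, threshold=5, window=timedelta(seconds=60)):
    """Stage 1: `threshold` failed password logins for one role inside `window`,
    then whether a successful login for that role follows while the burst is recent."""
    findings, recent, flagged = [], {}, set()   # recent: role -> failure timestamps in window
    for e in entries:
        fail = AUTH_FAIL_RE.match(e.msg)
        if fail and e.level == "FATAL":
            user = fail["user"]
            times = [t for t in recent.get(user, []) if e.ts - t <= window] + [e.ts]
            recent[user] = times
            if len(times) >= threshold and user not in flagged:
                flagged.add(user)
                findings.append(Finding("brute_force", e.ts,
                    f"{len(times)} failed logins for role {user!r} within {int(window.total_seconds())}s"))
            continue
        ok = AUTH_OK_RE.match(e.msg)
        if ok and ok["user"] in flagged:
            user = ok["user"]
            gap = e.ts - recent[user][-1]
            if gap <= window:
                findings.append(Finding("brute_force_success", e.ts,
                    f"login as {user!r} succeeded {int(gap.total_seconds())}s after the failure burst"))
            flagged.discard(user)   # one alert per burst
    return findings

def detect_statements(entries):
    """Stages 2 and 3: a role given SUPERUSER, and server-side command execution
    via COPY ... FROM PROGRAM (or a GRANT of the role that permits it)."""
    findings = []
    for e in entries:
        if SUPERUSER_RE.match(e.msg):
            findings.append(Finding("superuser_role", e.ts, f"{e.user}@{e.db}: {e.msg}"))
        elif PROGRAM_RE.match(e.msg):
            findings.append(Finding("program_execution", e.ts, f"{e.user}@{e.db}: {e.msg}"))
    return findings

def analyze(log_text):
    entries = parse_log(log_text)
    return sorted(detect_brute_force(entries) + detect_statements(entries), key=lambda f: f.ts)

# Constructed sample log (not from a real incident); the role name and command are invented.
SAMPLE_LOG = """\
2024-08-20 10:00:01.001 UTC [4101] postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.310 UTC [4102] postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:03.520 UTC [4103] postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:04.730 UTC [4104] postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:05.940 UTC [4105] postgres@postgres FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:07.150 UTC [4106] postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:08.000 UTC [4106] postgres@postgres LOG:  statement: CREATE ROLE svc_backup WITH LOGIN SUPERUSER PASSWORD 'redacted'
2024-08-20 10:00:09.000 UTC [4106] postgres@postgres LOG:  statement: COPY tmp FROM PROGRAM 'uname -a'
2024-08-20 10:05:00.000 UTC [4200] app@shop LOG:  statement: CREATE TABLE orders_2024 (id int)
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts:%H:%M:%S} {f.stage:<20} {f.detail}")
```

Two caveats for anyone adapting this. The brute-force rule keys on the role name because that is all the assumed prefix exposes; in production, add %h (client address) to log_line_prefix and key on that, or a legitimate user's typos followed by a real login will look like a successful brute force at low thresholds. And with log_statement set to 'mod' or 'all', PostgreSQL writes CREATE ROLE statements, passwords included, into the log in plaintext, so the log files themselves need the same access controls as the database.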
In short, PG_MEM threatens PostgreSQL deployments not through a novel exploit but by chaining ordinary weaknesses: an exposed port, a guessable password, and a powerful built-in feature that hands the attacker the host. Understanding that chain, and closing each link with network restrictions, strong authentication, least-privilege roles and logging that makes the attacker's steps visible, lets organizations protect their data and keep their databases from becoming someone else's mining rig.