
Cybercriminals are actively exploiting misconfigured PostgreSQL servers to deploy a fileless cryptominer, with over 1,500 systems compromised. Security researchers at Wiz Threat Research have identified this evolving campaign, linked to the threat actor JINX-0126, which leverages weak PostgreSQL credentials to inject malicious payloads and mine cryptocurrency undetected.
Threat to Cloud Environments
PostgreSQL, a widely used database management system, has become a prime target due to the prevalence of weak configurations. According to Wiz’s research, nearly 90% of cloud environments self-host PostgreSQL instances, and a third of them have at least one publicly exposed server. These insecure setups create an easy entry point for attackers to deploy XMRig-C3 cryptominers without detection.
First documented by Aqua Security, the attack has since evolved with new evasion techniques. JINX-0126 ensures each binary has a unique hash per target, making signature-based detection difficult. Additionally, the cryptominer is executed filelessly to bypass traditional endpoint protection solutions that rely on file reputation.
How the Attack Works
The attack begins with cybercriminals scanning the internet for weakly secured PostgreSQL servers. Once an exposed instance is found, attackers attempt to log in using default or easily guessed credentials. Successful authentication lets them abuse the PostgreSQL COPY … FROM PROGRAM command, which runs a shell command on the database host and so gives them remote command execution.
Step-by-Step Attack Breakdown:
Initial Access: Attackers gain entry by exploiting weak PostgreSQL login credentials.
Discovery: Basic system reconnaissance commands (e.g., whoami, uname) are executed.
Payload Deployment: A dropper script is delivered using base64 encoding to avoid detection.
Killing Rival Miners: The script terminates existing cryptominers to monopolize system resources.
Dropping Malicious Binaries: The malware downloads a disguised binary (pg_core) that executes and deletes itself.
Persistence Mechanisms: A fake PostgreSQL process named postmaster is installed to blend in and maintain control.
Data Exfiltration: The malware gathers system information, including credentials and IP details.
Mining Initiation: The final payload (cpu_hu) executes the XMRig-C3 cryptominer directly in memory.
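One way a defender can spot the COPY … FROM PROGRAM abuse described above is in PostgreSQL's own statement log. The following is an added example, not code from the Wiz report or from PostgreSQL; it assumes log_statement = 'all' with the default-style log prefix, and the sample log lines are constructed.

```python
import re

# Constructed sample of a PostgreSQL server log with log_statement = 'all'
# (not a capture from the campaign described in the article).
SAMPLE_LOG = """\
2025-04-01 10:00:01 UTC [1201] postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2025-04-01 10:00:02 UTC [1201] postgres@postgres LOG:  statement: SELECT version();
2025-04-01 10:00:03 UTC [1201] postgres@postgres LOG:  statement: COPY (SELECT '') TO PROGRAM 'whoami; uname -a';
2025-04-01 10:00:04 UTC [1201] postgres@postgres LOG:  statement: CREATE TABLE t(c text);
2025-04-01 10:00:05 UTC [1201] postgres@postgres LOG:  statement: copy t from program 'echo aGk= | base64 -d';
2025-04-01 10:00:06 UTC [1309] app@inventory LOG:  statement: COPY items FROM '/var/lib/postgresql/items.csv';
"""

# Fields of the default-style log prefix followed by a logged statement.
STATEMENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"LOG:  statement: (?P<sql>.*)$"
)
# COPY ... FROM PROGRAM / TO PROGRAM in any case; a COPY from a file path
# (last sample line) is ordinary bulk loading and must not match.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)
# Fragments that turn the shell command into a dropper: decoding an embedded
# payload (the base64 step in the article) or fetching one from the network.
DROPPER_HINTS = ("base64 -d", "base64 --decode", "curl ", "wget ")

def find_copy_program(log_text):
    """Return one record per logged statement that runs a program via COPY."""
    hits = []
    for line in log_text.splitlines():
        m = STATEMENT_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        if not COPY_PROGRAM_RE.search(sql):
            continue
        hits.append({
            "pid": int(m.group("pid")),
            "user": m.group("user"),
            "db": m.group("db"),
            "sql": sql,
            "dropper_like": any(h in sql for h in DROPPER_HINTS),
        })
    return hits

if __name__ == "__main__":
    for hit in find_copy_program(SAMPLE_LOG):
        flag = "DROPPER?" if hit["dropper_like"] else "EXEC"
        print(f"[{flag}] pid={hit['pid']} {hit['user']}@{hit['db']}: {hit['sql']}")
```

Any hit from a role that has no business running server-side programs is worth an alert on its own; the dropper flag only prioritises the ones that look like payload delivery.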
Advanced Techniques for Stealth
This campaign incorporates several advanced tactics to evade detection:
Fileless Execution: The cryptominer runs in memory without leaving traces on disk.
Process Masquerading: The malware mimics legitimate PostgreSQL processes to avoid suspicion.
Self-Destruct Mechanisms: Once executed, the binary deletes itself to remove forensic evidence.
Persistence via Cronjobs: The attacker sets up scheduled tasks to relaunch the malware if terminated.
Encrypted Configuration: The attacker appends encrypted configuration data to the binary to prevent analysis.
Blocking External Access: The malware modifies the PostgreSQL configuration to prevent other attackers from hijacking the system.

Evidence of Widespread Infections
By tracking the attacker’s wallets through C3Pool statistics, Wiz researchers estimate that at least 1,500 victims have been impacted. Each compromised server is assigned a unique mining worker ID, further indicating the scale of the attack.
Security experts warn that the actual number of compromised systems could be higher, as many infected instances may go undetected due to the malware’s stealth techniques. The attackers appear to be continuously refining their methods, indicating that this campaign is far from over.
Mitigation
To protect PostgreSQL servers from such attacks, organizations should take the following precautions:
Enforce Strong Credentials: Replace default PostgreSQL passwords with complex, unique ones.
Restrict Public Exposure: Ensure that database instances are not accessible from the internet unless absolutely necessary.
Apply Access Controls: Implement firewall rules and network segmentation to restrict unauthorized access.
Monitor for Anomalous Activity: Use threat detection tools to spot unusual database activity.
Regularly Patch and Update: Keep PostgreSQL and related software up to date to mitigate vulnerabilities.
Disable COPY FROM PROGRAM: If not needed, restrict this command to prevent command execution exploits.
Use Cloud Security Posture Management (CSPM) Solutions: These tools can help detect and remediate misconfigurations before they can be exploited.
Deploy Behavioral Analysis Tools: Advanced monitoring solutions that detect anomalous behavior can help identify stealthy fileless attacks.
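A defender-side check for the exposure and credential settings the list above calls out: it flags pg_hba.conf host rules that admit the whole internet or use a weak authentication method, and a listen_addresses that binds every interface. This is an added example, not code from Wiz or the PostgreSQL project; the configuration fragments are constructed.

```python
import ipaddress

# Constructed configuration fragments for illustration (not from a real server).
SAMPLE_POSTGRESQL_CONF = """\
listen_addresses = '*'        # accept connections on every interface
port = 5432
"""

SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       10.0.0.0/8     scram-sha-256
host    all       all       0.0.0.0/0      md5
host    all       postgres  ::/0           trust
"""

# trust = no password at all; password = cleartext on the wire; md5 = legacy
# challenge scheme that PostgreSQL recommends replacing with scram-sha-256.
WEAK_METHODS = {"trust", "password", "md5"}

def audit_pg_hba(text):
    """Flag host-type rules reachable from the whole internet or using a weak method."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("host"):      # covers host, hostssl, hostnossl, hostgssenc
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        _type, _db, _user, addr, method = parts[:5]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue  # hostnames and samehost/samenet keywords are not handled here
        reasons = []
        if net.prefixlen == 0:
            reasons.append("address covers the whole internet")
        if method in WEAK_METHODS:
            reasons.append(f"weak auth method {method}")
        if reasons:
            findings.append({"line": lineno, "address": addr, "method": method, "reasons": reasons})
    return findings

def listens_on_all_interfaces(conf_text):
    """True if listen_addresses binds every interface (PostgreSQL's default is 'localhost')."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("listen_addresses"):
            value = line.split("=", 1)[1].strip().strip("'\"")
            addrs = {a.strip() for a in value.split(",")}
            return bool(addrs & {"*", "0.0.0.0", "::"})
    return False
```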
Conclusion
The JINX-0126 campaign highlights the dangers of misconfigured PostgreSQL servers and the rising threat of fileless malware. With over 1,500 compromised machines already, the importance of securing cloud environments cannot be overstated. Organizations must take immediate action to reinforce database security, limit exposure, and monitor for signs of compromise. By implementing strong access controls and regular monitoring, businesses can defend against evolving cryptojacking threats.
By optimizing security practices, organizations can prevent cybercriminals from turning their cloud resources into profit-generating cryptomining machines. With continued vigilance and proactive security measures, businesses can stay ahead of emerging threats and safeguard their infrastructure from stealthy cyberattacks.