Article Details
Ongoing Cryptojacking Campaign
Exposed PostgreSQL instances are being targeted in an ongoing campaign aimed at gaining unauthorized access and deploying cryptocurrency miners. According to cloud security firm Wiz, this activity is a variant of an intrusion set first identified by Aqua Security in August 2024, involving the use of a malware strain known as PG_MEM. The campaign has been attributed to a threat actor tracked by Wiz as JINX-0126.
Evolution of the Threat Actor
"The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly – likely to evade detection by cloud workload protection platform solutions that rely solely on file hash reputation," researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski noted.
Extent of the Campaign
Wiz has revealed that the campaign has likely claimed over 1,500 victims to date. This indicates that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become an attack target for opportunistic threat actors.
Attack Techniques
The most distinctive aspect of the campaign is the abuse of the COPY … FROM PROGRAM SQL command to execute arbitrary shell commands on the host.
Post-Exploitation Activities
The access afforded by the successful exploitation of weakly configured PostgreSQL services is used to conduct preliminary reconnaissance and drop a Base64-encoded payload. This payload is, in reality, a shell script that kills competing cryptocurrency miners and drops a binary named PG_CORE.
Additional Malware
Also downloaded to the server is an obfuscated Golang binary codenamed postmaster, which mimics the legitimate PostgreSQL multi-user database server. It’s designed to set up persistence on the host using a cron job, create a new role with elevated privileges, and write another binary called cpu_hu to disk.
Deployment of Cryptocurrency Miner
cpu_hu downloads the latest version of the XMRig miner from GitHub and launches it filelessly via a known Linux fileless technique referred to as memfd.
Campaign Impact
"The threat actor is assigning a unique mining worker to each victim," Wiz said, adding it identified three different wallets linked to the threat actor. "Each wallet had approximately 550 workers. Combined, this suggests that the campaign could have leveraged over 1,500 compromised machines."
Source Link
