Aug 22, 2024 | Ravie Lakshmanan | Database Security / Cryptocurrency
Unpacking PG_MEM: A New Malware Strain Targeting PostgreSQL Databases
Cybersecurity researchers have recently discovered a sophisticated malware strain called PG_MEM that focuses on infiltrating PostgreSQL database instances to mine cryptocurrency.
According to Aqua security researcher Assaf Morag, PG_MEM gains access to PostgreSQL by brute force, repeatedly guessing database credentials until a login succeeds, which works against instances protected only by weak passwords. Once inside, the attackers can use the COPY … FROM PROGRAM SQL command, which runs an operating-system command on the database host, to carry out malicious activities such as data theft and malware deployment.
The attack chain identified by the cloud security researchers starts from misconfigured PostgreSQL databases: after logging in, the attackers create an administrator role and abuse the PROGRAM feature to execute shell commands on the host. A successful compromise is followed by reconnaissance and by commands that strip superuser permissions.
The malware drops two payloads, PG_MEM and PG_CORE, from a remote server to terminate other processes, establish persistence, and initiate Monero cryptocurrency mining. It utilizes PostgreSQL’s COPY command with the PROGRAM parameter to execute commands and control the server.
According to Morag, the campaign targets internet-facing PostgreSQL databases with weak passwords, highlighting the importance of proper configuration and identity controls to prevent such attacks.
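An added detection example, not code from the article or from Aqua's research: a Python script that scans PostgreSQL server logs for the chain described above (a burst of failed password logins, COPY … FROM PROGRAM, superuser role changes). It assumes a log_line_prefix of '%m [%p] %q%u@%d ' and that log_statement is set so statements are logged; the sample log lines are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumes log_line_prefix = '%m [%p] %q%u@%d '; adjust LINE for other prefixes.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \S+ \[\d+\] "
                  r"(?:\S+@\S+ )?(LOG|FATAL|ERROR):\s+(.*)$")
AUTH_FAIL = re.compile(r'password authentication failed for user "([^"]+)"')
# Statement patterns follow the attack chain described in the article.
SUSPICIOUS_SQL = [
    ("copy_from_program", re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)),
    ("create_superuser", re.compile(r"\bCREATE\s+(?:ROLE|USER)\b.*\bSUPERUSER\b", re.I)),
    ("strip_superuser", re.compile(r"\bALTER\s+(?:ROLE|USER)\b.*\bNOSUPERUSER\b", re.I)),
]

def analyze(lines, window=timedelta(seconds=60), threshold=5):
    """Return users with >= threshold failed logins inside `window`, plus flagged SQL."""
    failures = defaultdict(list)   # user -> timestamps of failed logins
    statements = []                # (kind, statement text)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        hit = AUTH_FAIL.search(msg)
        if hit:
            failures[hit.group(1)].append(ts)
        elif msg.startswith("statement: "):
            sql = msg[len("statement: "):]
            for kind, pat in SUSPICIOUS_SQL:
                if pat.search(sql):
                    statements.append((kind, sql))
    brute = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                brute[user] = max(brute.get(user, 0), i - start + 1)
    return {"brute_force": brute, "statements": statements}

# Constructed sample log: six failed logins in six seconds, then a shell-execution statement and a superuser strip.
SAMPLE = [f'2024-08-22 10:00:{s:02d}.000 UTC [4101] postgres@postgres FATAL:  '
          'password authentication failed for user "postgres"' for s in range(6)] + [
    "2024-08-22 10:01:00.000 UTC [4102] postgres@postgres LOG:  statement: COPY t FROM PROGRAM 'placeholder-command'",
    "2024-08-22 10:01:05.000 UTC [4102] postgres@postgres LOG:  statement: SELECT version()",
    "2024-08-22 10:01:10.000 UTC [4102] postgres@postgres LOG:  statement: ALTER ROLE postgres NOSUPERUSER",
]
```

Run it against a real log by passing the file's lines to analyze(); the threshold and window are starting points to tune against normal login failure rates.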