A concerning campaign targeting exposed PostgreSQL instances has emerged, aiming to gain unauthorized access and deploy cryptocurrency miners within compromised environments. This campaign, identified by cloud security firm Wiz, is a variant associated with a previously recognized intrusion set reported by Aqua Security in August 2024, which utilized a malware strain known as PG_MEM. The threat actor behind this activity is tracked by Wiz under the designation JINX-0126.
Wiz’s investigation reveals that the threat actor has advanced its techniques, employing methods to evade detection. This includes deploying binaries with unique hashes for each target and executing the mining payload in a fileless manner, which can circumvent detection systems predicated on file hash integrity. Researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski note that these developments indicate a sophisticated approach to exploiting vulnerable database instances.
To date, this campaign has reportedly impacted over 1,500 victims, highlighting the widespread presence of publicly exposed PostgreSQL instances with weak or easily guessable credentials. The attackers are capitalizing on these vulnerabilities, showcasing a critical need for robust security measures to safeguard against such opportunistic threats.
One of the campaign’s most distinct tactics involves the abuse of the COPY … FROM PROGRAM SQL command, allowing attackers to execute arbitrary shell commands within the host’s environment. This method significantly enhances their capability to conduct reconnaissance and deploy malicious payloads.
The exploitation of poorly configured PostgreSQL services grants attackers access to conduct preliminary reconnaissance and deploy a Base64-encoded payload, which consists of a shell script designed to terminate competing cryptocurrency miners and drop a binary named PG_CORE on the host.
Additionally, the attackers introduce an obfuscated Golang binary, codenamed postmaster, which masquerades as a legitimate PostgreSQL multi-user database server. This binary establishes persistence through a cron job, creates a new role with elevated privileges, and writes another binary, cpu_hu, to disk.
The cpu_hu binary subsequently downloads the latest version of the XMRig miner from GitHub and launches it filelessly using a known Linux fileless technique based on memfd. This method aids the attackers in maintaining their foothold on compromised systems without triggering traditional security measures.
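Two of the behaviours described above leave observable traces a defender can hunt for: the COPY … FROM PROGRAM statements and superuser role creation show up in PostgreSQL statement logs, and a memfd-launched miner shows up as a process whose /proc/&lt;pid&gt;/exe link resolves into memfd. The following is an added example (not Wiz's or Aqua's code) that triages both; the log lines are constructed and assume a log_line_prefix that emits `[%p] %u@%d`.

```python
"""Defender-side triage for the PostgreSQL abuse described above (added example)."""
import os
import re
from typing import Dict, List

# Constructed sample log lines (log_statement = 'all'); not real data from the campaign.
SAMPLE_LOG = """\
2025-04-01 10:00:01 UTC [2311] app@appdb LOG:  statement: SELECT id FROM orders WHERE id = 42
2025-04-01 10:00:07 UTC [2390] postgres@postgres LOG:  statement: COPY tmp FROM PROGRAM 'PLACEHOLDER_SHELL_COMMAND'
2025-04-01 10:00:09 UTC [2390] postgres@postgres LOG:  statement: CREATE ROLE svc_backup WITH SUPERUSER LOGIN PASSWORD 'PLACEHOLDER'
2025-04-01 10:00:12 UTC [2311] app@appdb LOG:  statement: COPY orders TO '/tmp/orders.csv'
"""

# Each rule maps a finding name to a regex applied to the SQL text after "statement:".
RULES: Dict[str, re.Pattern] = {
    "copy_from_program": re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.I | re.S),
    "superuser_role_change": re.compile(r"\b(CREATE|ALTER)\s+ROLE\b.*?\bSUPERUSER\b", re.I | re.S),
    "server_program_grant": re.compile(r"\bGRANT\b.*?\bpg_execute_server_program\b", re.I | re.S),
}
STATEMENT_RE = re.compile(r"\[(?P<pid>\d+)\]\s+(?P<user>\S+)@(?P<db>\S+)\s+LOG:\s+statement:\s+(?P<sql>.*)")

def scan_pg_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per statement line that matches a rule (rule, pid, user, sql)."""
    findings = []
    for line in text.splitlines():
        m = STATEMENT_RE.search(line)
        if not m:
            continue  # connection, checkpoint or other non-statement line
        for name, rx in RULES.items():
            if rx.search(m["sql"]):
                findings.append({"rule": name, "pid": m["pid"], "user": m["user"], "sql": m["sql"]})
    return findings

def is_memfd_exe(exe_target: str) -> bool:
    """True when a /proc/<pid>/exe link target points into memfd.
    The kernel renders executables created with memfd_create as '/memfd:<name> (deleted)'."""
    return exe_target.startswith("/memfd:")

def find_memfd_processes(proc_root: str = "/proc") -> List[int]:
    """List PIDs whose main executable is memfd-backed (needs Linux /proc; may need root)."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # process exited, or we lack permission to read its exe link
        if is_memfd_exe(target):
            hits.append(int(entry))
    return hits

if __name__ == "__main__":
    for f in scan_pg_log(SAMPLE_LOG):
        print(f"[{f['rule']}] pid={f['pid']} user={f['user']}: {f['sql']}")
    print("memfd-backed processes:", find_memfd_processes())
```

A hit on `copy_from_program` from a role that has no business reaching the host shell, or any memfd-backed process on a database host, is worth an immediate look; the permanent fix is to keep application roles out of superuser and `pg_execute_server_program` and to close the instance to the public internet.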
Wiz noted that the threat actor assigns a unique mining worker to each compromised system, with evidence suggesting the existence of three distinct wallets connected to this actor. Each wallet appears to manage approximately 550 workers, indicating a substantial scale for the operation that could encompass over 1,500 compromised machines. This situation underscores the urgent need for businesses to fortify their database configurations and monitor access permissions closely.