Recent research by Aqua Security has revealed a concerning trend: cryptojacking attackers are exploiting poorly protected PostgreSQL databases running on Linux machines. This alarming discovery highlights the vulnerabilities present in many organizations’ database configurations, leaving them open to opportunistic threats.
The Cryptojacking Attack Methodology
The cryptojacking attack begins with threat actors employing brute-force techniques against weakly protected PostgreSQL databases. Once they successfully log in, they execute several critical steps:
Creating a New User Role
After gaining access, attackers create a new user role with login capabilities and high privileges. This allows them to maintain control over the compromised database.
Stripping Privileges
The attackers then strip superuser privileges from the user role they originally compromised. This strategic move limits the access of other attackers who might exploit the same weak credentials, thereby reducing the risk of competing intrusions.
Information Gathering and Command Execution
Following these initial steps, the threat actors begin collecting information about the underlying system. They run shell commands to download two malicious files to the system:
- PG_Core: This payload targets existing cryptomining malware, such as Kinsing and TeamTNT, by removing cron jobs and killing associated processes. Assaf Morag, lead data analyst at Aqua’s Nautilus research team, noted, “The threat actor is stopping historic attacks of himself and others; this shows that he has some intel on competitors.”
- PG_Mem: This second payload is a Linux dropper that contains the XMRIG cryptominer. It is executed with the argument ‘deleted’ and creates a cron job to ensure persistent execution.
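The sequence described above (a password brute force, a successful login from the same host, creation of a privileged login role, and removal of SUPERUSER from an existing role) is visible in ordinary PostgreSQL server logs. The following detector is an added example written for this article; it is not code from Aqua Security or from the report. It assumes `log_connections = on`, `log_statement = 'ddl'` (or `'all'`) and a `log_line_prefix` of `'%m [%p] %u@%d %h '` so that the client host appears on every line; the log lines and the role name `svc_maint` are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: log_line_prefix = '%m [%p] %u@%d %h ' so that every line carries
# the client host. Adjust LINE_RE if your server uses a different prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \S+ \[\d+\] "
    r"(?P<user>[^@\s]*)@(?P<db>\S*) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAILED_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTHORIZED_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")
# CREATE ROLE/USER ... SUPERUSER (the \b keeps NOSUPERUSER from matching)
CREATE_SUPER_RE = re.compile(r"^statement:\s+CREATE\s+(?:ROLE|USER)\b.*\bSUPERUSER\b", re.I)
# ALTER ROLE/USER <name> ... NOSUPERUSER (the privilege-stripping step)
STRIP_SUPER_RE = re.compile(
    r"^statement:\s+ALTER\s+(?:ROLE|USER)\s+(?P<role>\S+)\b.*\bNOSUPERUSER\b", re.I
)

# Constructed sample log (not real traffic): five failed logins, one success,
# a SUPERUSER role created, the original superuser demoted, then benign activity.
SAMPLE_LOG = """\
2024-08-20 10:00:01.001 UTC [4101] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.010 UTC [4102] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:03.020 UTC [4103] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:04.030 UTC [4104] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:05.040 UTC [4105] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:06.500 UTC [4106] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:07.000 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE svc_maint LOGIN SUPERUSER PASSWORD 'constructed'
2024-08-20 10:00:08.000 UTC [4106] postgres@postgres 203.0.113.7 LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-20 10:01:00.000 UTC [4200] app@inventory 10.0.0.5 LOG:  statement: SELECT count(*) FROM orders
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def analyze(lines, fail_threshold=5, window=timedelta(minutes=1)):
    """Scan log lines in order and return a list of alert dicts.

    Alerts raised:
      brute_force            - fail_threshold failed password logins from one
                               host inside `window`
      login_after_brute_force- a successful login from a host already flagged
      superuser_role_created - CREATE ROLE/USER with SUPERUSER
      superuser_stripped     - ALTER ROLE/USER ... NOSUPERUSER
    """
    alerts = []
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    brute_hosts = set()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a line in the assumed prefix format; skip
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        host, msg = m["host"], m["msg"]

        if AUTH_FAILED_RE.search(msg):
            recent = failures[host]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()  # drop failures outside the sliding window
            if len(recent) >= fail_threshold and host not in brute_hosts:
                brute_hosts.add(host)
                alerts.append({"kind": "brute_force", "host": host, "count": len(recent)})
            continue

        auth = AUTHORIZED_RE.search(msg)
        if auth and host in brute_hosts:
            alerts.append({"kind": "login_after_brute_force", "host": host, "user": auth["user"]})
            continue

        if CREATE_SUPER_RE.match(msg):
            stmt = msg.split(":", 1)[1].strip()
            alerts.append({"kind": "superuser_role_created", "host": host, "statement": stmt})
            continue

        strip = STRIP_SUPER_RE.match(msg)
        if strip:
            alerts.append({"kind": "superuser_stripped", "host": host, "role": strip["role"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

Any one of these alerts deserves a look on its own; the full chain from a single host within a couple of minutes is the pattern this campaign leaves behind, and the `superuser_stripped` alert in particular is rarely legitimate outside a planned administration window.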
The Scope of the Cryptojacking Malware
PostgreSQL is a widely used open-source relational database management system (RDBMS), commonly deployed in cloud environments, Kubernetes setups, and on-premises infrastructures. Unfortunately, its popularity makes it an attractive target for cryptojacking malware attack groups and extortionists.
A Vulnerable Landscape
Shodan has identified over 830,000 exposed PostgreSQL databases. Many of these databases are vulnerable due to weak passwords, misconfigurations, or default settings that expose them to the public internet.
Protecting PostgreSQL Installations
Given the rising threat of cryptojacking malware, securing PostgreSQL installations is more critical than ever. Here are some essential measures that organizations can implement to protect their databases:
Strong Network Security
Exposing PostgreSQL directly to the internet is generally risky. Organizations should consider using firewalls, VPNs, or SSH tunnels to restrict access. These measures can significantly enhance security by limiting exposure to potential attackers.
Implement Strong Passwords
Ensuring that all users have strong passwords is a fundamental step in protecting against unauthorized access. Passwords are often the first line of defense, and weak ones are the first thing attackers exploit.
Utilize Audit Logs and Intrusion Detection Systems
Organizations should employ audit logs and intrusion detection systems to monitor access and detect any suspicious activities. These tools can provide critical insights into potential breaches and help organizations respond quickly.
Regular Backups and Feature Management
Secure backups are vital for recovery in the event of a successful attack. Additionally, organizations should disable unnecessary PostgreSQL features to minimize potential attack vectors, and protect the applications that use the database against SQL injection vulnerabilities.
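The network, password and logging measures above map directly onto two PostgreSQL files: pg_hba.conf (who may connect, from where, and how they authenticate) and postgresql.conf (which interfaces the server listens on, how passwords are stored, what is logged). The audit script below is an added example for this article, not Aqua Security's tooling; it embeds a constructed weak configuration next to a hardened one and flags the settings that leave an instance exposed. The network ranges, database and role names in the samples are invented, and the pg_hba.conf parser assumes addresses are written in CIDR form.

```python
# Constructed samples (not taken from any real deployment).
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   0.0.0.0/0     md5
host    all       all   ::/0          password
"""

HARDENED_HBA = """\
# TYPE    DATABASE   USER     ADDRESS        METHOD
local     all        all                     peer
host      all        all      127.0.0.1/32   scram-sha-256
hostssl   inventory  app_rw   10.0.0.0/24    scram-sha-256
hostssl   all        dba      10.0.1.0/24    scram-sha-256
"""

WEAK_CONF = """\
listen_addresses = '*'
password_encryption = md5
log_connections = off
"""

HARDENED_CONF = """\
listen_addresses = 'localhost,10.0.0.10'   # only the interfaces that need it
password_encryption = scram-sha-256
log_connections = on
log_disconnections = on
log_statement = 'ddl'                      # records CREATE/ALTER ROLE
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all"}
LOOPBACK = {"127.0.0.1/32", "::1/128", "localhost"}


def parse_hba(text):
    """Return pg_hba.conf rules as dicts. Assumes CIDR addresses (one field)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":           # local rules have no ADDRESS column
            rtype, db, user, addr, method = f[0], f[1], f[2], None, f[3]
        elif f[0] in HOST_TYPES:
            rtype, db, user, addr, method = f[0], f[1], f[2], f[3], f[4]
        else:
            continue                  # include directives etc. are ignored here
        rules.append({"line": lineno, "type": rtype, "db": db, "user": user,
                      "address": addr, "method": method})
    return rules


def audit_hba(text):
    """Return (severity, location, message) findings for a pg_hba.conf body."""
    findings = []
    for r in parse_hba(text):
        where = f"pg_hba.conf:{r['line']}"
        if r["method"] == "trust":
            findings.append(("critical", where, "trust: no password required at all"))
        elif r["method"] == "password":
            findings.append(("high", where, "password: credential sent in cleartext; use scram-sha-256"))
        elif r["method"] == "md5":
            findings.append(("medium", where, "md5: weaker than scram-sha-256"))
        if r["address"] in ANY_ADDRESS:
            findings.append(("high", where, f"rule reachable from any address ({r['address']}); restrict to known networks"))
        if r["type"] == "host" and r["address"] not in LOOPBACK:
            findings.append(("low", where, "plain host rule off loopback; use hostssl to require TLS"))
    return findings


def parse_conf(text):
    """Parse key = value lines of postgresql.conf into a dict (comments stripped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_conf(text):
    """Return (severity, location, message) findings for a postgresql.conf body."""
    s = parse_conf(text)
    findings = []
    addrs = {a.strip() for a in s.get("listen_addresses", "localhost").split(",")}
    if addrs & {"*", "0.0.0.0", "::"}:
        findings.append(("high", "listen_addresses", "server listens on all interfaces; list only the ones needed"))
    if s.get("password_encryption", "") != "scram-sha-256":
        findings.append(("medium", "password_encryption", "set password_encryption = scram-sha-256"))
    if s.get("log_connections", "off").lower() not in ("on", "true", "yes", "1"):
        findings.append(("low", "log_connections", "enable log_connections so brute-force attempts are recorded"))
    return findings


if __name__ == "__main__":
    for finding in audit_hba(WEAK_HBA) + audit_conf(WEAK_CONF):
        print(*finding, sep="  ")
```

Run against the weak samples the script reports a `trust` rule, two rules open to every address, a cleartext method and an all-interfaces listener; the hardened samples produce no findings. A `hostssl` rule only enforces TLS if `ssl = on` and a certificate are configured on the server, which this script does not check.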
Conclusion
As cryptojacking malware attacks on PostgreSQL databases continue to rise, it is imperative for organizations to take proactive steps to secure their systems. By implementing strong network security measures, utilizing robust passwords, and employing monitoring tools, organizations can significantly reduce their risk of falling victim to these opportunistic attacks.
“Some organizations or individuals may need to access their PostgreSQL databases from different locations or through different services, making direct internet exposure seem convenient.” ~ Assaf Morag
Direct exposure may be convenient, but it carries significant risks that cannot be ignored.
For further details on securing PostgreSQL workloads, additional best practices can be found in the full report by Aqua Security.
For more intriguing insights into other STEM-related topics, visit ENTECH Online. Explore our digital magazine dedicated to inspiring teenagers and young adults to pursue their passions in science, technology, engineering, and mathematics.