
More than 1,500 internet-exposed PostgreSQL instances have been compromised with cryptocurrency mining malware in an ongoing attack campaign tracked as JINX-0126, an evolution of the PG_MEM malware activity that Aqua Security first detected in August, The Hacker News reports.
Attackers infiltrate PostgreSQL servers that use weak credentials and abuse the `COPY ... FROM PROGRAM` SQL command to execute arbitrary operating-system commands and perform reconnaissance before deploying a shell script that terminates competing cryptominers and delivers the pg_core binary, according to an analysis from Wiz. A second Golang binary, named "postmaster" to impersonate PostgreSQL's multi-user database server process, is then downloaded to establish persistence, escalate privileges, and write a separate binary that downloads and executes the newest XMRig cryptominer variant.

JINX-0126 "has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly likely to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation," said Wiz researchers.
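Because per-target hashes and fileless execution defeat file-reputation checks, the more durable signal is the behaviour chain itself: repeated password failures from one client followed by a `COPY ... FROM PROGRAM` statement. The following detector over PostgreSQL server log lines is an added example, not code from Wiz, Aqua Security or The Hacker News; it assumes `log_line_prefix = '%m [%p] %u@%d %h '` and `log_statement = 'mod'` (so that `COPY FROM` is logged), and the log lines it parses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines (not real indicators), assuming
# log_line_prefix = '%m [%p] %u@%d %h ' and log_statement = 'mod'.
SAMPLE_LOG = """\
2025-04-01 10:02:11.001 UTC [2311] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-01 10:02:12.412 UTC [2312] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-01 10:02:13.221 UTC [2313] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-01 10:02:14.900 UTC [2314] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2025-04-01 10:02:15.120 UTC [2314] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'echo probe';
2025-04-01 10:05:00.000 UTC [2340] app@orders 10.0.0.5 LOG:  statement: SELECT count(*) FROM orders;
2025-04-01 10:06:00.000 UTC [2341] app@orders 10.0.0.5 LOG:  statement: COPY orders TO '/tmp/orders.csv';
"""

# Fields produced by the assumed log_line_prefix, then the severity and message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# Matches COPY ... FROM PROGRAM in any case/spacing; ordinary COPY TO/FROM a file does not match.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.IGNORECASE)


def analyze(log_text, failure_threshold=3):
    """Return findings for OS-command execution via COPY FROM PROGRAM.

    A finding is 'critical' when the same client address accumulated at least
    failure_threshold password failures beforehand (the weak-credential to
    command-execution chain), otherwise 'high'.
    """
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["level"] == "FATAL" and "password authentication failed" in m["msg"]:
            failures[m["host"]] += 1
        elif COPY_PROGRAM_RE.search(m["msg"]):
            findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                             "db": m["db"], "statement": m["msg"].split("statement: ", 1)[-1],
                             "failures_before": failures[m["host"]]})
    for f in findings:
        f["severity"] = "critical" if f["failures_before"] >= failure_threshold else "high"
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['user']}@{f['db']} from {f['host']}: {f['statement']}")
```

Any hit at all deserves a look, since a legitimate application role should not hold `pg_execute_server_program` membership in the first place; the brute-force correlation only ranks which hit to open first.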