Malware exploits weak passwords in PostgreSQL for cryptojacking

Up to 800,000 internet-connected databases could be vulnerable to crypto-mining malware that will use their computing capacity.

Malware exploits weak passwords in PostgreSQL for cryptojacking

New malware has been uncovered that targets databases to install cryptocurrency mining software. Dubbed PG_MEM, the malware could potentially hit any of the more than 800,000 PostgreSQL-managed databases if they have weak passwords.

According to cloud-native cybersecurity company Aqua, PG_MEM is installed after a brute force attack finds a weak password on a PostgreSQL-managed database. PostgreSQL is a popular object-relational database management system that is used by databases with internet connectivity. There are well over 800,000 such databases, with almost 300,000 located in the United States and over 100,000 in Poland.

Malware sends spare compute to a mining pool

Once the threat actor has gained entry to a database, it creates a new user with login capability and high privileges. It downloads two files from the threat actor’s server and even manages to cover its tracks and block entry to other threat actors eager to exploit the database’s computing capacity. This could be happening often:

“This campaign is exploiting internet facing Postgres databases with weak password. Many organizations connect their databases to the internet, weak password is a result of a misconfiguration, and lack of proper identity controls. This is not a rare issue and many large organizations suffer from these problems.”

The malware, once operational, connects to a mining pool and uses the host’s computing resources, combined with those of other miners, to increase the chances of mining a new block.

PG_MEM attack flow. Source: Aqua Security

Related: Windows tool targeted by hackers deploys crypto-mining malware

A growing problem — or solution

The use of malware to mine cryptocurrency is known as cryptojacking. Cryptojacking malware can be installed on personal computers as well. It is becoming more frequent. Cointelegraph noted that crypto malware attacks rose by 400% year-on-year in the first half of 2023.

Source: Aqua Security

Unused capacity can be harnessed by rightful hardware users for mining or other uses. Decentralized cloud infrastructure provider Aethir, for example, operates a GPU-as-a-service decentralized physical infrastructure network (DePIN) that sources compute from tier 3 and tier 4 data centers to provide inexpensive, scalable computing service to its clients.

Related Articles

Responses