Massive Cryptocurrency Mining Operation Hijacks Over 1,500 PostgreSQL Servers

A massive cyberattack campaign has successfully breached more than 1,500 PostgreSQL database servers to secretly mine cryptocurrency, according to cloud security researchers at Wiz. The ongoing attacks, attributed to a threat actor known as JINX-0126, specifically target PostgreSQL instances that are exposed to the internet and protected by weak passwords.

The attackers have implemented sophisticated evasion techniques, including a fileless approach to deploy cryptocurrency mining malware. This method makes the attack particularly difficult to detect since it doesn't leave traditional file traces that security tools typically scan for.

The attack chain begins when the attackers log in to poorly secured PostgreSQL services and abuse the `COPY ... FROM PROGRAM` SQL command, which runs an arbitrary shell command on the database host. Once inside, they conduct system reconnaissance and deploy a Base64-encoded script that eliminates competing crypto miners and installs their own malicious software.
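Because `COPY ... FROM PROGRAM` (and its `TO PROGRAM` counterpart, which also runs a command) is an unusual statement on most production databases, it is a good thing to hunt for in PostgreSQL statement logs. The following is an added example, not code from Wiz or from the PostgreSQL project; it assumes `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %u@%d '`, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
# COPY ... FROM PROGRAM '...' and COPY ... TO PROGRAM '...' both hand a command
# line to the server's shell; single quotes inside the SQL literal are doubled.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'", re.IGNORECASE | re.DOTALL)
# Assumed log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all'.
# PostgreSQL indents the continuation lines of a multi-line statement with a tab.
STATEMENT_RE = re.compile(r"\[(\d+)\] (\S+)@(\S+) LOG:\s+statement: (.*)")

@dataclass
class Finding:
    pid: int
    user: str
    database: str
    direction: str  # "FROM" or "TO"
    command: str    # the program string the server would execute

def _statements(log_text):
    """Yield [pid, user, db, statement], joining tab-indented continuation lines."""
    current = None
    for line in log_text.splitlines():
        m = STATEMENT_RE.search(line)
        if m:
            if current:
                yield current
            current = [int(m.group(1)), m.group(2), m.group(3), m.group(4)]
        elif current and line.startswith("\t"):
            current[3] += "\n" + line[1:]
    if current:
        yield current

def find_copy_program(log_text: str) -> list[Finding]:
    """Return every logged COPY ... FROM/TO PROGRAM with the command it handed to the shell."""
    findings = []
    for pid, user, db, stmt in _statements(log_text):
        hit = COPY_PROGRAM_RE.search(stmt)
        if hit:
            findings.append(Finding(pid, user, db, hit.group(1).upper(),
                                    hit.group(2).replace("''", "'")))
    return findings

# Constructed sample log: a legitimate file COPY, a recon command, and a
# base64-decoded script piped to the shell (blob redacted), as in the campaign.
SAMPLE_LOG = """\
2025-04-01 09:14:02 UTC [2231] app@shop LOG:  statement: SELECT count(*) FROM orders
2025-04-01 09:14:05 UTC [2232] app@shop LOG:  statement: COPY orders FROM '/srv/import/orders.csv' CSV
2025-04-01 09:14:09 UTC [2240] postgres@postgres LOG:  statement: copy scratch from program 'uname -a'
2025-04-01 09:14:11 UTC [2240] postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM
\t'echo ''<redacted-base64>'' | base64 -d | sh'
"""
```

Only superusers and members of the `pg_execute_server_program` role can run these statements, so every hit should map to a known administrative session; the plain file `COPY` on the second line is correctly left alone.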

The campaign utilizes multiple components, including a deceptive Golang binary called "postmaster" that masquerades as legitimate PostgreSQL software. This program establishes persistence through scheduled tasks and creates privileged user accounts. Another component, "cpu_hu," downloads and executes the XMRig cryptocurrency miner directly in memory.

Security researchers have identified three distinct cryptocurrency wallets associated with the operation, each containing approximately 550 mining workers. This indicates the extensive reach of the campaign across compromised systems.

The current attack appears to be an evolution of a previously identified campaign from August 2024 that used malware called PG_MEM. The newer version demonstrates more advanced capabilities in evading detection while maintaining its primary goal of unauthorized cryptocurrency mining.

Organizations running PostgreSQL servers are advised to implement strong authentication measures and regularly audit their database security configurations to prevent unauthorized access.