CPU_HU: Fileless Cryptominer Targeting Exposed PostgreSQL with Over 1.5K Victims
Summary:
Wiz Threat Research uncovered a new variant of an ongoing campaign targeting misconfigured and publicly exposed PostgreSQL servers, primarily those with weak or easily guessable login credentials. The threat actor, identified as JINX-0126, is exploiting these weak credentials to gain unauthorized access to PostgreSQL instances and deploy XMRig-C3 cryptominers. According to researchers, the campaign has evolved with advanced defense evasion techniques, such as deploying binaries with a unique hash for each victim and executing the miner payload filelessly, in order to bypass detection by Cloud Workload Protection Platforms (CWPPs) that rely on file hash reputation for threat identification.
The attackers use a series of sophisticated techniques to ensure persistence and avoid detection. After gaining access, they use PostgreSQL's COPY ... FROM PROGRAM command, which runs a shell command on the database host, to drop and execute malicious payloads. The initial dropper script kills any existing cryptominers, then drops a malicious binary named pg_core. This is followed by an obfuscated Golang-based binary named postmaster, which mimics the legitimate PostgreSQL process of the same name to blend in with normal operations. The attacker also creates a superuser role for persistence and modifies critical configuration files such as pg_hba.conf to prevent other attackers from accessing the server. To further ensure stealth, the attacker deploys a cpu_hu binary that downloads and executes the XMRig-C3 miner, which is embedded with a unique configuration for each compromised system.
Security Officer Comments:
PostgreSQL servers are often misconfigured and left publicly exposed, making them attractive targets. According to Wiz Threat Research, nearly 90% of cloud environments host PostgreSQL instances, and around a third of those are publicly exposed, providing a significant attack surface for opportunistic threat actors. The use of weak credentials and exposed services creates an easy entry point, with researchers noting that the campaign has affected over 1,500 victims based on the analysis of connected wallets. Overall, the campaign's ability to use varying file hashes and unique configurations for each victim complicates detection and highlights the widespread vulnerability of misconfigured PostgreSQL instances.
Suggested Corrections:
Organizations should ensure that PostgreSQL instances are properly secured by disabling remote access where it is not required, or by using firewalls to restrict access to trusted IP addresses. Strong, unique passwords should be enforced for all database accounts, and two-factor authentication should be considered. Regular patching of PostgreSQL and other services, along with proper configuration management, can further prevent the exploitation of known vulnerabilities. Additionally, organizations should continuously monitor for unusual activity, such as unexpected processes, statements that execute host commands, new superuser roles, or changes to configuration files.
IOCs are published with the Wiz Threat Research report linked below.
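As an added example (not from the advisory or the Wiz report), the following Python script applies the monitoring advice above to PostgreSQL statement logs: it flags the three behaviours the advisory attributes to this campaign (COPY ... FROM/TO PROGRAM, creation or alteration of a SUPERUSER role, and statements touching pg_hba.conf). It assumes log_statement = 'all' and a log_line_prefix of '%m [%p] %u@%d '; the sample log lines, role name and paths are constructed.

```python
import re
from dataclasses import dataclass

# One PostgreSQL statement log line; assumes log_line_prefix '%m [%p] %u@%d '.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.+)$"
)

# Each rule corresponds to one behaviour the advisory attributes to JINX-0126.
RULES = {
    "copy_program": re.compile(r"\bCOPY\b.+\b(FROM|TO)\s+PROGRAM\b", re.I),
    "superuser_grant": re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.+\bSUPERUSER\b", re.I),
    "hba_tamper": re.compile(r"pg_hba\.conf", re.I),
}

@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    user: str
    db: str
    sql: str

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; lines that do not parse are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule, pat in RULES.items():
            if pat.search(m["sql"]):
                findings.append(Finding(rule, m["ts"], m["user"], m["db"], m["sql"]))
    return findings

# Constructed sample log (not from the Wiz report); role name and paths are made up.
SAMPLE_LOG = """\
2025-03-28 10:01:02 UTC [1201] postgres@postgres LOG:  statement: SELECT version();
2025-03-28 10:01:05 UTC [1201] postgres@postgres LOG:  statement: COPY tmp FROM PROGRAM '/tmp/x.sh';
2025-03-28 10:01:09 UTC [1201] postgres@postgres LOG:  statement: CREATE ROLE backup_svc LOGIN SUPERUSER PASSWORD 'x';
2025-03-28 10:01:12 UTC [1201] postgres@postgres LOG:  statement: COPY tmp TO '/var/lib/postgresql/data/pg_hba.conf';
2025-03-28 10:02:00 UTC [1305] app@inventory LOG:  statement: SELECT * FROM orders WHERE id = 42;
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.rule:16} {f.user}@{f.db}: {f.sql}")
```

In production, feed the script the server log (or pgaudit output) rather than the inline sample, and treat any copy_program hit from a non-administrative role as high priority.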
Link(s):
https://www.wiz.io/blog/postgresql-cryptomining