Exposed PostgreSQL situations are the goal of an continuing strategy designed to gain unauthorized access and build crypto miners.
Cloud security firm Wiz said the action is a variation of an intrusion set that was first identified by Aqua Security in August 2024 that involved the use of a malicious strain dubbed . The strategy has been attributed to a threat professional Wiz tracks as JINX-0126.
” The threat actor has since evolved, implementing security evasion techniques such as deploying files with a special hash per target and executing the miner payload filelessly – possible to escape detection by]cloud workload protection platform ] solutions that rely solely on file hash reputation”, experts Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski .
Wiz has also revealed that the campaign has likely claimed over 1, 500 victims to date, indicating that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become an attack target for opportunistic threat actors.
The most distinctive aspect of the campaign is the abuse of the COPY… FROM PROGRAM SQL command to execute arbitrary shell commands on the host.
The access afforded by the successful exploitation of weakly configured PostgreSQL services is used to conduct preliminary reconnaissance and drop a Base64-encoded payload, which, in reality, is a shell script that kills competing cryptocurrency miners and drops a binary named PG_CORE.
Also downloaded to the server is an obfuscated Golang binary codenamed postmaster that the legitimate PostgreSQL multi-user database server. It’s designed to set up persistence on the host using a cron job, create a new role with elevated privileges, and write another binary called cpu_hu to disk.
cpu_hu, for its part, downloads the latest version of the from GitHub and launches it filelessly via a known Linux fileless technique referred to as .
” The threat actor is assigning a unique mining worker to each victim”, Wiz said, adding it identified three different wallets linked to the threat actor. ” Each wallet had approximately 550 workers. Combined, this suggests that the campaign could have leveraged over 1, 500 compromised machines”.