Ongoing Cyber Attack Targets PostgreSQL Instances for Crypto Mining


A sophisticated cyber campaign is actively exploiting publicly exposed PostgreSQL databases, hijacking them to deploy cryptocurrency mining malware. Security researchers have linked this campaign to a threat actor dubbed JINX-0126, with reports suggesting that over 1,500 PostgreSQL servers have already fallen victim.

The attack, first detected by Aqua Security in August 2024, has since evolved into a more sophisticated form, now bypassing traditional detection mechanisms. Researchers from Wiz uncovered how the attackers use advanced evasion techniques and exploit PostgreSQL’s built-in COPY … FROM PROGRAM function to execute malicious commands directly on compromised hosts.

This article provides an in-depth look at how these attacks work, their implications, and what security professionals need to do to protect PostgreSQL environments.

The Mechanics of the Attack

  1. Initial Exploitation – Attackers target PostgreSQL instances that are publicly accessible and have weak or default credentials.
  2. Command Execution via SQL Functions – By abusing PostgreSQL’s COPY … FROM PROGRAM command, attackers execute arbitrary shell commands on the host.
  3. Payload Deployment – A Base64-encoded payload is delivered, which upon execution:
     – Eliminates competing cryptocurrency miners.
     – Drops a malicious binary called PG_CORE.
     – Downloads an obfuscated Golang binary named postmaster, masquerading as a legitimate PostgreSQL service.
  4. Persistence Mechanisms – The malware ensures long-term access by:
     – Setting up a cron job for automatic execution.
     – Creating a new PostgreSQL role with elevated privileges.
     – Deploying another binary called cpu_hu, responsible for downloading and launching the XMRig cryptocurrency miner.
  5. Fileless Execution for Evasion – The miner is executed filelessly using the memfd technique, making it harder for security tools to detect.

Scale and Impact of the Attack

  • At least 1,500 PostgreSQL instances have been compromised.
  • Attackers use unique mining worker IDs per victim, preventing easy attribution.
  • Researchers found three different cryptocurrency wallets linked to the threat actor, each managing about 550 mining workers, confirming the widespread nature of the attack.

With cryptocurrency mining being a resource-intensive process, affected servers will experience:

  • Degraded performance – Reduced availability for legitimate database operations.
  • Increased cloud costs – Since many of these attacks target cloud-hosted PostgreSQL instances, organizations may face unexpected high bills due to excessive CPU usage.
  • Security risks – Attackers gaining initial access can pivot to further exploit the compromised infrastructure.

What Undercode Says: Analyzing the Attack and Its Broader Implications

This incident highlights several key security failures that allowed attackers to compromise PostgreSQL servers at scale. Here’s a breakdown of the main concerns:

1. PostgreSQL Misconfigurations Are a Major Risk

The attack specifically targets poorly secured PostgreSQL instances—those with weak passwords, publicly accessible endpoints, and improper network segmentation. Organizations using PostgreSQL should:
– Implement strong authentication mechanisms (e.g., multi-factor authentication, IP whitelisting).
– Disable or limit features like COPY … FROM PROGRAM, which allows direct shell command execution.
– Regularly audit database permissions to prevent privilege escalation.

2. The Evolution of Fileless Malware in Cloud Environments

Fileless malware attacks are becoming a preferred method for cybercriminals, as traditional endpoint detection and antivirus tools rely on scanning files for known malicious signatures. The memfd execution technique used here makes it difficult for cloud security solutions to detect and stop the malware.

Security teams must adopt behavior-based detection methods that look for anomalies in process execution rather than just scanning files for known threats.

3. The Financial Incentive Behind Crypto-Jacking

The core motivation of this attack is crypto-jacking—stealing processing power from compromised machines to mine cryptocurrencies like Monero (XMR). Since Monero offers anonymous transactions, cybercriminals prefer it over other cryptocurrencies for illicit activities.

Organizations should monitor:

  • Unexpected CPU spikes that could indicate unauthorized mining activity.
  • Unusual outgoing network traffic directed at known mining pools.

4. The Larger Threat Landscape

This campaign is part of a broader trend where attackers target misconfigured cloud services, including:

– Exposed Redis and Elasticsearch instances

– Kubernetes clusters with weak security controls

– Docker containers left open to the internet

Cybercriminals exploit these weaknesses automatically using scanning tools, making prevention the best defense rather than relying on detection after a compromise.

5. The Need for Proactive Security Measures

To mitigate risks, companies using PostgreSQL should:

  • Apply the principle of least privilege – Ensure only necessary permissions are granted to database roles.
  • Monitor logs for suspicious activity – Unexpected use of COPY … FROM PROGRAM should be flagged immediately.
  • Use cloud security tools with runtime protection – Solutions that detect unusual behavior (e.g., rapid process spawning, high CPU usage) can prevent attacks like these before they escalate.
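The two checklists above (restricting who can run COPY … FROM PROGRAM, and flagging its use plus the creation of privileged roles in the logs) can be turned into working detection logic. The Python script below is an added example written for this article; it is not code from Undercode, Wiz or Aqua Security. It assumes PostgreSQL statement logging is enabled (log_statement = 'mod' or 'all', so COPY FROM statements reach the server log) and a log_line_prefix of '%m [%p] %u@%d '; the log lines and role rows it scans are constructed samples, and the function and rule names are the author's own.

```python
"""Detection helpers for the PostgreSQL abuse pattern described above.

Added example, not code from the article or from the Wiz/Aqua research.
Assumes statement logging is on (log_statement = 'mod' or 'all', so COPY FROM
is written to the log) and log_line_prefix = '%m [%p] %u@%d '.
All log lines and role rows below are constructed samples.
"""
import re
from dataclasses import dataclass

# "COPY <target> FROM|TO PROGRAM '<command>'", any case/spacing; '' is an escaped quote.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# Role changes that grant host-command execution: SUPERUSER, or membership of
# the built-in pg_execute_server_program role.
PRIV_ROLE_RE = re.compile(
    r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*?\bSUPERUSER\b"
    r"|\bGRANT\s+pg_execute_server_program\b",
    re.IGNORECASE | re.DOTALL,
)
# Assumed log_line_prefix '%m [%p] %u@%d ' followed by 'LEVEL:  message'.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)


@dataclass
class Finding:
    timestamp: str
    user: str
    database: str
    rule: str      # "copy_program" or "privileged_role"
    detail: str    # the host command, or the offending statement


def inspect_log_line(line):
    """Return a Finding for one log line, or None if it is benign or unparseable."""
    m = LOG_LINE_RE.match(line.rstrip("\n"))
    if not m or not m.group("msg").startswith("statement:"):
        return None
    stmt = m.group("msg")[len("statement:"):].strip()
    prog = COPY_PROGRAM_RE.search(stmt)
    if prog:
        return Finding(m.group("ts"), m.group("user"), m.group("db"),
                       "copy_program", prog.group(2))
    if PRIV_ROLE_RE.search(stmt):
        return Finding(m.group("ts"), m.group("user"), m.group("db"),
                       "privileged_role", stmt)
    return None


def scan_log(lines):
    """Run inspect_log_line over an iterable of lines; keep only findings."""
    return [f for f in map(inspect_log_line, lines) if f is not None]


def audit_roles(rows):
    """Least-privilege check over rows shaped like the output of:
         SELECT rolname, rolsuper, rolcanlogin,
                pg_has_role(rolname, 'pg_execute_server_program', 'MEMBER') AS can_exec
         FROM pg_roles;
    Returns the login-capable roles that can run programs on the host, i.e. the
    accounts that must never carry weak or default passwords.
    """
    return sorted(r["rolname"] for r in rows
                  if r["rolcanlogin"] and (r["rolsuper"] or r["can_exec"]))


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-04-01 10:15:02.101 UTC [2211] app@inventory LOG:  statement: SELECT count(*) FROM orders",
    "2025-04-01 10:15:09.338 UTC [2215] postgres@postgres LOG:  statement: COPY tmp FROM PROGRAM 'uname -a'",
    "2025-04-01 10:15:10.002 UTC [2215] postgres@postgres LOG:  statement: CREATE ROLE svc_backup WITH LOGIN SUPERUSER PASSWORD 'x'",
    "2025-04-01 10:15:11.500 UTC [2216] app@inventory LOG:  statement: COPY orders FROM STDIN",
    '2025-04-01 10:15:12.700 UTC [2216] app@inventory ERROR:  relation "missing" does not exist',
]

# Constructed sample pg_roles rows (not from a real server).
SAMPLE_ROLES = [
    {"rolname": "postgres", "rolsuper": True, "rolcanlogin": True, "can_exec": True},
    {"rolname": "app", "rolsuper": False, "rolcanlogin": True, "can_exec": False},
    {"rolname": "svc_backup", "rolsuper": True, "rolcanlogin": True, "can_exec": False},
    {"rolname": "etl", "rolsuper": False, "rolcanlogin": True, "can_exec": True},
    {"rolname": "pg_execute_server_program", "rolsuper": False, "rolcanlogin": False, "can_exec": True},
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user}@{f.database} {f.rule}: {f.detail}")
    print("roles able to run host programs:", audit_roles(SAMPLE_ROLES))
```

On the sample input the scanner flags the COPY … FROM PROGRAM statement and the CREATE ROLE … SUPERUSER statement, and ignores the ordinary COPY … FROM STDIN. Two design points worth noting: COPY … FROM PROGRAM has no on/off switch in postgresql.conf; it is available only to superusers and members of the built-in pg_execute_server_program role, so audit_roles is the check that tells you which login accounts actually hold that capability, and keeping that list to the bare minimum is how the "disable or limit" advice above is put into practice. The detector is line-based, so a multi-line statement whose FROM PROGRAM clause is on a continuation line would need the lines joined first.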

Fact Checker Results

  • PostgreSQL Exploitation is a Known Issue – PostgreSQL’s COPY … FROM PROGRAM command has been previously abused in similar attacks, reinforcing the need for stronger security controls.
  • 1,500 Infected Machines Estimate is Plausible – Based on mining worker IDs and identified wallets, the scale of the attack seems credible.
  • Monero (XMR) is Commonly Used in Crypto-Jacking Attacks – Attackers favor Monero due to its privacy-focused features, making it a logical choice for this operation.

By securing PostgreSQL instances properly, organizations can prevent unauthorized access and avoid becoming part of an underground mining operation.

References:

Reported By: https://thehackernews.com/2025/04/over-1500-postgresql-servers.html