Thousands of PostgreSQL servers are being hijacked to mine crypto
Hackers are hunting for misconfigured servers and those with weak passwords.
- Researchers at Wiz spot a new cryptojacking campaign
- It has targeted more than 1,500 misconfigured PostgreSQL servers
- A variant of the infamous XMRig miner was deployed to try and steal crypto
Hackers are targeting misconfigured and publicly exposed PostgreSQL servers with cryptocurrency miners, rendering them practically unusable as they rake up the electricity bill for the victims, researchers have warned.
Wiz Threat Research experts said the new attack was actually a variant of an already observed, ongoing campaign, as the threat actors (which they call JINX-0126) are targeting PostgreSQL instances configured with weak and guessable login credentials. Once they find them and log in, they deploy the XMRig-C3 cryptominer.
XMRig is a hugely popular cryptominer, since it mines the Monero cryptocurrency, which is generally a lot more difficult to trace, compared to Bitcoin, or other mineable currencies.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
Mining Monero
A cryptocurrency miner uses up almost all of the device’s compute power, rendering it useless for pretty much anything else. This also means increased electricity consumption, which results in an inflated bill at the end of the month.
Cybercriminals, on the other hand, get Monero sent directly into their wallets, which they can sell on the open market for US dollars, or any other cryptocurrency. In many cases, the money gets spent on other malicious campaigns.
Wiz says that the campaign was first documented by researchers from Aqua Security, but it has since evolved.
The threat actors have allegedly implemented additional defense mechanisms and are deploying the miner filelessly in order to evade being spotted.
The researchers found that the threat actor assigned a unique mining worker to each victim, making it relatively easy to determine how many devices were likely compromised. Based on their analysis, the campaign likely impacted more than 1,500 devices.
“This suggests that misconfigured PostgreSQL instances are highly common, providing a low hanging fruit entry point for opportunistic threat actors to exploit,” they said.
“Furthermore, our data shows that nearly 90% of cloud environments self-host PostgreSQL instances, of which a third have at least one instance that is publicly exposed to the internet.”
Via The Hacker News
You might also like
- One of the biggest data leaks ever has just been revealed - here's what to do if you've been hit
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
