Thousands of PostgreSQL servers are being hijacked to mine crypto
- Researchers at Wiz spot a new cryptojacking campaign
- It has targeted more than 1,500 misconfigured PostgreSQL servers
- A variant of the infamous XMRig miner was deployed to try and steal crypto
Hackers are targeting misconfigured and publicly exposed PostgreSQL servers with cryptocurrency miners, rendering them practically unusable as they rake up the electricity bill for the victims, researchers have warned.
Wiz Threat Research experts said the new attack was actually a variant of an already observed, ongoing campaign, as the threat actors (which they call JINX-0126) are targeting PostgreSQL instances configured with weak and guessable login credentials. Once they find them and log in, they deploy the XMRig-C3 cryptominer.
XMRig is a hugely popular cryptominer, since it mines the Monero cryptocurrency, which is generally a lot more difficult to trace, compared to Bitcoin, or other mineable currencies.
Mining Monero
A cryptocurrency miner uses up almost all of the device’s compute power, rendering it useless for pretty much anything else. This also means increased electricity consumption, which results in an inflated bill at the end of the month.
Cybercriminals, on the other hand, get Monero sent directly into their wallets, which they can sell on the open market for US dollars, or any other cryptocurrency. In many cases, the money gets spent on other malicious campaigns.
Wiz says that the campaign was first documented by researchers from Aqua Security, but it has since evolved.
The threat actors have allegedly implemented additional defense mechanisms and are deploying the miner filelessly in order to evade being spotted.
The researchers found that the threat actor assigned a unique mining worker to each victim, making it relatively easy to determine how many devices were likely compromised. Based on their analysis, the campaign likely impacted more than 1,500 devices.
“This suggests that misconfigured PostgreSQL instances are highly common, providing a low hanging fruit entry point for opportunistic threat actors to exploit,” they said.
“Furthermore, our data shows that nearly 90% of cloud environments self-host PostgreSQL instances, of which a third have at least one instance that is publicly exposed to the internet.”
Via The Hacker News
You might also like
Researchers at Wiz spot a new cryptojacking campaign It has targeted more than 1,500 misconfigured PostgreSQL servers A variant of the infamous XMRig miner was deployed to try and steal crypto Hackers are targeting misconfigured and publicly exposed PostgreSQL servers with cryptocurrency miners, rendering them practically unusable as they rake…
