Cryptocurrency Miners Exploiting Exposed PostgreSQL Instances in Ongoing Cyber Campaign
Introduction

A new wave of cyberattacks has emerged, targeting exposed PostgreSQL database instances in an effort to deploy cryptocurrency mining malware. According to cloud security firm Wiz, the campaign demonstrates advanced evasion tactics and leverages misconfigured databases to establish persistent, unauthorized access. This operation, attributed to a threat actor identified as JINX-0126, is an evolved variant of a campaign first discovered by Aqua Security in August 2024.

Evolving Tactics of the Threat Actor

The current campaign employs a sophisticated version of a malware strain known as PG_MEM. This iteration has been significantly enhanced to bypass detection mechanisms by cloud security tools. Notably, the attacker uses binaries that feature unique hashes for each compromised target and executes the miner payload in a fileless manner—making it harder for traditional cloud workload protection platforms (CWPP) to detect and remediate the threat using file hash reputation alone.

These updated techniques reflect a broader trend in cyber threat evolution, where attackers adapt quickly to existing security technologies, particularly in cloud environments where detection and prevention are more complex.

Vulnerability of Public PostgreSQL Instances

Wiz researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski have reported that the attackers have compromised more than 1,500 PostgreSQL instances so far. These attacks rely on public-facing PostgreSQL servers that have been left exposed with weak or default credentials. This highlights the ongoing risks associated with misconfigured cloud resources and the increasing focus of cybercriminals on exploiting such opportunities.

Abuse of PostgreSQL Features for Exploitation

One of the most notable aspects of the attack is the misuse of the COPY ... FROM PROGRAM SQL command. This feature, originally intended for legitimate data import operations, is abused by the threat actor to execute arbitrary shell commands directly on the host system—effectively turning the PostgreSQL instance into a command execution platform.

Following initial access, the attacker conducts reconnaissance to better understand the host environment. A Base64-encoded shell script is then deployed, designed to eliminate rival cryptocurrency miners from the system and initiate the attack chain.
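The stages described above leave a recognisable trail in the PostgreSQL server log. The following detector is an added example (not code from the Wiz or Aqua reports): it scans constructed sample log lines for COPY ... FROM/TO PROGRAM statements, a base64-decode-and-pipe-to-shell pattern, and superuser role changes. It assumes the server runs with log_statement = 'all' so that every statement appears in the log.

```python
import re

# Constructed sample PostgreSQL server log lines (log_statement = 'all'); not taken from the article.
SAMPLE_LOG = """\
2025-04-01 10:00:01 UTC [1234] LOG:  statement: SELECT version();
2025-04-01 10:00:02 UTC [1234] LOG:  statement: COPY ids FROM PROGRAM 'id';
2025-04-01 10:00:03 UTC [1234] LOG:  statement: COPY users FROM '/tmp/users.csv' CSV;
2025-04-01 10:00:04 UTC [1235] LOG:  statement: copy t from program $$echo aGVsbG8= | base64 -d | sh$$;
2025-04-01 10:00:05 UTC [1235] LOG:  statement: CREATE ROLE backup_svc WITH SUPERUSER LOGIN;
2025-04-01 10:00:06 UTC [1236] LOG:  statement: COPY (SELECT 1) TO PROGRAM 'cat > /tmp/out';
"""

# Matches the "statement:" lines of the default log_line_prefix-free format used above.
STATEMENT = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:\s+statement: (?P<sql>.*)$")

# Each rule maps an alert tag to a pattern over the SQL text of one statement.
RULES = {
    # COPY ... FROM PROGRAM / TO PROGRAM runs a shell command as the postgres OS user.
    "copy_program": re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.I | re.S),
    # Base64-encoded script decoded and piped into a shell, as in the dropper stage.
    "base64_decode_pipe": re.compile(r"base64\s+(-d\b|--decode)", re.I),
    # A new or altered role granted SUPERUSER, as in the persistence stage.
    "superuser_role_change": re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I | re.S),
}

def classify_statement(sql):
    """Return the sorted list of rule tags that match one SQL statement."""
    return sorted(tag for tag, pat in RULES.items() if pat.search(sql))

def scan_log(text):
    """Parse statement log lines and return (pid, sql, tags) for every flagged statement."""
    hits = []
    for line in text.splitlines():
        m = STATEMENT.match(line)
        if not m:
            continue  # connection events, errors and other non-statement lines are skipped
        tags = classify_statement(m["sql"])
        if tags:
            hits.append((int(m["pid"]), m["sql"], tags))
    return hits

if __name__ == "__main__":
    for pid, sql, tags in scan_log(SAMPLE_LOG):
        print(f"pid={pid} tags={','.join(tags)} :: {sql}")
```

An ordinary file-based COPY (line three of the sample) is deliberately not flagged, so the rule keys on the PROGRAM keyword rather than on COPY itself.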

Payloads and Persistence Mechanisms

The attack downloads a binary named PG_CORE, along with a heavily obfuscated Golang-based binary called postmaster. This fake postmaster mimics the legitimate PostgreSQL multi-user server process, enabling it to blend into the system unnoticed.

To maintain long-term access, the malware sets up a cron job for persistence, creates a new role with elevated privileges, and writes an additional binary, cpu_hu, to the disk. The cpu_hu binary is used to download the XMRig cryptocurrency miner from GitHub. However, rather than writing the miner to disk, it is executed using the memfd fileless technique—a Linux-native method that loads executables directly into memory, leaving minimal forensic evidence.

Scale and Impact of the Campaign

Wiz noted that the attackers assign unique mining workers to each infected host, a sign of strategic resource management. Three cryptocurrency wallets associated with the campaign were identified, each hosting approximately 550 workers, suggesting that over 1,500 machines have been leveraged in this attack to mine cryptocurrency.

The financial motivation behind this attack is clear, but its implications extend beyond mere mining—highlighting the real risk posed by unsecured and misconfigured database services in production environments.

Conclusion

This ongoing campaign underscores the critical need for robust cloud security practices, particularly in relation to database configuration and access control. Organizations must ensure that publicly accessible PostgreSQL instances are properly secured with strong credentials, network restrictions, and continuous monitoring.

As attackers continue to adopt stealthier and more resilient techniques, defending against such campaigns requires a layered approach—combining vulnerability management, behavioral detection, and incident response preparedness. Failure to do so leaves cloud environments vulnerable to not just resource theft, but potential lateral movement and deeper compromise.
