Malware Infects Databases With Vulnerable Passwords to Install Crypto Mining Software

• Bad actors are now infecting PostgreSQL-enabled internet-connected devices with untraceable mining malware.
• 800,000 devices face the threat of being cryptojacked by this malware.

New malware infects PostgreSQL-enabled databases with weak passwords, harnessing their resources and coordinating them into a crypto-mining network. About 800,000 databases can be infected. 300,000 are located in the US and 100,000 in Poland.

Cloud security company Aqua Security revealed the malware’s existence in a blog post. “Aqua Nautilus researchers have uncovered PG_MEM, a new PostgreSQL malware, that brute forces its way into PostgreSQL databases, delivers payloads to hide its operations, and mines cryptocurrency.”

The attack involved bad actors brute forcing their way into a PostgreSQL-enabled database by guessing its password and installing two files. These files take over these database systems, channeling their resources into mining networks managed by bad actors. Furthermore, the files can also prevent other bad actors from utilizing these databases, evade detection from scans, and control all actions of the databases.

Source: Aqua Security

Gaining control of devices to use them for mining activity is referred to as cryptojacking. Beyond such databases, personal devices can also be cryptojacked. With PostgreSQL databases, often called Postgres, their robustness leaves no other way for attackers to get through but brute forcing their way in. So, Postgres databases with weak passwords can find themselves on the chopping block.

Postgres Hacks Are Not Uncommon

“This campaign is exploiting internet-facing Postgres databases with weak password. Many organizations connect their databases to the internet, weak password is a result of a misconfiguration, and lack of proper identity controls. This is not a rare issue and many large organizations suffer from these problems,” Aqua Security’s blog read.

Getting more resources on board increases miners’ chances to mine blocks, motivating some to take measures like this to increase their block rewards. Such attacks and other malware-related ones have shot up in 2024, with the first half of the year registering a 400% increase.