Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign
Briefly

An ongoing campaign targeting exposed PostgreSQL instances aims to deploy cryptocurrency miners on weakly configured services. Cloud security firm Wiz reports that this sophisticated attack, attributed to the threat actor JINX-0126, uses evasion techniques such as a unique hash per target and fileless execution to avoid detection. The campaign has reportedly compromised over 1,500 systems by abusing the COPY ... FROM PROGRAM SQL command, which lets an attacker with sufficient database privileges run arbitrary shell commands on the database host. Victims see reconnaissance activity followed by the dropping of binaries that sustain persistent mining.
The threat actor is assigning a unique hash per target and executing the miner payload filelessly - likely to evade detection by cloud protection solutions.
Publicly exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become an attack target for opportunistic threat actors.
The campaign has likely claimed over 1,500 victims to date, indicating the scale of the issue with government and enterprise PostgreSQL services.
This campaign abuses the COPY ... FROM PROGRAM SQL command to execute shell commands, exploiting weak PostgreSQL configurations.
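When statement logging is enabled, the COPY ... FROM PROGRAM abuse described above leaves a trace in the PostgreSQL server log, which is one place a defender can look for it. The following is an added example, not code from the Wiz report or The Hacker News article: a small Python scanner that reads constructed log lines and flags any COPY statement routed through PROGRAM, in either direction (FROM PROGRAM and TO PROGRAM both hand a command to the OS). The log_line_prefix, role and database names, timestamps and the commands inside the sample lines are all assumptions made for the example; the audit query at the end assumes PostgreSQL 11 or later, where the pg_execute_server_program role exists.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines (not real data). They assume log_statement = 'all'
# and a hypothetical log_line_prefix of '%m [%p] %u@%d '.
SAMPLE_LOG = """\
2025-04-01 10:00:01.001 UTC [4011] app@shop LOG:  statement: SELECT id, total FROM orders WHERE id = 42
2025-04-01 10:00:02.117 UTC [4012] postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'echo constructed-sample'
2025-04-01 10:00:03.204 UTC [4013] postgres@postgres LOG:  statement: copy x from program 'echo another'
2025-04-01 10:00:04.330 UTC [4014] etl@warehouse LOG:  statement: COPY staging FROM '/var/lib/postgresql/import/batch.csv' CSV
2025-04-01 10:00:05.410 UTC [4015] etl@warehouse LOG:  statement: COPY (SELECT 1) TO PROGRAM 'cat'
"""

# Matches the assumed prefix; adapt this if your log_line_prefix differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement:\s+(?P<stmt>.*)$"
)

# A plain file COPY (FROM '/path') must not match; only the PROGRAM form does.
PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?P<direction>FROM|TO)\s+PROGRAM\b", re.IGNORECASE
)

# Lists roles that can reach COPY ... PROGRAM: superusers and (direct or
# indirect) members of pg_execute_server_program. Run it on the server to
# verify no application role has this capability. Assumes PostgreSQL 11+.
AUDIT_ROLES_SQL = """
SELECT r.rolname, r.rolsuper
FROM pg_roles r
WHERE r.rolsuper
   OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER');
"""


@dataclass
class Finding:
    ts: str
    pid: str
    user: str
    db: str
    direction: str   # normalised to 'FROM' or 'TO'
    statement: str


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per logged statement that uses COPY ... PROGRAM."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and non-statement messages are skipped
        stmt = m.group("stmt")
        hit = PROGRAM_RE.search(stmt)
        if hit:
            findings.append(Finding(
                ts=m["ts"], pid=m["pid"], user=m["user"], db=m["db"],
                direction=hit["direction"].upper(), statement=stmt,
            ))
    return findings


def count_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Aggregate hits per database role, to spot which account is being abused."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} pid={f.pid} {f.user}@{f.db} COPY {f.direction} PROGRAM: {f.statement}")
    print("hits per role:", count_by_user(hits))
```

On the constructed input the scanner reports three statements (two FROM PROGRAM, one TO PROGRAM) and leaves the ordinary file-based COPY alone. Treat this as a detection aid rather than a control: a superuser session can lower log_statement for itself, so the durable fix is the one the campaign itself points at, which is not exposing PostgreSQL to the internet, using strong credentials, and keeping application roles out of superuser and pg_execute_server_program membership (the AUDIT_ROLES_SQL query above lists who currently holds that capability).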
Read at The Hacker News