A widespread cryptojacking campaign targeting poorly secured PostgreSQL database servers has impacted over 1,500 victims globally. Security analysts attribute the campaign to threat actor JINX-0126, which has refined its tactics since initial observations by Aqua Security in late 2024. The attack leverages fileless execution techniques and credential brute-forcing to deploy Monero (XMR)-mining malware while evading traditional cloud workload protection (CWPP) tools.

The attackers exploit PostgreSQL instances exposed online with weak or default credentials, a configuration affecting 30% of cloud-hosted PostgreSQL servers. Wiz Threat Research analysts identified three cryptocurrency wallets linked to the campaign, each showing ~550 active mining workers via C3Pool telemetry. This campaign underscores critical cloud security gaps: 90% of environments host PostgreSQL instances, many with inadequate access controls.

The attack begins with credential spraying against PostgreSQL’s default postgres account and other common usernames. After gaining access, the attackers abuse PostgreSQL’s COPY FROM PROGRAM function to execute shell commands, bypassing typical file-write detection methods. This enables the deployment of a multi-stage payload chain featuring UPX-packed Golang binaries masquerading as legitimate PostgreSQL processes. Each binary contains unique configuration blobs encrypted with AES-256, ensuring every victim’s payload has distinct hashes to evade signature-based detection.

While financially motivated, the attack’s fileless design and system reconfigurations create persistent backdoors for potential escalation to ransomware or data exfiltration. Wiz recommends enforcing network-level restrictions, auditing credentials, and implementing runtime monitoring for memfd-based execution – a key IoC flagged in their advisory. With opportunistic attacks increasingly targeting databases, organizations must prioritize configuration hygiene alongside behavioral threat detection.
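As an added, defender-side example (not code from the article or from Wiz's advisory), the following Python script scans PostgreSQL stderr log lines for the two behaviours described above: a burst of failed logins spread across several usernames (credential spraying) and any statement that uses COPY ... FROM PROGRAM. It assumes a log_line_prefix of '%m [%p] %u@%d ' and log_statement = 'all'; the log lines are constructed samples, and the threshold and window are assumed values to tune per environment.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines (not real telemetry) in PostgreSQL stderr format, assuming
# log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'all' so statements are logged.
SAMPLE_LOG = """\
2025-04-03 09:15:20.001 UTC [4101] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-03 09:15:21.002 UTC [4102] admin@postgres FATAL:  password authentication failed for user "admin"
2025-04-03 09:15:22.003 UTC [4103] root@postgres FATAL:  password authentication failed for user "root"
2025-04-03 09:15:23.004 UTC [4104] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-03 09:15:24.005 UTC [4105] test@postgres FATAL:  password authentication failed for user "test"
2025-04-03 09:15:31.007 UTC [4106] postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM 'echo sample'
2025-04-03 09:15:40.008 UTC [4107] app@inventory LOG:  statement: SELECT count(*) FROM orders
""".splitlines()

# Fields of the assumed prefix: timestamp (optional fraction), timezone, [pid], user@db, severity.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \S+ \[\d+\] "
    r"(?P<user>[^@\s]*)@(?P<db>\S*) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "([^"]+)"')
# COPY ... FROM PROGRAM runs a shell command as the server's OS user; this is the abuse the article describes.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)

def parse_line(line):
    """Split one log line into its fields; None if it does not match the assumed prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def detect(lines, spray_threshold=5, window=timedelta(seconds=60)):
    """Return (alert_type, timestamp, detail) tuples for spraying bursts and COPY FROM PROGRAM use."""
    alerts, failures = [], []  # failures: (timestamp, username) of failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fail = AUTH_FAIL_RE.search(rec["msg"])
        if fail:
            failures.append((rec["ts"], fail.group(1)))
            recent = [u for t, u in failures if rec["ts"] - t <= window]
            # Spraying: enough failures inside the window, spread over more than one username.
            if len(recent) >= spray_threshold and len(set(recent)) > 1:
                alerts.append(("credential_spray", rec["ts"], sorted(set(recent))))
                failures.clear()  # do not re-alert on the same burst
        elif COPY_PROGRAM_RE.search(rec["msg"]):
            alerts.append(("copy_from_program", rec["ts"], rec["user"]))
    return alerts
```

Pair this with checks that only superusers or members of pg_execute_server_program can run COPY FROM PROGRAM, since a low-privilege role cannot reach the server-side shell through it.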
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Apr 2025 09:15:20 +0000