Summary: An ongoing campaign targets exposed PostgreSQL instances to gain unauthorized access and deploy cryptocurrency miners; it is attributed to the threat actor JINX-0126. The campaign, which uses advanced evasion techniques, has reportedly affected over 1,500 victims whose instances had weak or predictable credentials. Key techniques include executing arbitrary shell commands through the COPY ... FROM PROGRAM SQL command and deploying a malicious Golang binary that installs a persistent cryptocurrency miner on compromised systems.
Affected: PostgreSQL database instances
Key points:
- Campaign targets weakly configured and publicly exposed PostgreSQL instances.
- Threat actor JINX-0126 employs fileless techniques and unique hashes for evasion.
- The COPY ... FROM PROGRAM command allows execution of arbitrary shell commands on the database host, under the OS account running PostgreSQL.
- Malicious payloads include a shell script to eliminate competing miners and install PG_CORE.
- An obfuscated Golang binary mimics legitimate PostgreSQL processes for persistence.
- Each victim is assigned a unique mining worker, with three wallets linked to the campaign, suggesting the exploitation of 1,500+ machines.
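The following SQL, added here as an example and not taken from the article or from the attacker's tooling, shows the primitive the campaign abuses (COPY ... FROM PROGRAM) and the audit and hardening queries a DBA would run against their own instance. The role name app_user is a hypothetical placeholder; the shell commands are harmless diagnostics standing in for the malicious script described above.

```sql
-- 1. The abused primitive. COPY ... FROM PROGRAM runs the given command
--    as the OS user that owns the PostgreSQL server process and reads its
--    stdout into a table. It needs superuser or membership in
--    pg_execute_server_program (PostgreSQL 11+), which is exactly why
--    weak credentials on a superuser account are fatal.
CREATE TEMP TABLE cmd_out (line text);
COPY cmd_out FROM PROGRAM 'id; uname -a';   -- constructed benign stand-in for the miner dropper
SELECT line FROM cmd_out;

-- 2. Audit: which login-capable roles on this instance could run it?
--    Predefined pg_* roles are filtered out; only real accounts are listed.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.rolname, 'pg_execute_server_program', 'MEMBER') AS can_exec_program
FROM   pg_roles r
WHERE  r.rolcanlogin
  AND  r.rolname NOT LIKE 'pg\_%'
  AND (r.rolsuper
       OR pg_has_role(r.rolname, 'pg_execute_server_program', 'MEMBER'));

-- 3. Detection: look for in-flight sessions issuing the command, with the
--    remote address they came from. Persisting this via log_statement or
--    pg_stat_statements gives the same signal historically.
SELECT pid, usename, client_addr, backend_start, query
FROM   pg_stat_activity
WHERE  query ~* 'COPY\s.*FROM\s+PROGRAM';

-- 4. Hardening: strip the capability from application accounts and force
--    strong password hashing for any account that must remain.
--    (app_user is a hypothetical application role.)
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
```

Step 1 must be run as a superuser to succeed; if it fails with a permission error for your application role, that role is already in the state step 4 aims for. Network exposure is the other half of the fix and lives outside SQL: listen_addresses and pg_hba.conf should restrict which hosts can reach the listener at all.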
Source: https://thehackernews.com/2025/04/over-1500-postgresql-servers.html