A troubling new cyber threat is targeting PostgreSQL databases, which many businesses rely on for their operations. Researchers at Wiz, a cloud security software provider, found and analyzed this malware, known as CPU_HU.
The CPU_HU threat exploits poorly secured PostgreSQL servers that are publicly accessible. Researchers estimate that over 1,500 victims have already been affected. As organizations increasingly use cloud services for their databases, ensuring these systems are secure is crucial.
How CPU_HU Works
The CPU_HU campaign does not exploit a PostgreSQL software vulnerability. It relies on weak login credentials: once the attackers can authenticate with a privileged account, they use the database's own features to run commands on the host and start an unauthorized cryptomining operation.
The CPU_HU attack flow typically follows a systematic approach.
Scanning for Exposed Servers
Attackers begin by scanning the internet for publicly exposed PostgreSQL servers. They often look for default or weak credentials, such as “admin/admin” or “postgres/postgres,” which are common in basic or misconfigured environments.
Once they identify a vulnerable server, the attackers log in using these weak credentials, gaining unauthorized access to the database.
Executing Malicious Commands
After logging in, the attacker abuses the PostgreSQL COPY … FROM PROGRAM command, which runs a shell command on the database host (as the operating-system user the PostgreSQL server runs as) and loads the command's output into a table. This is a documented, legitimate feature available to superusers and members of the pg_execute_server_program role, not a bug, but with a superuser login it amounts to remote command execution. For instance, the attacker runs a script that terminates competing cryptomining processes so that their own miner has the CPU to itself.
Deploying the Miner
The attacker then downloads and installs the CPU_HU cryptominer. This version is designed to be fileless: it runs primarily from the server's memory rather than from a file on disk, which makes it harder for traditional security tools to detect. Each deployed instance also carries a unique hash, defeating signature-based detection that relies on matching known binaries.
To maintain access, the malware creates a new superuser role within PostgreSQL or modifies existing roles, so the attackers can log back in even if the compromised password is changed. Resetting that password without also auditing the server's roles therefore does not evict them, and the mining continues undisturbed.
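To make the command-execution and persistence steps above concrete, here is an added example, not taken from the original article or from the Wiz write-up, of what an attacker holding a superuser login can run, followed by the queries a defender would use to check for the same conditions. The table name, the role name svc_backup and the role app_user are hypothetical; the shell command shown is a harmless stand-in, not the actual malware payload. The pg_execute_server_program role exists in PostgreSQL 11 and later.

```sql
-- Added example (not the article's or Wiz's code).
-- Attacker side: COPY ... FROM PROGRAM runs a shell command on the database
-- host as the PostgreSQL server's OS user and loads its stdout into a table.
-- 'id; uname -a' is an illustrative stand-in for the miner's dropper script.
CREATE TEMP TABLE cmd_output (line text);
COPY cmd_output FROM PROGRAM 'id; uname -a';
SELECT * FROM cmd_output;

-- Persistence: a new superuser role that can log in, so a password reset on
-- the original account does not lock the attacker out. Name is hypothetical.
CREATE ROLE svc_backup WITH LOGIN SUPERUSER PASSWORD 'changeme';

-- Defender side, query 1: who can run server-side programs at all?
-- Superusers implicitly hold every role, so they appear here too.
SELECT rolname,
       rolsuper,
       pg_has_role(oid, 'pg_execute_server_program', 'MEMBER') AS can_exec_program
FROM   pg_roles
WHERE  rolsuper
   OR  pg_has_role(oid, 'pg_execute_server_program', 'MEMBER');

-- Query 2: superuser roles that can log in, other than the bootstrap user.
-- Any row you do not recognise is a candidate for the persistence step above.
SELECT rolname, rolvaliduntil
FROM   pg_roles
WHERE  rolsuper AND rolcanlogin AND rolname <> 'postgres';

-- Remediation: drop the rogue role and take program execution away from
-- application accounts that never needed it (app_user is hypothetical).
DROP ROLE IF EXISTS svc_backup;
REVOKE pg_execute_server_program FROM app_user;
```

Run the two defender queries as a superuser on a schedule and alert on any difference from a known-good baseline; a miner that has to recreate its role after cleanup shows up here before it shows up in CPU graphs.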
Current research indicates that nearly 90% of cloud environments host PostgreSQL databases, with approximately one-third exposed to the internet. This makes them attractive targets for attackers. The ongoing CPU_HU campaign highlights the critical need for organizations to secure their PostgreSQL instances.
The consequences of falling victim to this type of attack can be significant. Organizations may face unexpected server performance issues from the heavy CPU consumption of mining, leading to degraded service quality. Because the login the attackers use is typically a superuser account, they already have full access to every database on the server and could read, modify or exfiltrate sensitive data, resulting in a data breach rather than just a bigger cloud bill.
Protecting Your PostgreSQL Instances
To safeguard your PostgreSQL servers from threats like CPU_HU, consider implementing the following best practices:
- Use strong, unique passwords for every database role, and never leave default or well-known credentials such as postgres/postgres in place. Prefer scram-sha-256 over md5 for password storage.
- Limit public access to your database. If your PostgreSQL instance does not need to be reached from the internet, do not bind it to a public address, and use firewall rules and pg_hba.conf so that only trusted IP ranges can connect.
- Keep the operating system and PostgreSQL up to date. Regular updates close known vulnerabilities; note, however, that patching alone does not stop this campaign, which uses valid credentials rather than an exploit.
- Implement network security measures for an additional layer of protection against unauthorized access, such as requiring a VPN or TLS (hostssl rules) for connections to your PostgreSQL server.
- Monitor user activity regularly, including logs, for unusual access patterns. Alerting on failed login attempts, logins from unexpected addresses, new or altered roles and configuration changes helps you catch an intrusion early.
- Conduct periodic security audits of your system and PostgreSQL configuration and of your overall posture. Remediate misconfigurations and patch vulnerabilities before they can be exploited, bringing in security experts or professional services when needed.
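As an added example that is not part of the original article, the statements below audit from inside PostgreSQL the items the checklist covers: listener exposure, permissive or weak pg_hba.conf rules, the password hashing method, and the logging needed to alert on logins and role changes. They require superuser rights and assume PostgreSQL 10 or later for the pg_hba_file_rules view; the 10.0.0.0/8 range in the comments is a placeholder for your own trusted network.

```sql
-- Added example (not the article's code): configuration audit for the
-- checklist above, run by a superuser with psql.

-- 1. Network exposure: pg_hba.conf rules that accept any client address or
--    that use no password, plaintext passwords, or md5 hashing.
--    A rule such as  host all all 0.0.0.0/0 md5  is exactly what this
--    campaign's credential guessing depends on.
SELECT line_number, type, database, user_name, address, netmask, auth_method
FROM   pg_hba_file_rules
WHERE  address IN ('0.0.0.0', '::', 'all')
   OR  auth_method IN ('trust', 'password', 'md5');

-- Corrected rules to put in pg_hba.conf instead (then SELECT pg_reload_conf()):
--   hostssl  all  all  10.0.0.0/8   scram-sha-256   -- trusted range, TLS only
--   host     all  all  0.0.0.0/0    reject          -- everyone else
--   host     all  all  ::/0         reject

-- 2. Is the server listening on every interface, and how are new passwords
--    hashed? '*' and 'md5' are the weak answers.
SHOW listen_addresses;
SHOW password_encryption;

-- 3. Roles still carrying an md5 password hash after switching the setting;
--    each needs its password reset so it is re-hashed with SCRAM.
SELECT rolname
FROM   pg_authid
WHERE  rolpassword LIKE 'md5%';

-- 4. Logging that surfaces the events the checklist says to alert on:
--    every connection attempt (successful or failed), disconnections, and
--    DDL such as CREATE ROLE / ALTER ROLE. Runs outside a transaction block.
ALTER SYSTEM SET log_connections = on;
ALTER SYSTEM SET log_disconnections = on;
ALTER SYSTEM SET log_statement = 'ddl';
SELECT pg_reload_conf();
```

With log_connections on, a credential-guessing run appears in the server log as a burst of "password authentication failed" lines from one client address, and a successful attacker's CREATE ROLE ... SUPERUSER is recorded by log_statement = 'ddl'; both are simple patterns to forward to a SIEM.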
The rise of threats like CPU_HU serves as a reminder of the importance of cybersecurity for businesses and server and database administrators alike.
By taking proactive measures and staying informed, organizations can help protect their PostgreSQL instances from cryptomining threats and other security vulnerabilities.