Ethical Hacking News
Cloud security researchers are warning of a threat actor tracked as JINX-0126, who has been exploiting publicly exposed PostgreSQL instances with weak or predictable credentials. The group uses fileless techniques to deploy cryptocurrency miners on compromised servers and to execute arbitrary shell commands on them.
Researchers at Wiz, who exposed the ongoing campaign, estimate that it has claimed over 1,500 victims to date, which points to a concerning prevalence of weakly configured PostgreSQL instances. The actor is using a variant of malware dubbed PG_MEM, and because its techniques are fileless, detection and remediation are significantly harder for the organizations affected.
The campaign's most distinctive aspect is the abuse of the COPY ... FROM PROGRAM SQL command, which lets a sufficiently privileged database role execute arbitrary shell commands on the host. Once the attackers have authenticated to the PostgreSQL instance, this gives them command execution on the server: they conduct preliminary reconnaissance and drop a Base64-encoded payload that installs a shell script designed to kill competing cryptocurrency miners and establish persistence on the compromised server.
Further analysis reveals that the threat actor has implemented defense evasion techniques such as deploying binaries with a unique hash per target, executing payloads filelessly, and using a known Linux fileless technique referred to as memfd (running a payload from an anonymous in-memory file descriptor) to launch XMRig miners without leaving additional files on disk. This approach lets them evade cloud workload protection platforms that rely solely on file hash reputation.
According to Wiz's researchers, Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski, the campaign has likely claimed over 1,500 victims to date, highlighting a concerning prevalence of weakly configured PostgreSQL instances that can be exploited by opportunistic threat actors.
The researchers have also identified three distinct wallets linked to the threat actor, each with approximately 550 mining workers. This suggests that the campaign could have leveraged over 1,500 compromised machines, underscoring the severity of this threat.
The abuse of PostgreSQL instances by malicious actors is not a new phenomenon, but the use of fileless techniques and the deployment of cryptocurrency miners on compromised servers represent a significant escalation in the tactics employed by threat actors. As such, it is essential for organizations to ensure that their PostgreSQL instances are properly secured, with strong credentials, network access limited to known clients, and regular security updates.
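The following audit is an added example, not code from the article or from the Wiz report, and it assumes a superuser session opened with psql on PostgreSQL 11 or later; the role name `app_user`, the database name `appdb` and the network `10.0.0.0/8` are placeholders. It ties together the two points above: only superusers and members of the predefined role `pg_execute_server_program` can run `COPY ... FROM PROGRAM`, so the defender's questions are which login-capable roles hold that power, whether `pg_hba.conf` lets them in from anywhere with a weak method, and whether any session is issuing the command right now.

```sql
-- Added example (not from the article or the Wiz report). Run as a superuser.
-- Placeholders: app_user, appdb, 10.0.0.0/8.

-- 1. Which roles can execute server-side programs (superusers plus members of
--    pg_execute_server_program), and can they log in over the network?
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       EXISTS (SELECT 1
               FROM pg_auth_members m
               JOIN pg_roles g ON g.oid = m.roleid
               WHERE m.member = r.oid
                 AND g.rolname = 'pg_execute_server_program') AS via_predefined_role
FROM pg_roles r
WHERE r.rolsuper
   OR EXISTS (SELECT 1
              FROM pg_auth_members m
              JOIN pg_roles g ON g.oid = m.roleid
              WHERE m.member = r.oid
                AND g.rolname = 'pg_execute_server_program')
ORDER BY r.rolname;

-- 2. pg_hba.conf rules that accept clients from any address, or use a weak
--    method: trust (no password), password (cleartext), md5 (deprecated hash).
--    pg_hba_file_rules reads the file on disk, so it shows pending edits too.
SELECT line_number, type, database, user_name, address, netmask, auth_method
FROM pg_hba_file_rules
WHERE address = 'all'
   OR netmask IN ('0.0.0.0', '::')
   OR auth_method IN ('trust', 'password', 'md5')
ORDER BY line_number;

-- 3. Roles whose stored password is still an MD5 hash rather than SCRAM.
SELECT rolname
FROM pg_authid
WHERE rolpassword LIKE 'md5%';

-- 4. Detection: sessions currently issuing COPY ... FROM PROGRAM.
--    Pair this with log_connections = on and log_statement = 'ddl' (or 'all')
--    so failed and successful logins from unknown addresses are recorded.
SELECT pid, usename, client_addr, backend_start, query
FROM pg_stat_activity
WHERE query ~* 'COPY\s.*\sFROM\s+PROGRAM';

-- 5. Remediation for an application role that does not need the capability.
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;

-- 6. Move the role to a SCRAM password. Setting the password with \password
--    in psql keeps the plaintext out of server logs; this form is shown for
--    completeness with an obvious placeholder secret.
SET password_encryption = 'scram-sha-256';
ALTER ROLE app_user PASSWORD 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

-- 7. In pg_hba.conf, replace a rule such as
--      host  all   all       0.0.0.0/0    md5
--    with one scoped to the application network and database, for example
--      host  appdb app_user  10.0.0.0/8   scram-sha-256
--    and then reload without restarting:
SELECT pg_reload_conf();
```

Step 1 is the one to act on first: any role that can log in and appears in that result is, to an attacker who guesses its password, a shell on the host. Step 2 then tells you whether such a role is reachable from the Internet at all, which is the precondition the campaign depends on.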
In addition to securing PostgreSQL instances themselves, organizations should ensure that their cloud workload protection does not rely solely on file hash reputation, since fileless, per-target payloads defeat that signal; monitoring for in-memory execution and for anomalous database commands closes the gap. The rise of fileless cryptocurrency mining campaigns underscores the need to prioritize cloud security and stay informed about emerging threats: as threat actors continue to evolve and adapt, organizations must remain proactive in addressing weak configurations and implementing robust security measures to prevent similar attacks from compromising their systems.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Devastating-Rise-of-Fileless-Cryptocurrency-Mining-Campaigns-A-Threat-Actors-Evolutionary-Escalation-ehn.shtml
https://thehackernews.com/2025/04/over-1500-postgresql-servers.html
https://undercodenews.com/ongoing-cyber-attack-targets-postgresql-instances-for-crypto-mining/
Published: Tue Apr 1 13:06:40 2025 by llama3.2 3B Q4_K_M