- Wiz researchers spot a new cryptojacking campaign
- It has targeted over 1,500 misconfigured PostgreSQL servers
- A variant of the infamous XMRig miner has been deployed to mine the cryptocurrency
The hackers are targeting misconfigured, publicly exposed PostgreSQL servers with cryptocurrency miners, making them practically unusable while running up the victims' electricity bills, researchers warned.
Wiz threat research experts said the new attack was in fact a variant of an ongoing campaign already observed, in which the threat actors (which they track as JINX-0126) target PostgreSQL instances configured with weak, guessable login credentials. Once they find and connect to them, they deploy the XMRig-C3 cryptominer.
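The exposure described here comes from two settings working together: PostgreSQL listening on non-loopback interfaces and pg_hba.conf rules that accept password (or no) authentication from any address. The following audit script is an added example, not code from Wiz or the PostgreSQL project; the configuration snippets it checks are constructed to mirror that weak setup, and it assumes CIDR-style ADDRESS entries in pg_hba.conf.

```python
import ipaddress
import re

# Constructed sample configuration (not from the article): the server listens
# on every interface, and pg_hba.conf lets anyone on the internet try passwords.
POSTGRESQL_CONF = """
listen_addresses = '*'
port = 5432
"""

PG_HBA_CONF = """
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       postgres  0.0.0.0/0      md5
host    all       all       ::/0           trust
hostssl app       app       10.0.0.0/8     scram-sha-256
"""

# trust skips authentication entirely; password/md5 are legacy password methods.
# A strong method does not fix a guessable password, so exposure itself is flagged.
WEAK_METHODS = {"trust", "password", "md5"}
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1", ""}


def listens_publicly(conf: str) -> bool:
    """True if listen_addresses includes anything other than loopback."""
    m = re.search(r"^\s*listen_addresses\s*=\s*'([^']*)'", conf, re.M)
    if not m:
        return False  # PostgreSQL's default is 'localhost'
    return any(a.strip() not in LOCAL_ONLY for a in m.group(1).split(","))


def risky_hba_rules(hba: str) -> list[str]:
    """Return TCP rules that allow a weak method from the whole address space."""
    risky = []
    for raw in hba.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        # 'local' rules are Unix-socket only and carry no ADDRESS column.
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        address, method = fields[3], fields[4]
        if address == "all":
            world = True
        else:
            try:
                world = ipaddress.ip_network(address, strict=False).prefixlen == 0
            except ValueError:
                continue  # hostname entries are out of scope for this check
        if world and method in WEAK_METHODS:
            risky.append(line)
    return risky


def audit(conf: str, hba: str) -> list[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if listens_publicly(conf):
        findings.append("listen_addresses accepts connections on non-loopback interfaces")
    for rule in risky_hba_rules(hba):
        findings.append(f"pg_hba.conf rule allows weak auth from any address: {rule}")
    return findings
```

Point the two functions at real `postgresql.conf` and `pg_hba.conf` files to get the same findings for a live instance; an empty result means the server at least is not reachable with password-only authentication from the open internet.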
XMRig is an extremely popular cryptominer because it mines Monero, a cryptocurrency that is generally much harder to trace than Bitcoin or other mineable currencies.
Monero miner
A cryptocurrency miner uses almost all of the device's computing power, making it useless for almost everything else. It also drives up electricity consumption, which shows up as an inflated bill at the end of the month.
The cybercriminals, meanwhile, send the Monero directly to their own wallets and can sell it on the open market for US dollars or any other cryptocurrency. In many cases the money is spent on further malicious campaigns.
Wiz says the campaign was first documented by Aqua Security researchers, but that it has since evolved.
The threat actors appear to have added further defense-evasion mechanisms and to deploy the miner filelessly to avoid being spotted.
The researchers found that the threat actor assigned a unique mining worker to each victim, which makes it relatively easy to estimate the number of compromised devices. Based on their analysis, the campaign has probably affected more than 1,500 devices.
"This suggests that misconfigured PostgreSQL instances are very common, offering a low-hanging-fruit entry point for opportunistic threat actors to exploit," they said.
"In addition, our data shows that almost 90% of cloud environments self-host PostgreSQL, a third of which have at least one instance publicly exposed to the internet."
Via The Hacker News