public inbox for [email protected]
From: Adrian Klaver <[email protected]>
To: Bharani SV-forum <[email protected]>
To: Greg Sabino Mullane <[email protected]>
To: Ron Johnson <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: Any industry best practise to overcome this specific malware "pg_mem"
Date: Wed, 2 Apr 2025 08:31:42 -0700
On 4/2/25 08:18, Bharani SV-forum wrote:
> Hello MVP's
> Good Morning
> Any industry best practise to overcome this specific malware "pg_mem".
>
> url = https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/
From above:
"The first stage is a simple brute force attack. We observe several
login attempts to the PostgreSQL database being refused until the brute
force attack successfully guesses the honeypot's username and password
(which were intentionally set to be easy to guess).
After the threat actor successfully guess the user and password, the
attack sequence commenced. The following set of SQL commands, were
executed: ..."
The first command is creating a role with SUPERUSER privileges, which
depends on the hacked role being a SUPERUSER itself.
So the solution is basic practices:
1) Don't expose the database any more than necessary. In other words, keep
access to the instance as restricted as possible, e.g. behind a firewall.
2) Don't use easy passwords or use one or more of the auth methods shown
here:
https://www.postgresql.org/docs/current/client-authentication.html
3) Try to avoid using SUPERUSER roles as login roles.
Keeping up to date is good practice, but in and of itself it will not
prevent the attack shown.
>
> We are up to date with the respective postgres server major version 13
> and minor patch as .20
> i.e 13.20
> Also working on the steps for db migration from ver 13.X to ver 14.X
> We are also up to date with the respective AWS-based EC2 server OS patches
--
Adrian Klaver
[email protected]
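A concrete form of points 2 and 3 above, added here as an example that is not part of the thread: audit which login roles are superusers, then create an application role that cannot perform the attack's first step. The names app_db, app schema and app_user are assumptions.

```sql
-- Added example (not from the thread). Assumes database app_db and schema app
-- already exist and that this script is run by an administrator.

-- 1. Audit: any role that can log in AND is a superuser (or can create roles)
--    is the kind of account whose brute-forced password lets the attacker's
--    "CREATE ROLE ... SUPERUSER" succeed. Ideally only the bootstrap postgres
--    role appears, and pg_hba.conf keeps it off the network entirely.
SELECT rolname, rolsuper, rolcreaterole, rolcanlogin, rolvaliduntil
  FROM pg_roles
 WHERE rolcanlogin AND (rolsuper OR rolcreaterole)
 ORDER BY rolname;

-- 2. Store new passwords as SCRAM-SHA-256 hashes rather than MD5
--    (session-level here; set password_encryption in postgresql.conf as well).
SET password_encryption = 'scram-sha-256';

-- 3. Application login role with no elevated attributes. The password
--    literal is a placeholder; use a long generated secret.
CREATE ROLE app_user
    LOGIN
    PASSWORD 'REPLACE-WITH-GENERATED-SECRET'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 20;

-- 4. Grant only what the application needs; remove the default PUBLIC
--    connect privilege so unrelated roles cannot reach the database.
REVOKE ALL ON DATABASE app_db FROM PUBLIC;
GRANT CONNECT ON DATABASE app_db TO app_user;
GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_user;

-- 5. Verify the control: even if app_user's password were guessed, the
--    attacker cannot mint a superuser. Run in autocommit mode; the CREATE
--    ROLE statement is refused with
--    "ERROR:  must be superuser to create superusers".
SET ROLE app_user;
CREATE ROLE attacker_check SUPERUSER;   -- expected to fail
RESET ROLE;

-- 6. Confirm the attribute flags of the new role (all three should be false).
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
  FROM pg_roles
 WHERE rolname = 'app_user';
```

Re-run step 1 after any role change; if step 5 ever succeeds, the connecting role has more privilege than an application login should carry.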