From: Ron Johnson
Date: Wed, 2 Apr 2025 12:22:08 -0400
To: pgsql-general@postgresql.org
Subject: Re: Any industry best practise to overcome this specific malware "pg_mem"

On Wed, Apr 2, 2025 at 11:31 AM Adrian Klaver wrote:
> On 4/2/25 08:18, Bharani SV-forum wrote:
> > Hello MVP's
> > Good Morning
> > Any industry best practise to overcome this specific malware "pg_mem".
> >
> > url = https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/
>
> From above:
>
> "The first stage is a simple brute force attack. We observe several
> login attempts to the PostgreSQL database being refused until the brute
> force attack successfully guesses the honeypot's username and password
> (which were intentionally set to be easy to guess)."
>
> After the threat actor successfully guessed the user and password, the
> attack sequence commenced. The following set of SQL commands were
> executed: ...
> "
>
> The first command is creating a role with SUPERUSER privileges, which
> depends on the hacked role being a SUPERUSER itself.
>
> So the solution is basic practices:
>
> 1) Don't expose the database any more than necessary. In other words, keep
> access to the instance as restricted as possible, e.g. behind a firewall.

Besides deny-by-default firewalls, be strict with pg_hba.conf entries.

> 2) Don't use easy passwords

    openssl rand -base64 24

    # Two random dictionary words of 4-9 characters, punctuation stripped,
    # the first capitalised, followed by a two-digit number, e.g. Word.word42
    WordList=($(grep -E '^.{4,9}$' /usr/share/dict/words | shuf -n2 --random-source=/dev/urandom | tr -d '[:punct:]' | sort))
    First=${WordList[0]^}      # bash 4+: uppercase the first character
    Second=${WordList[1]}
    Number=$(printf "%02d" "$(shuf -i 0-99 -n1)")
    echo "${First}.${Second}${Number}"

--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
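Added example (not from this thread or from the Aqua write-up): a small Python detector run over constructed PostgreSQL server log lines that flags the two-stage sequence Adrian quotes, a burst of failed password authentications from one host followed by a successful login and a CREATE/ALTER ROLE ... SUPERUSER statement from the same host. It assumes log_line_prefix = '%m [%p] %h ' with log_connections = on and log_statement = 'ddl' or higher; the sample log lines and the threshold values are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches log_line_prefix '%m [%p] %h ' followed by the severity and message.
LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] '
                     r'(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$')
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_OK_RE = re.compile(r'connection authorized: user=(?P<user>\S+)')
SUPERUSER_RE = re.compile(r'statement:\s+(CREATE|ALTER)\s+ROLE\b.*\bSUPERUSER\b', re.I)

# Constructed sample log (not captured from a real server): a short burst from
# 203.0.113.7, then a login and a superuser role creation; 10.0.0.5 is a benign typo.
SAMPLE_LOG = """\
2025-04-02 09:15:01.001 UTC [2201] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 09:15:01.208 UTC [2202] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 09:15:01.410 UTC [2203] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 09:15:02.020 UTC [2206] 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2025-04-02 09:15:02.330 UTC [2206] 203.0.113.7 LOG:  statement: CREATE ROLE maint LOGIN SUPERUSER PASSWORD 'x'
2025-04-02 09:20:00.000 UTC [2300] 10.0.0.5 FATAL:  password authentication failed for user "app"
2025-04-02 09:20:05.000 UTC [2301] 10.0.0.5 LOG:  connection authorized: user=app database=app
"""

def detect(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return (host, kind, detail) alerts in log order; kinds are brute_force,
    login_after_brute_force, superuser_role_created, superuser_role_after_brute_force."""
    alerts = []
    fails = defaultdict(deque)   # host -> timestamps of failures inside the window
    bruteforced = set()          # hosts that have already crossed the threshold
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f')
        host, msg = m['host'], m['msg']
        if AUTH_FAIL_RE.search(msg):
            q = fails[host]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and host not in bruteforced:
                bruteforced.add(host)
                alerts.append((host, 'brute_force', f'{len(q)} failures within {window.seconds}s'))
        elif (ok := AUTH_OK_RE.search(msg)) and host in bruteforced:
            alerts.append((host, 'login_after_brute_force', ok['user']))
        elif SUPERUSER_RE.search(msg):
            kind = 'superuser_role_after_brute_force' if host in bruteforced else 'superuser_role_created'
            alerts.append((host, kind, msg))
    return alerts
```

A single failed login from a host never alerts, so ordinary typos stay quiet, while any superuser role creation is reported even without a preceding brute-force burst.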