Re: Any industry best practise to overcome this specific malware "pg_mem" - Mailing list pgsql-general

From Adrian Klaver
Subject Re: Any industry best practise to overcome this specific malware "pg_mem"
Date
Msg-id 48b5c3db-5836-4353-8131-a9e5bedea1ac@aklaver.com
In response to RE: postgresql-17.0-1 Application - silent installation Issue  ("JOLAPARA Urvi (SAFRAN)" <urvi.jolapara@safrangroup.com>)
Responses Re: Any industry best practise to overcome this specific malware "pg_mem"
List pgsql-general
On 4/2/25 08:18, Bharani SV-forum wrote:
> Hello MVP's
> Good Morning
> Any industry best practise to overcome this specific malware "pg_mem".
> 
> url = 
> https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/

From above:

"The first stage is a simple brute force attack. We observe several 
login attempts to the PostgreSQL database being refused until the brute 
force attack successfully guesses the honeypot’s username and password 
(which were intentionally set to be easy to guess)."

"After the threat actor successfully guess the user and password, the 
attack sequence commenced. The following set of SQL commands, were 
executed: ..."

The first command creates a role with SUPERUSER privileges, which 
depends on the hacked role being a SUPERUSER itself.


So the solution is basic practices:

1) Don't expose the database any more than necessary. In other words, keep 
access to the instance as restricted as possible, e.g. behind a firewall.

2) Don't use easy passwords or use one or more of the auth methods shown 
here:

https://www.postgresql.org/docs/current/client-authentication.html

3) Try to avoid using SUPERUSER roles as login roles.

Keeping up to date is good practice, but in and of itself it will not 
prevent the attack shown.

> 
> We are up to date with the respective postgres server major version 13 
> and minor patch as .20
> i.e 13.20
> Also working on the steps for db migration from ver 13.X to ver 14.X
> We are also up to date with the respective AWS based EC2 server OS patches

-- 
Adrian Klaver
adrian.klaver@aklaver.com
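The first two practices in the reply (restrict who can reach the instance, and stop relying on easy passwords or weak auth methods) can be checked mechanically against pg_hba.conf. The following Python audit is an added example written for this thread; it is not Adrian's code and not part of PostgreSQL. It assumes the standard pg_hba.conf field layout (TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD), treats `trust`, `password` and `md5` as weak relative to `scram-sha-256` as the linked client-authentication docs describe, and flags non-local rules whose address admits every client. Both configuration snippets are constructed for the example. A trailing catch-all `reject` rule is deliberately not reported, since that is the normal way to deny everything not matched earlier.

```python
"""Audit pg_hba.conf rules for the two weaknesses the reply lists:
exposure to any client address and weak authentication methods.
Example code written for this thread; not from the post or from PostgreSQL."""
import ipaddress

# Methods the PostgreSQL docs describe as weaker than scram-sha-256.
WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in cleartext",
    "md5": "MD5 challenge-response; scram-sha-256 is the stronger choice",
}


def _looks_like_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hba_line(line):
    """Parse one rule line into a dict, or return None for blanks and comments.

    Assumed layout (the standard one): TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS].
    'local' rules carry no address field.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    conn_type = fields[0]
    if conn_type == "local":
        if len(fields) < 4:
            return None
        return {"type": conn_type, "db": fields[1], "user": fields[2],
                "address": None, "method": fields[3]}
    if len(fields) < 5:
        return None
    address, method = fields[3], fields[4]
    # Old-style "ADDRESS NETMASK" form: fold the two fields into one network string.
    if len(fields) >= 6 and _looks_like_ip(fields[4]):
        address, method = f"{fields[3]}/{fields[4]}", fields[5]
    return {"type": conn_type, "db": fields[1], "user": fields[2],
            "address": address, "method": method}


def is_wide_open(address):
    """True when the address field admits every client (all, 0.0.0.0/0, ::/0)."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet and similar keywords


def audit_hba(text):
    """Return (line_no, rule_text, finding) tuples for every weak rule in the file text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        rule = parse_hba_line(raw)
        if rule is None:
            continue
        if rule["method"] in WEAK_METHODS:
            findings.append((no, raw.strip(),
                             f"weak method '{rule['method']}': {WEAK_METHODS[rule['method']]}"))
        # A trailing "reject everything else" rule is how the door is normally closed,
        # so a wide-open address is only a finding when the rule actually admits clients.
        if (rule["type"] != "local" and rule["method"] != "reject"
                and is_wide_open(rule["address"])):
            findings.append((no, raw.strip(), "rule accepts connections from any client address"))
    return findings


# Constructed sample files, not taken from any real server.
WEAK_CONF = """\
# constructed: exposed instance with weak auth
local   all   all                   peer
host    all   all   0.0.0.0/0       md5
host    all   all   ::/0            trust
"""

HARDENED_CONF = """\
# constructed: one application role, one subnet, SCRAM, then deny the rest
local   all   all                   peer
hostssl app   app   10.20.0.0/24    scram-sha-256
host    all   all   0.0.0.0/0       reject
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}: {len(audit_hba(conf))} finding(s)")
        for no, rule, finding in audit_hba(conf):
            print(f"  line {no}: {finding}\n    {rule}")
```

Run it against a copy of the server's pg_hba.conf (read the file and pass its text to `audit_hba`); an empty result for a file whose only wide-open rule is the final `reject` is the state the reply's first two points are asking for. The third point, avoiding SUPERUSER login roles, cannot be read from pg_hba.conf and is checked in the database itself.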
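The first stage quoted from the Aqua write-up (refused logins until one succeeds) leaves a recognisable trace in the server log. The script below is an added example written for this thread, not code from the reply, the write-up, or PostgreSQL. It assumes `log_connections = on` and a `log_line_prefix` of `'%m [%p] %h '` so that each line carries the client address; the log lines, TEST-NET addresses and timestamps are all constructed. It raises one alert when a single client address reaches `threshold` failed password authentications inside a rolling window, and a second when that same address is then granted a connection, which is the success-after-refusals pattern the write-up describes. A client that fails once and then succeeds (a mistyped password) is not reported.

```python
"""Flag the brute-force login pattern quoted from the Aqua write-up in PostgreSQL logs:
many refused password logins from one client address, then an authorized connection
from that same address. Example code written for this thread; not from the post,
the write-up, or PostgreSQL."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log_line_prefix of '%m [%p] %h ' with log_connections = on;
# adjust LINE_RE for another prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")


def parse_line(line):
    """Return (timestamp, client_host, message) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (host, kind, detail) tuples.

    kind is 'bruteforce' when a host reaches `threshold` failed password logins
    inside the rolling `window`, and 'success-after-failures' when a host that
    was already flagged is then granted a connection.
    """
    recent = defaultdict(deque)   # host -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if FAIL_RE.search(msg):
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= threshold and host not in flagged:
                flagged.add(host)
                alerts.append((host, "bruteforce", f"{len(q)} failed logins within {window}"))
            continue
        ok = OK_RE.search(msg)
        if ok and host in flagged:
            alerts.append((host, "success-after-failures",
                           f"user={ok.group('user')} after {len(recent[host])} recent failures"))
    return alerts


# Constructed sample: TEST-NET addresses and invented timestamps, not a real server log.
SAMPLE_LOG = """\
2025-04-02 08:18:01.120 UTC [4101] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 08:18:02.310 UTC [4102] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 08:18:03.502 UTC [4103] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 08:18:04.700 UTC [4104] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 08:18:05.911 UTC [4105] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 08:18:06.004 UTC [4106] 198.51.100.9 FATAL:  password authentication failed for user "app"
2025-04-02 08:18:07.100 UTC [4107] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-04-02 08:18:08.250 UTC [4108] 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2025-04-02 08:18:20.000 UTC [4109] 198.51.100.9 LOG:  connection authorized: user=app database=app
"""

if __name__ == "__main__":
    for host, kind, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {host:14} {detail}")
```

Feed it the server log (`detect_bruteforce(open(path))` works line by line) and tune `threshold` and `window` to the instance's normal failure rate. The second alert kind is the one worth paging on: it means a password was eventually guessed, and the role it was guessed for is where the reply's third point, not logging in as a SUPERUSER, decides how much damage is possible.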
