{"id":1606193,"date":"2025-04-01T18:01:02","date_gmt":"2025-04-01T20:01:02","guid":{"rendered":"https:\/\/teknomers.com\/fr\/plus-de-1-500-serveurs-postgresql-compromis-dans-une-campagne-dextraction-de-crypto-monnaie-sans-fidele\/"},"modified":"2025-04-01T18:01:07","modified_gmt":"2025-04-01T20:01:07","slug":"plus-de-1-500-serveurs-postgresql-compromis-dans-une-campagne-dextraction-de-crypto-monnaie-sans-fidele","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/plus-de-1-500-serveurs-postgresql-compromis-dans-une-campagne-dextraction-de-crypto-monnaie-sans-fidele\/","title":{"rendered":"Plus de 1 500 serveurs postgresql compromis dans une campagne d&#8217;extraction de crypto-monnaie sans fid\u00e8le"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">01 avril 2025<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">Cryptojacking \/ S\u00e9curit\u00e9 du cloud<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/Plus-de-1-500-serveurs-postgresql-compromis-dans-une-campagne.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Les instances PostgreSQL expos\u00e9es sont la cible d&#8217;une campagne en cours con\u00e7ue pour obtenir un acc\u00e8s non autoris\u00e9 et d\u00e9ployer des mineurs de crypto-monnaie.<\/p>\n<p>La soci\u00e9t\u00e9 de s\u00e9curit\u00e9 de cloud Wiz a d\u00e9clar\u00e9 que l&#8217;activit\u00e9 est une variante d&#8217;un ensemble d&#8217;intrusion qui a d&#8217;abord \u00e9t\u00e9 signal\u00e9e par Aqua Security en ao\u00fbt 2024 qui impliquait l&#8217;utilisation d&#8217;une souche malveillante surnomm\u00e9e PG_MEM. La campagne a \u00e9t\u00e9 attribu\u00e9e \u00e0 un acteur de menace, Wiz, les pistes Jinx-0126.<\/p>\n<p>&#8220;L&#8217;acteur de menace a depuis \u00e9volu\u00e9, mettant en \u0153uvre des techniques d&#8217;\u00e9vasion de d\u00e9fense telles que le d\u00e9ploiement de binaires avec un hachage unique par cible et l&#8217;ex\u00e9cution de la charge utile de mineur &#8211; susceptible d&#8217;\u00e9chapper \u00e0 la d\u00e9tection par [cloud workload protection platform] Solutions qui reposent uniquement sur la r\u00e9putation du hachage de dos <a rel=\"noopener nofollow\" href=\"https:\/\/www.wiz.io\/blog\/postgresql-cryptomining\" target=\"_blank\">dit<\/a>.<\/p>\n<div class=\"dog_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener sponsored\" href=\"https:\/\/thehackernews.uk\/drata-1\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybers\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/Lucid-PhaaS-atteint-169-cibles-dans-88-pays-utilisant-iMessage.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>Wiz a \u00e9galement r\u00e9v\u00e9l\u00e9 que la campagne a probablement r\u00e9clam\u00e9 plus de 1 500 victimes \u00e0 ce jour, ce qui indique que des instances postgresql expos\u00e9es publiquement avec des r\u00e9f\u00e9rences faibles ou pr\u00e9visibles sont suffisamment r\u00e9pandues pour devenir une cible d&#8217;attaque pour les acteurs de menace opportuniste.<\/p>\n<p>L&#8217;aspect le plus distinctif de la campagne est l&#8217;abus de la copie &#8230; de la commande SQL du programme pour ex\u00e9cuter des commandes de shell arbitraires sur l&#8217;h\u00f4te.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/1743537661_998_Plus-de-1-500-serveurs-postgresql-compromis-dans-une-campagne.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/1743537661_998_Plus-de-1-500-serveurs-postgresql-compromis-dans-une-campagne.jpg\" alt=\"\" border=\"0\" data-original-height=\"693\" data-original-width=\"780\"\/><\/a><\/div>\n<p>L&#8217;acc\u00e8s accord\u00e9 par l&#8217;exploitation r\u00e9ussie de services Postgresql faiblement configur\u00e9s est utilis\u00e9 pour effectuer une reconnaissance pr\u00e9liminaire et d\u00e9poser une charge utile en cod\u00e9 de base de base64, qui, en r\u00e9alit\u00e9, est un script shell qui tue les mineurs de crypto-monnaie concurrents et laisse tomber un binaire nomm\u00e9 PG_CORE.<\/p>\n<p>Le serveur est \u00e9galement t\u00e9l\u00e9charg\u00e9 sur le ma\u00eetre de poste de Golang binaire obscurci que <a rel=\"noopener nofollow\" href=\"https:\/\/www.postgresql.org\/docs\/8.1\/app-postmaster.html\" target=\"_blank\">imitation<\/a> Le serveur de base de donn\u00e9es multi-utilisateurs postgresql l\u00e9gitime. Il est con\u00e7u pour mettre en place de la persistance sur l&#8217;h\u00f4te \u00e0 l&#8217;aide d&#8217;un travail cron, cr\u00e9er un nouveau r\u00f4le avec des privil\u00e8ges \u00e9lev\u00e9s et \u00e9crire un autre binaire appel\u00e9 cpu_hu \u00e0 disque.<\/p>\n<div class=\"dog_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener sponsored\" href=\"https:\/\/thehackernews.uk\/zscaler-inside-d\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybers\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2025\/04\/1743491377_264_Apple-a-condamne-une-amende-a-150-millions-deuros-par.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>CPU_HU, pour sa part, t\u00e9l\u00e9charge la derni\u00e8re version du <a rel=\"noopener nofollow\" href=\"https:\/\/github.com\/C3Pool\/xmrig-C3\/\" target=\"_blank\">Mineur XMRI<\/a> \u00e0 partir de GitHub et le lance sans fid\u00e8le via une technique sans fid\u00e8le Linux connue appel\u00e9e MEMFD. <\/p>\n<p>&#8220;L&#8217;acteur de menace attribue un travailleur minier unique \u00e0 chaque victime&#8221;, a d\u00e9clar\u00e9 Wiz, ajoutant qu&#8217;il a identifi\u00e9 trois portefeuilles diff\u00e9rents li\u00e9s \u00e0 l&#8217;acteur de menace. &#8220;Chaque portefeuille comptait environ 550 travailleurs. Combin\u00e9, cela sugg\u00e8re que la campagne aurait pu tirer parti de plus de 1 500 machines compromises.&#8221;<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant? Suivez-nous <a rel=\"noopener nofollow\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Gazouillement <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"noopener nofollow\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">Liendin<\/a> Pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2025\/04\/over-1500-postgresql-servers.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80201 avril 2025\ue804Ravie LakshmananCryptojacking \/ S\u00e9curit\u00e9 du cloud Les instances PostgreSQL expos\u00e9es sont la cible d&#8217;une campagne en cours con\u00e7ue pour obtenir un acc\u00e8s non autoris\u00e9 et d\u00e9ployer des mineurs de crypto-monnaie. La soci\u00e9t\u00e9 de s\u00e9curit\u00e9 de cloud Wiz a d\u00e9clar\u00e9 que l&#8217;activit\u00e9 est une variante d&#8217;un ensemble d&#8217;intrusion qui a d&#8217;abord \u00e9t\u00e9 signal\u00e9e par [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1606194,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[274266,274265,2930,4168,20350,1966,79002,274264,4161,274263,6124,429,51145,1474,274267,4160,57626,1181,238617,246491,4172,8541,79016,196,4166,4164],"class_list":["post-1606193","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-de-piratage","tag-actualites-des-pirates","tag-campagne","tag-comment-pirater","tag-compromis","tag-cryptomonnaie","tag-cyber-security-news","tag-cyber-security-news-aujourdhui","tag-cyber-mises-a-jour","tag-cyber-nouvelles","tag-cyberattaques","tag-dans","tag-dextraction","tag-fidele","tag-malware-ransomware","tag-mises-a-jour-de-la-cybersecurite","tag-postgresql","tag-sans","tag-securite-de-linformation","tag-securite-du-reseau","tag-securite-informatique","tag-serveurs","tag-the-hacker-news","tag-une","tag-violation-de-donnees","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1606193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1606193"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1606193\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1606194"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1606193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1606193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1606193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}