Aqua Blog

How To Protect Your Containers from pg_mem Malware with Aqua Runtime Security

Protecting against stealthy malware like pg_mem requires a layered defense. While signature-based tools can catch known threats, pg_mem is designed to blend in and bypass traditional detection. Aqua combines behavioral analysis with MITRE ATT&CK-based detection to uncover evasion techniques and suspicious activity that would otherwise go unnoticed.

With flexible runtime policies, you can automatically block threats like pg_mem in real time or choose how to respond based on your environment and risk tolerance.

Step-by-Step Guide

1. Access Enforcer Settings
Log in to the Aqua console and navigate to Administration > Enforcers.

2. Edit Enforcer Group
Select the Enforcer group you want to configure and click Edit.

3. Enable Behavioral Detection
In the Advanced Settings tab, locate Behavioral Detection and toggle it to Enable.

For more prevention and remediation strategies, including Aqua’s Advanced Malware Protection (AMP), visit our Support Portal.

The Hidden Threat Lurking in Your PostgreSQL: Weak Passwords and Real-World Breaches

“As a security researcher, I’ve had the opportunity to participate in several incident response events. To my surprise, in quite a few of them, the root cause of initial access was shockingly simple: a weak password on a PostgreSQL database.”

Assaf Morag

In too many incidents, security teams are left retracing their steps, struggling to pinpoint the initial access point. One common and often overlooked vector is weak database credentials. In many organizations, lead data practitioners can create users and set passwords, and many of those passwords are dangerously weak, such as “postgres:12345678” or “admin:Password1$”.

Today, between 850,000 and 1.6 million PostgreSQL servers are exposed to the internet. In many cases, attackers don’t even need to guess a password: common usernames such as admin, postgres, dev, or development are paired with weak or default credentials, and large botnets constantly brute-force their way into victims’ PostgreSQL servers.
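One practical check for the weakness described above is to audit your own roles offline, without sending a single login attempt to the server: pull the verifiers from pg_authid (superuser required), re-derive each one from a list of known-weak passwords, and flag any match. The script below is an added example, not Aqua’s tooling or code from the original post. It implements the PostgreSQL SCRAM-SHA-256 and legacy md5 verifier formats from the standard library only; the weak-password list and the pg_authid rows are constructed for the example.

```python
"""Offline audit of PostgreSQL role password hashes against a weak-password list.

Added example (not Aqua's tooling). Input rows have the shape that
`SELECT rolname, rolpassword FROM pg_authid` returns. Each stored verifier is
re-derived from candidate passwords locally, so no login attempt ever hits
the server. The weak-password list and sample rows below are constructed.
"""
import base64
import hashlib
import hmac

# Constructed weak-credential list, in the spirit of the pairs named above.
WEAK_PASSWORDS = ["12345678", "Password1$", "postgres", "admin", "password", "dev"]


def scram_sha256_hash(password: str, salt: bytes, iterations: int) -> str:
    """Build a pg_authid-style SCRAM-SHA-256 verifier:
    SCRAM-SHA-256$<iter>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>
    (key derivation per RFC 5802 / RFC 7677; PostgreSQL's default is 4096 iterations)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode()

    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def md5_hash(password: str, rolname: str) -> str:
    """Legacy PostgreSQL md5 verifier: 'md5' + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + rolname).encode()).hexdigest()


def password_matches(rolname: str, rolpassword: str, candidate: str) -> bool:
    """Re-derive the stored verifier from `candidate` and compare in constant time."""
    if rolpassword.startswith("SCRAM-SHA-256$"):
        params, keys = rolpassword[len("SCRAM-SHA-256$"):].split("$", 1)
        iterations, salt_b64 = params.split(":", 1)
        stored_key_b64 = keys.split(":", 1)[0]
        derived = scram_sha256_hash(candidate, base64.b64decode(salt_b64), int(iterations))
        derived_stored_key_b64 = derived.split("$", 2)[2].split(":", 1)[0]
        return hmac.compare_digest(derived_stored_key_b64, stored_key_b64)
    if rolpassword.startswith("md5"):
        return hmac.compare_digest(md5_hash(candidate, rolname), rolpassword)
    return False  # unknown format: not auditable by this script


def audit_roles(rows, candidates=WEAK_PASSWORDS):
    """Return {rolname: matched_password} for every role whose verifier matches a candidate.
    Roles with a NULL rolpassword (cannot log in with a password) are skipped."""
    findings = {}
    for rolname, rolpassword in rows:
        if not rolpassword:
            continue
        for candidate in candidates:
            if password_matches(rolname, rolpassword, candidate):
                findings[rolname] = candidate
                break
    return findings


# Constructed sample of what `SELECT rolname, rolpassword FROM pg_authid` might return.
SAMPLE_ROWS = [
    ("postgres", scram_sha256_hash("12345678", b"0123456789abcdef", 4096)),
    ("admin", md5_hash("Password1$", "admin")),
    ("app_rw", scram_sha256_hash("c0rrect-h0rse-battery-staple-9f2e", b"fedcba9876543210", 4096)),
    ("replicator", None),
]

if __name__ == "__main__":
    for role, weak_pw in audit_roles(SAMPLE_ROWS).items():
        print(f"WEAK: role {role!r} accepts password {weak_pw!r}")
```

Run it against real rows by replacing SAMPLE_ROWS with the output of the pg_authid query; any role it reports should have its password rotated and, if the verifier was md5, the server moved to password_encryption = scram-sha-256 so the stale md5 hash is replaced. An md5 hit also means the hash itself is usable for pass-the-hash style logins, which is a further reason to retire that format.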

Over the past few years, we’ve observed multiple threat actors targeting PostgreSQL servers, including Kinsing, PGMiner, PG_MEM and many more. Their goals vary: some steal data, others install cryptominers, and some even deploy ransomware.

PG_MEM, in particular, stands out. This threat actor goes the extra mile by fully mimicking the behavior of a legitimate PostgreSQL server. They employ sophisticated persistence techniques and maintain a minimal footprint, making detection extremely difficult.

Don’t wait for an attack to reveal the gaps

Contact your Aqua Sales Representative or Customer Success Manager today to learn how you can strengthen your container security and prevent real-world attacks.

For more detailed information about pg_mem, read our blog post PG_MEM: A Malware Hidden in the Postgres Processes.