Security researchers from Palo Alto Networks have discovered a new botnet that targets misconfigured PostgreSQL databases running on Linux servers to install a cryptocurrency miner.
Named PGMiner by the researchers, the bot performs brute-force attacks against PostgreSQL databases and then abuses the database's disputed remote code execution (RCE) capability to mine the Monero cryptocurrency.
PostgreSQL is one of the most popular open-source relational database management systems (RDBMS). Although it was first released over two decades ago, the database is still ranked as the fourth most popular database by DB-Engines as of December 2020.
Exploits human error
“We believe PGMiner is the first cryptocurrency mining botnet that is delivered via PostgreSQL,” note the Palo Alto Networks Unit42 researchers.
The researchers explain that PGMiner hunts for PostgreSQL installations whose administrators have forgotten to disable the default ‘postgres’ administrator user account. It then brute-forces the account’s password before exploiting PostgreSQL’s controversial COPY ... FROM PROGRAM feature to start mining.
The COPY ... FROM PROGRAM feature was introduced in PostgreSQL v9.3 back in 2013 and allows local and remote superusers to run shell commands directly on the database server.
Security researchers dubbed this feature a vulnerability since it could be used to launch attacks from compromised databases. However, the PostgreSQL community disputed calling it a vulnerability since it could only be exploited on misconfigured installations.
PGMiner has proved them both right.
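As an added defender-side example (not from the article or from Unit42), the Python script below scans PostgreSQL server log lines for the chain the researchers describe: a burst of failed password logins for one account, a successful login from the same client afterwards, and a statement using COPY ... FROM PROGRAM. It assumes the log_line_prefix '%m [%p] %h ' with log_connections and log_statement enabled, and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log_line_prefix = '%m [%p] %h ', log_connections = on, log_statement = 'all'.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[\d+\] (?P<host>\S+) [A-Z]+:\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")
PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)

def analyze(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, client_host, detail) alerts for the PGMiner-style chain."""
    alerts = []
    failures = defaultdict(deque)  # (host, user) -> timestamps of recent failures
    suspected = set()              # client hosts that crossed the brute-force threshold
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %Z")
        host, msg = m["host"], m["msg"]
        if fail := FAIL_RE.search(msg):
            q = failures[(host, fail["user"])]
            q.append(ts)
            while ts - q[0] > window:   # keep only failures inside the sliding window
                q.popleft()
            if len(q) == threshold:      # fire once, when the burst is reached
                suspected.add(host)
                alerts.append(("brute_force", host, f'{threshold} failed logins for "{fail["user"]}"'))
        elif (auth := AUTH_RE.search(msg)) and host in suspected:
            # a password guessed after a burst of failures: treat the account as compromised
            alerts.append(("login_after_brute_force", host, f'user {auth["user"]} authorized'))
        elif PROGRAM_RE.search(msg):
            # server-side command execution through COPY ... FROM PROGRAM (superuser only)
            alerts.append(("copy_from_program", host, msg))
    return alerts

# Constructed sample log: five bad passwords, then a successful login and a COPY FROM PROGRAM.
SAMPLE_LOG = [
    f'2020-12-10 12:00:0{i}.000 UTC [410{i}] 203.0.113.7 FATAL:  password authentication failed for user "postgres"'
    for i in range(1, 6)
] + [
    "2020-12-10 12:00:06.000 UTC [4106] 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres",
    "2020-12-10 12:00:07.000 UTC [4106] 203.0.113.7 LOG:  statement: COPY t FROM PROGRAM 'uname -a'",
    "2020-12-10 12:05:00.000 UTC [4200] 10.0.0.5 LOG:  connection authorized: user=app database=shop",
]
if __name__ == "__main__":
    for kind, host, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {host:15} {detail}")
```

Disabling or password-protecting the default superuser, restricting it in pg_hba.conf, and never granting superuser to application roles removes the preconditions this script is looking for.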
While the Unit42 researchers only found evidence of PGMiner targeting Linux servers, they argue the malware could theoretically be made to attack other platforms since PostgreSQL runs on Windows and macOS as well.
Via: Palo Alto Networks