PgMiner botnet attacks weakly secured PostgreSQL databases

Security researchers have discovered this week a botnet operation that targets PostgreSQL databases to install a cryptocurrency miner.

Codenamed PgMiner by researchers, the botnet is just the latest in a long list of recent cybercrime operations that target web technologies for monetary profit.

According to researchers at Palo Alto Networks’ Unit 42, the botnet operates by performing brute-force attacks against internet-accessible PostgreSQL databases.

The attacks follow a simple pattern.

The botnet randomly picks a public network range (e.g., 18.xxx.xxx.xxx) and then iterates through all IP addresses part of that range, searching for systems that have the PostgreSQL port (port 5432) exposed online.

If PgMiner finds an active PostgreSQL system, the botnet moves from the scanning phase to its brute-force phase, where it shuffles through a long list of passwords in an attempt to guess the credentials for “postgres,” the default PostgreSQL account.

If PostgreSQL database owners have not disabled this user or changed its password, the attackers log in to the database and use the PostgreSQL COPY ... FROM PROGRAM feature to escalate their access from the database application to the underlying server and take over the entire OS.

Once they have a more solid hold on the infected system, the PgMiner crew deploys a coin-mining application and attempts to mine as much Monero cryptocurrency as possible before being detected.
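The scan, brute-force, and escalate sequence described above leaves a recognisable trail in the PostgreSQL server log. The script below is an added example, not code from the article or from Unit 42. It assumes the server was started with log_line_prefix = '%m [%p] %u@%d %r ' (so every line carries the user, database, and client address) and with connection and statement logging enabled; the log lines it parses are constructed for the example, and the failure threshold of 5 is an arbitrary choice. It counts failed password attempts against the postgres account per source host, flags any logged COPY ... FROM PROGRAM statement, and reports hosts that did both.

```python
"""Flag PgMiner-style activity in PostgreSQL server logs (added example).

Assumes log_line_prefix = '%m [%p] %u@%d %r ' so each line carries the
user, database and remote host. All sample log lines are constructed.
"""
import re
from collections import Counter

# Constructed sample: a burst of failed logins for "postgres" from one host,
# then a COPY ... FROM PROGRAM statement once a password guess succeeded.
# A legitimate application user's single failure and query are mixed in.
SAMPLE_LOG = """\
2020-12-10 10:15:01.123 UTC [2041] postgres@postgres 203.0.113.7(51234) FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:01.501 UTC [2042] postgres@postgres 203.0.113.7(51235) FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:01.902 UTC [2043] postgres@postgres 203.0.113.7(51236) FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:02.310 UTC [2044] postgres@postgres 203.0.113.7(51237) FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:02.744 UTC [2045] postgres@postgres 203.0.113.7(51238) FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:03.118 UTC [2046] app@inventory 10.0.0.12(44410) FATAL:  password authentication failed for user "app"
2020-12-10 10:15:03.200 UTC [2047] postgres@postgres 203.0.113.7(51239) LOG:  connection authorized: user=postgres database=postgres
2020-12-10 10:15:04.002 UTC [2047] postgres@postgres 203.0.113.7(51239) LOG:  statement: COPY scratch FROM PROGRAM 'hostname'
2020-12-10 10:15:05.000 UTC [2048] app@inventory 10.0.0.12(44411) LOG:  statement: SELECT count(*) FROM items
"""

# One log line under the assumed prefix: timestamp, pid, user@db, host(port), level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>[^\s(]+)\(\d+\) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)


def parse_lines(text):
    """Turn raw log text into a list of field dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def brute_force_sources(events, threshold=5):
    """Return {host: failures} for hosts with at least `threshold` failed
    password attempts against the default "postgres" account."""
    failures = Counter()
    for ev in events:
        fm = AUTH_FAIL_RE.search(ev["msg"])
        if fm and fm.group("user") == "postgres":
            failures[ev["host"]] += 1
    return {host: n for host, n in failures.items() if n >= threshold}


def copy_from_program_events(events):
    """Return (host, user, statement) for every logged COPY ... FROM PROGRAM,
    the server-side command execution feature the article says PgMiner abuses."""
    hits = []
    for ev in events:
        msg = ev["msg"]
        if ev["level"] == "LOG" and msg.startswith("statement:") and COPY_PROGRAM_RE.search(msg):
            hits.append((ev["host"], ev["user"], msg[len("statement:"):].strip()))
    return hits


def assess(text, threshold=5):
    """Combine both signals; a host that brute-forced and then ran a program is the
    strongest indicator of the compromise pattern described in the article."""
    events = parse_lines(text)
    brute = brute_force_sources(events, threshold)
    copies = copy_from_program_events(events)
    escalated = sorted({host for host, _, _ in copies if host in brute})
    return {"brute_force": brute, "copy_from_program": copies, "escalated_hosts": escalated}


if __name__ == "__main__":
    report = assess(SAMPLE_LOG)
    for host, n in report["brute_force"].items():
        print(f"brute force: {n} failed postgres logins from {host}")
    for host, user, stmt in report["copy_from_program"]:
        print(f"COPY FROM PROGRAM by {user} from {host}: {stmt}")
    for host in report["escalated_hosts"]:
        print(f"likely compromise: {host} brute-forced postgres and then ran a server-side program")
```

The rule keys on the postgres account because that is the account the article says PgMiner guesses; a production detector would also watch any other superuser or member of pg_execute_server_program, since COPY ... FROM PROGRAM is only available to those roles, which is also why keeping the superuser unreachable from the internet (pg_hba.conf) and off default credentials removes the escalation step entirely.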

According to Unit 42, at the time of their report, the botnet only had the ability to deploy miners on Linux MIPS, ARM, and x64 platforms.

Other notable features of the PgMiner botnet include the fact that its operators have been controlling infected bots via a command and control (C2) server hosted on the Tor network and that the botnet’s codebase appears to resemble the SystemdMiner botnet.

[Image: Palo Alto Networks]

PgMiner marks the second time a coin-mining operation has targeted PostgreSQL databases, with similar attacks seen in 2018, carried out by the StickyDB botnet.

Other database technologies that have also been targeted by crypto-mining botnets in the past include MySQL, MSSQL, Redis, and OrientDB.