Its security researchers Palo Alto Networks have discovered a new botnet called "PgMiner", which targets PostgreSQL databases running on Linux servers, to install a cryptocurrency mining program. PostgreSQL, also known as "Postgres", is one of the most common open source relational management (RDBMS) systems for production environments. It is ranked fourth among all database management systems (DBMS) since November 2020.
Researchers at Palo Alto Networks say that the feature in PostgreSQL that is being exploited is "copy from program", which was released on version 9.3 on September 9, 2013. In 2018, CVE-2019-9193 connected to this feature, naming it as «vulnerability». However, the PostgreSQL community has challenged this assignment and the CVE has been described as "disputed". Researchers believe that PGMiner is the first cryptocurrency mining botnet to be delivered via PostgreSQL.
The attack starts with randomly selecting a network width (eg 184.108.40.206, 220.127.116.11) in an attempt to breach PostgreSQL servers that have port 5432 exposed on the Internet.
PGminer botnet targets Postgress with default user "postgres", and executes a brute-force attack which is repeated through a built-in list of popular passwords such as “112233” and “1q2w3e4r” to bypass authentication. Once the botnet has access to , uses the PostgreSQL function “COPY from PROGRAM” to download and launch coin mining scripts directly from the underlying server. In addition, the PgMiner botnet develops a cryptocurrency Monero miner, currently targeting Linux MIPS, ARM and x64 platforms.
Botnet operators use a command and control (C2) server hosted on the Tor network, which experts say has the same code as the SystemdMiner botnet. Researchers at Palo Alto Networks also warn that malware could target all major functionalities systems. They also observed new techniques, such as integrating victim identity into the request, obtaining binary code through multiple approaches, and forging a trusted procedure name.
PostgreSQL is available for all major platforms, including MacOS, of Windows and Linux. Theoretically, the hackers could implement another version of PGMiner targeting a new platform, such as Windows, and "deliver" it using PostgreSQL.
It is worth noting that similar attacks have taken place in 2018 by the StickyDB botnet. Other database technologies that have also been targeted by cryptocurrency mining botnets are MySQL, MSSQL, Redis and OrientDB.