Weak PostgreSQL Databases Targeted By PgMiner


PgMiner botnet targets PostgreSQL databases to install a cryptocurrency miner.

PgMiner Botnet:

PostgreSQL, also known as Postgres, is one of the most widely used open-source relational database management systems (RDBMS) in production environments.

This week, security researchers from Palo Alto Networks' Unit 42 reported a new botnet, tracked as PgMiner, that targets PostgreSQL databases to install a cryptocurrency miner.


Attack Flow:

First, the botnet picks a random network range (e.g., 18.xxx.xxx.xxx) and iterates through it, scanning for hosts that expose the PostgreSQL port (TCP 5432) to the internet.

Second, when it finds a live PostgreSQL server, the botnet moves from the scanning phase to its brute-force phase.

In the brute-force phase it runs through a long list of passwords, trying to guess the password of the default PostgreSQL superuser account, "postgres".

According to Unit 42, at the time of its report the botnet could deploy miners only on Linux MIPS, ARM and x64 platforms.
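The brute-force phase described above is easy to spot from the defender's side, because PostgreSQL writes a FATAL line for every failed password. The script below is an added example (it is not code from the article or from Unit 42's report). It assumes the server was started with log_line_prefix = '%m [%p] %h ' so that the client address appears on each line (adjust the regex for other prefixes), and it runs over constructed sample log lines to flag hosts that exceed a threshold of failed logins inside a one-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed prefix: log_line_prefix = '%m [%p] %h ' (timestamp, pid, client host).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] (?P<host>\S+) '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)

# Constructed sample log (not from a real server): one host hammers "postgres",
# one host has a single typo followed by a successful login.
SAMPLE_LOG = """
2020-12-10 14:03:01.102 UTC [4101] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-10 14:03:02.310 UTC [4102] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-10 14:03:03.517 UTC [4103] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-10 14:03:04.729 UTC [4104] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-10 14:03:05.940 UTC [4105] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-10 14:03:07.151 UTC [4106] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-10 14:03:09.004 UTC [4107] 10.0.0.2 FATAL:  password authentication failed for user "app"
2020-12-10 14:03:10.221 UTC [4108] 10.0.0.2 LOG:  connection authorized: user=app database=app
2020-12-10 14:09:30.000 UTC [4120] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
""".strip().splitlines()


def parse_failures(lines):
    """Yield (timestamp, client_host, user) for every failed password authentication."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["host"], m["user"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {host: peak_failures} for hosts with >= threshold failures inside any window.

    A sliding window over the sorted failure timestamps per host finds the densest
    burst, so a slow trickle of typos from a legitimate client is not flagged.
    """
    per_host = defaultdict(list)
    for ts, host, _user in parse_failures(lines):
        per_host[host].append(ts)

    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[host] = max(hits.get(host, 0), count)
    return hits


if __name__ == "__main__":
    for host, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {host}: {count} failed logins within one minute")
```

On the sample the scanner at 18.0.0.5 is reported with six failures; the single failure from 10.0.0.2 and the isolated retry six minutes later stay below the threshold. In production, feed the function a tail of the server log (or the lines shipped to your SIEM) and pair a hit with a firewall block or a fail2ban-style action.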

[Image: PgMiner attack flow diagram. Image: Palo Alto Networks]

Post Attack:

Once the attackers have guessed the password, they use PostgreSQL's COPY ... FROM PROGRAM feature, which lets a superuser run an arbitrary shell command on the database host, to escalate from the database to the underlying server and take over the whole OS.

With a foothold on the infected system, the PgMiner crew deploys a coin-mining application and mines as much Monero as it can before the infection is spotted.

The operators control infected bots through a command-and-control (C2) server hosted on the Tor network, and the botnet's codebase appears to resemble that of the SystemdMiner botnet.

None of this works unless the PostgreSQL owners have forgotten to disable the default "postgres" account or to change its password, and have left port 5432 reachable from the internet.
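What makes the COPY ... FROM PROGRAM step work is the privilege level of the guessed account: `COPY t FROM PROGRAM 'cmd'` runs cmd as the PostgreSQL OS user, and PostgreSQL permits it only for superusers or, since version 11, members of the built-in pg_execute_server_program role. The check a defender wants is therefore "which login roles can reach that capability?". The audit below is an added example, not code from the article or from Unit 42. ROLE_QUERY is the catalog query that produces real input rows; the Role class and SAMPLE_ROLES are constructed for illustration, and the script treats membership in a superuser role as reachable (via SET ROLE), which is the conservative assumption.

```python
from dataclasses import dataclass

# Built-in role that (since PostgreSQL 11) grants COPY ... FROM PROGRAM to non-superusers.
SERVER_PROGRAM_ROLE = "pg_execute_server_program"

# Catalog query to produce real input for audit_copy_program(); run it as a superuser.
ROLE_QUERY = """
SELECT r.rolname, r.rolsuper, r.rolcanlogin,
       coalesce(array_agg(g.rolname) FILTER (WHERE g.rolname IS NOT NULL), '{}') AS member_of
FROM pg_roles r
LEFT JOIN pg_auth_members m ON m.member = r.oid
LEFT JOIN pg_roles g ON g.oid = m.roleid
GROUP BY r.rolname, r.rolsuper, r.rolcanlogin;
"""


@dataclass(frozen=True)
class Role:
    name: str
    superuser: bool
    can_login: bool
    member_of: tuple = ()  # names of roles this role is a direct member of


def can_run_copy_program(role, roles_by_name):
    """True if the role can reach COPY ... FROM PROGRAM.

    That is the case when the role is a superuser, or when it is a direct or
    nested member of pg_execute_server_program or of a superuser role it could
    SET ROLE into (assumed reachable; membership grants SET ROLE by default).
    """
    if role.superuser:
        return True
    seen = set()
    stack = list(role.member_of)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        if name == SERVER_PROGRAM_ROLE:
            return True
        parent = roles_by_name.get(name)
        if parent is None:
            continue
        if parent.superuser:
            return True
        stack.extend(parent.member_of)
    return False


def audit_copy_program(roles):
    """Return the sorted names of login-capable roles that can run OS commands via COPY FROM PROGRAM."""
    by_name = {r.name: r for r in roles}
    return sorted(r.name for r in roles if r.can_login and can_run_copy_program(r, by_name))


# Constructed sample roles (not taken from a real server).
SAMPLE_ROLES = [
    Role("postgres", superuser=True, can_login=True),          # the default account PgMiner guesses
    Role("app", superuser=False, can_login=True),
    Role("reporting", superuser=False, can_login=True, member_of=(SERVER_PROGRAM_ROLE,)),
    Role("ops", superuser=True, can_login=False),               # NOLOGIN, but a stepping stone
    Role("deploy", superuser=False, can_login=True, member_of=("ops",)),
    Role("readonly", superuser=False, can_login=True, member_of=("app",)),
]

if __name__ == "__main__":
    print("roles that can execute OS commands via COPY FROM PROGRAM:", audit_copy_program(SAMPLE_ROLES))
```

On the sample the audit reports postgres, reporting and deploy; app and readonly cannot reach the capability. Every name on that list is an account whose password, if brute-forced over an exposed port 5432, hands the attacker the host rather than just the database, so those are the accounts to rename, restrict in pg_hba.conf to local or trusted addresses, and protect with strong credentials.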

Published December 13th, 2020 | Targeted Attacks

About the Author:

FirstHackersNews - Identifies Security
