Security researchers at Palo Alto Network‘s Unit 42 announced that they have discovered a new botnet, PGMiner that targets PostgreSQL databases running on Linux to install a cryptocurrency miner. The botnet exploits a disputed PostgreSQL remote code execution vulnerability that compromises database servers for cryptojacking. PGMiner attempts to connect to a for Monero mining but the mining pool is not active anymore.
Cryptojacking
PostgreSQL, which ranks fourth among all database management systems, includes a feature named “copy from program” which was introduced in version 9.3 and is under exploitation. It is named as a vulnerability and tracked as CVE-2019-9193. It is challenged by the PostgreSQL community and the CVE is now labeled as “disputed”.
The botnet scans random public network ranges and iterates all IP addresses. It looks for a PostgreSQL port exposed online. After the botnet found it, it starts a brute-force attack with a long list of passwords for the default PostgreSQL account, which is “postgres”. Then hackers escalate their access with the “copy from program” feature and deploy a mining application to mine for Monero cryptocurrency.