PgMiner botnet attacks weakly secured PostgreSQL databases


So far, only PostgreSQL databases running on Linux servers have been attacked.

Security researchers have discovered this week a botnet operation that targets PostgreSQL databases to install a cryptocurrency miner.

Codenamed PgMiner by researchers, the botnet is just the latest in a long list of recent cybercrime operations that target web-tech for monetary profits.

According to researchers at Palo Alto Networks’ Unit 42, the botnet operates by performing brute-force attacks against internet-accessible PostgreSQL databases.

The attacks follow a simple pattern.

The botnet randomly picks a public network range (e.g., then iterates through all IP addresses that are part of that range, searching for systems that have the PostgreSQL port (port 5432) exposed online.

If PgMiner finds an active PostgreSQL system, the botnet moves from the scanning phase to its brute-force phase, where it cycles through a long list of passwords in an attempt to guess the credentials for “postgres,” the default PostgreSQL account.

If PostgreSQL database owners have forgotten to disable this user or have forgotten to change its password, the hackers access the database and use the PostgreSQL COPY FROM PROGRAM feature to escalate their access from the database app to the underlying server and take over the whole OS.
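The sequence described above (repeated failed logins for "postgres", a successful login, then COPY FROM PROGRAM) can be looked for in the PostgreSQL server log. The following is an added example, not code from Unit 42 or from the original article; it assumes `log_line_prefix = '%m [%p] %h '`, `log_connections = on` and `log_statement = 'mod'`, and the log lines, table names, addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log, not taken from the Unit 42 report. Assumes
# log_line_prefix = '%m [%p] %h ', log_connections = on, log_statement = 'mod'.
P = "2020-12-10 03:14:{:02d}.000 UTC [{}] {} "
FAIL = 'FATAL:  password authentication failed for user "postgres"'
SAMPLE_LOG = "\n".join(
    [P.format(i, 4100 + i, "203.0.113.7") + FAIL for i in range(6)] + [
        P.format(7, 4107, "203.0.113.7") + "LOG:  connection authorized: user=postgres database=postgres",
        P.format(8, 4107, "203.0.113.7") + "LOG:  statement: COPY t_out FROM PROGRAM '<command>';",
        P.format(9, 4200, "198.51.100.20") + FAIL,
        P.format(10, 4201, "198.51.100.20") + "LOG:  connection authorized: user=postgres database=app",
        P.format(11, 4201, "198.51.100.20") + "LOG:  statement: COPY t_in FROM '/tmp/data.csv';",
    ])

LINE = re.compile(r"^\S+ \S+ \S+ \[\d+\] (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
AUTH_FAIL = re.compile(r'password authentication failed for user "postgres"')
AUTH_OK = re.compile(r"connection authorized: user=postgres\b")
# COPY ... FROM PROGRAM (and its TO PROGRAM sibling) runs a shell command on the server.
COPY_PROGRAM = re.compile(r"\bCOPY\b.+?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)

def analyze(log_text, fail_threshold=5):
    """Correlate, per client host, failed postgres logins, a later success, and COPY PROGRAM."""
    stats = defaultdict(lambda: {"failures": 0, "login_after_bruteforce": False, "copy_program": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line does not follow the assumed prefix
        s, msg = stats[m["host"]], m["msg"]
        if m["level"] == "FATAL" and AUTH_FAIL.search(msg):
            s["failures"] += 1
        elif AUTH_OK.search(msg) and s["failures"] >= fail_threshold:
            s["login_after_bruteforce"] = True
        elif msg.startswith("statement:") and COPY_PROGRAM.search(msg):
            s["copy_program"] = True
    return dict(stats)

def triage(stats, fail_threshold=5):
    """Map each suspicious host to a severity; hosts with nothing notable are omitted."""
    out = {}
    for host, s in stats.items():
        if s["login_after_bruteforce"] and s["copy_program"]:
            out[host] = "critical"  # guessed password, then OS command execution
        elif s["login_after_bruteforce"] or s["copy_program"]:
            out[host] = "high"
        elif s["failures"] >= fail_threshold:
            out[host] = "medium"  # brute force in progress, no success seen
    return out
```

Calling `triage(analyze(SAMPLE_LOG))` flags only the host that failed repeatedly, logged in, and then ran COPY FROM PROGRAM; the client with a single mistyped password and an ordinary file-based COPY is not reported.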

Once they have a more solid hold on the infected system, the PgMiner crew deploys a coin-mining application and attempts to mine as much Monero cryptocurrency as possible before they get detected.

According to Unit 42, at the time of their report, the botnet only had the ability to deploy miners on Linux MIPS, ARM, and x64 platforms.

Other notable features of the PgMiner botnet include the fact that its operators are controlling infected bots via a command and control (C2) server hosted on the Tor network and that the botnet’s codebase appears to resemble the SystemdMiner botnet.

PgMiner marks the second time a coin-miner operation targets PostgreSQL databases, with similar attacks seen in 2018, carried out by the StickyDB botnet.

Other database technologies that have also been targeted by crypto-mining botnets in the past include MySQL, MSSQL, Redis, and OrientDB.


