Cryptoforex – PgMiner botnet attacks weakly secured PostgreSQL databases
Security researchers have discovered this week a botnet operation that targets PostgreSQL databases to install a cryptocurrency miner.
Codenamed PgMiner by researchers, the botnet is just the latest in a long list of recent cybercrime operations that target web technologies for financial gain.
According to researchers at Palo Alto Networks’ Unit 42, the botnet operates by performing brute-force attacks against internet-accessible PostgreSQL databases.
The attacks follow a simple pattern.
The botnet randomly picks a public network range (e.g., 18.xxx.xxx.xxx) and then iterates through all IP addresses in that range, looking for systems that have the PostgreSQL port (port 5432) exposed online.
If PgMiner finds an active PostgreSQL system, the botnet moves from the scanning phase to its brute-force phase, where it cycles through a long list of passwords in an attempt to guess the credentials for “postgres,” the default PostgreSQL account.
If PostgreSQL database owners have forgotten to disable this user or have forgotten to change its password, the attackers access the database and use the PostgreSQL COPY FROM PROGRAM feature to escalate their access from the database application to the underlying server and take over the entire OS.
Once they have a more solid hold on the infected system, the PgMiner crew deploys a coin-mining application and attempts to mine as much Monero cryptocurrency as possible before they get detected.
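A defender-side check that follows from the attack chain above (an added example, not code from the Unit 42 report): it scans PostgreSQL server log lines for repeated failed logins against one account from one address, and for any COPY ... FROM PROGRAM or TO PROGRAM statement, the feature the article names as the escalation step. The log lines are constructed and assume a log_line_prefix of '%m [%p] %r %u@%d ' so that the remote address appears on each line.

```python
import re
from collections import Counter

# Constructed sample PostgreSQL log lines (not taken from the article). They assume
# log_line_prefix = '%m [%p] %r %u@%d ' so the remote address appears on each line.
SAMPLE_LOG = """\
2020-12-10 08:00:01.101 UTC [2231] 203.0.113.7(51112) postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 08:00:01.302 UTC [2232] 203.0.113.7(51113) postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 08:00:01.504 UTC [2233] 203.0.113.7(51114) postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 08:00:02.010 UTC [2234] 198.51.100.9(40001) app@inventory LOG:  statement: SELECT count(*) FROM orders
2020-12-10 08:00:03.777 UTC [2235] 203.0.113.7(51120) postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2020-12-10 08:00:04.121 UTC [2235] 203.0.113.7(51120) postgres@postgres LOG:  statement: COPY tmp FROM PROGRAM 'id'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<host>[^\s(]+)\(\d+\) "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# COPY ... FROM PROGRAM / TO PROGRAM hands a shell command to the server process;
# it needs superuser or the pg_execute_server_program role, so any use deserves review.
PROGRAM_COPY_RE = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE)


def analyze(log_text, threshold=3):
    """Return brute-force candidates and COPY ... PROGRAM statements seen in the log."""
    failures = Counter()
    program_copies = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or lines with another prefix are skipped
        host, msg = m.group("host"), m.group("msg")
        fail = AUTH_FAIL_RE.search(msg)
        if fail:
            failures[(host, fail.group("user"))] += 1
        elif msg.startswith("statement: ") and PROGRAM_COPY_RE.search(msg):
            program_copies.append((host, m.group("user"), msg[len("statement: "):]))
    brute_force = [(h, u, n) for (h, u), n in failures.items() if n >= threshold]
    return {"brute_force": brute_force, "program_copy": program_copies}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Statement logging (log_statement = 'all' or 'ddl' does not cover COPY; 'all' does) and log_connections must be enabled for the second check to see anything.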
According to Unit 42, at the time of their report, the botnet only had the ability to deploy miners on Linux MIPS, ARM, and x64 platforms.
Other notable features of the PgMiner botnet include the fact that its operators have been controlling infected bots via a command and control (C2) server hosted on the Tor network, and that the botnet’s codebase appears to resemble the SystemdMiner botnet.
PgMiner marks the second time a coin-miner operation has targeted PostgreSQL databases, with similar attacks seen in 2018, carried out by the StickyDB botnet.
Other database technologies that have also been targeted by crypto-mining botnets in the past include MySQL, MSSQL, Redis, and OrientDB.