Security researchers this week discovered a botnet operation that targets PostgreSQL databases in order to install a cryptocurrency miner.
Codenamed PgMiner by the researchers, the botnet is only the latest in a long list of recent cybercrime operations that target web technologies for monetary profit.
According to researchers at Palo Alto Networks' Unit 42, the botnet operates by performing brute-force attacks against internet-accessible PostgreSQL databases.
The attacks follow a simple pattern.
The botnet randomly picks a public network range (e.g., 18.xxx.xxx.xxx) and then iterates through every IP address in that range, looking for systems that have the PostgreSQL port (port 5432) exposed to the internet.
If PgMiner finds a live PostgreSQL system, the botnet moves from its scanning phase to its brute-force phase, where it cycles through a long list of passwords in an attempt to guess the credentials of "postgres," the default PostgreSQL account.
If the database owners have neither disabled this user nor changed its password, the attackers gain access to the database and use the PostgreSQL COPY FROM PROGRAM feature to escalate from the database application to the underlying server and take over the entire OS.
Once they have a firmer hold on the infected system, the PgMiner crew deploys a coin-mining application and attempts to mine as much Monero cryptocurrency as possible before being detected.
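The two stages described above, a password-guessing run against the "postgres" account followed by a COPY FROM PROGRAM statement, both leave traces in the server log, and that is where a defender can catch them. The following detection script is an added example written for this article; it is not code from the article or from Unit 42. It assumes the server was started with `log_line_prefix = '%m [%p] %u@%d %h '` and `log_statement = 'all'` (both assumptions; adjust the regex to your own prefix), and the log lines it scans are constructed samples, not a capture of a real PgMiner intrusion. It flags any remote host that accumulates too many failed password logins inside a short window, and any logged statement that uses COPY with PROGRAM in either direction (TO PROGRAM executes a command on the host just as FROM PROGRAM does, so both are checked).

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log_line_prefix = '%m [%p] %u@%d %h ' (an assumption; adapt to your prefix).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] "
    r"(?P<user>[^@\s]*)@(?P<db>\S*) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# COPY ... FROM PROGRAM and COPY ... TO PROGRAM both run a shell command on the DB host.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)

# Constructed sample log (not real traffic): six failed logins from one host in
# eleven seconds, one unrelated failure, a later successful login from the
# brute-forcing host, a COPY FROM PROGRAM statement, and a benign file COPY.
SAMPLE_LOG = """\
2020-12-10 09:15:01.101 UTC [2211] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:03.412 UTC [2212] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:05.730 UTC [2213] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:08.009 UTC [2214] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:10.288 UTC [2215] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:12.557 UTC [2216] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:20:44.001 UTC [2290] app@inventory 198.51.100.4 FATAL:  password authentication failed for user "app"
2020-12-10 09:21:02.330 UTC [2301] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2020-12-10 09:21:03.019 UTC [2301] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'echo placeholder'
2020-12-10 09:30:15.500 UTC [2350] app@inventory 10.0.0.12 LOG:  statement: COPY items FROM '/var/lib/postgresql/items.csv' CSV
""".splitlines()


def parse_line(line):
    """Split one log line into its prefix fields and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_brute_force(records, threshold=5, window=timedelta(minutes=1)):
    """Alert on hosts with at least `threshold` failed password logins inside any `window`."""
    failures = defaultdict(list)
    for r in records:
        m = AUTH_FAIL_RE.search(r["msg"])
        if r["level"] == "FATAL" and m:
            failures[r["host"]].append((r["ts"], m.group("user")))
    alerts = []
    for host, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"type": "brute_force", "host": host,
                           "failures_in_window": best,
                           "users": sorted({u for _, u in events})})
    return alerts


def detect_copy_from_program(records):
    """Alert on any logged statement that hands a shell command to COPY ... PROGRAM."""
    alerts = []
    for r in records:
        if r["msg"].startswith("statement:") and COPY_PROGRAM_RE.search(r["msg"]):
            alerts.append({"type": "copy_from_program", "host": r["host"],
                           "user": r["user"],
                           "statement": r["msg"][len("statement:"):].strip()})
    return alerts


def analyze(lines, **kw):
    """Parse the log and return brute-force alerts followed by COPY PROGRAM alerts."""
    records = [r for r in map(parse_line, lines) if r]
    return detect_brute_force(records, **kw) + detect_copy_from_program(records)


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2, default=str))
```

On the sample log the script raises two alerts: one for 203.0.113.7 with six failures inside the window, and one for the COPY FROM PROGRAM statement run by the "postgres" user once that same host got in. The single failure from 198.51.100.4 and the file-based COPY stay quiet. A COPY PROGRAM alert from a role that has no business running it is a high-confidence signal on its own; the brute-force alert is most useful when fed to a firewall rule or to the decision to stop exposing port 5432 to the internet at all.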
According to Unit 42, at the time of its report the botnet could only deploy miners on Linux MIPS, ARM, and x64 platforms.
Other notable features of the PgMiner botnet include the fact that its operators controlled infected bots through a command and control (C2) server hosted on the Tor network, and that the botnet's codebase appears to resemble the SystemdMiner botnet.
PgMiner marks the second time a coin-miner operation has targeted PostgreSQL databases, with similar attacks seen in 2018, carried out by the StickyDB botnet.
Other database technologies that crypto-mining botnets have targeted in the past include MySQL, MSSQL, Redis, and OrientDB.