Researchers at Palo Alto Networks have discovered the PgMiner botnet, which specializes in compromising poorly protected PostgreSQL databases in order to install cryptocurrency miners.
The botnet follows a scheme long established among criminals: it randomly selects a range of IP addresses (for example, 18.xxx.xxx.xxx) and then scans every address in that range for systems with port 5432 (PostgreSQL) open. When it finds a live PostgreSQL instance, it moves from scanning to a brute-force attack, working through a long password list in an attempt to guess the credentials of the default PostgreSQL account (postgres).
If the database owner forgot to disable this account or left its password unchanged, the attackers gain access to the database and then use the COPY FROM PROGRAM feature (CVE-2019-9193 was assigned to it, though many in the PostgreSQL community refused to acknowledge it as a bug) to extend their access from the database to the server and its OS. Having established control over the system, the PgMiner operators deploy a miner on the infected server to mine the Monero cryptocurrency.
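The two stages described above, a burst of failed logins against the postgres account followed by a COPY ... FROM PROGRAM statement from the same client, both leave traces in the PostgreSQL server log. As an added example (not code from the article or from Palo Alto Networks), the following Python scans constructed log lines for both signals; it assumes log_line_prefix = '%m [%p] %u@%d %h ' and log_statement = 'all', and the shell command in the sample COPY statement is a redacted placeholder.

```python
import re
from collections import Counter

# Constructed sample log (not from the article). Assumes
# log_line_prefix = '%m [%p] %u@%d %h ' and log_statement = 'all'.
SAMPLE_LOG = """\
2020-12-10 09:15:01.123 UTC [2231] postgres@postgres 203.0.113.45 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:01.987 UTC [2232] postgres@postgres 203.0.113.45 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:02.410 UTC [2233] postgres@postgres 203.0.113.45 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:02.955 UTC [2234] postgres@postgres 203.0.113.45 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:03.500 UTC [2235] postgres@postgres 203.0.113.45 FATAL:  password authentication failed for user "postgres"
2020-12-10 09:15:04.120 UTC [2236] postgres@postgres 203.0.113.45 LOG:  connection authorized: user=postgres database=postgres
2020-12-10 09:15:04.300 UTC [2236] postgres@postgres 203.0.113.45 LOG:  statement: COPY tmp FROM PROGRAM '<redacted shell command>'
2020-12-10 09:16:10.000 UTC [2250] app@inventory 10.0.0.8 FATAL:  password authentication failed for user "app"
2020-12-10 09:16:15.000 UTC [2251] app@inventory 10.0.0.8 LOG:  statement: COPY items FROM '/srv/export/items.csv'
"""

# One log line: timestamp, [pid], user@db, remote host, LEVEL:  message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# COPY ... FROM PROGRAM is the path to OS command execution the article describes
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)


def analyze(log_text, threshold=5):
    """Return (brute_force, copy_program, pgminer_like).
    brute_force:  {(host, user): failed-login count} at or above threshold
    copy_program: [(host, user, statement)] for every COPY ... FROM PROGRAM
    pgminer_like: hosts that both brute-forced and then ran COPY FROM PROGRAM
    """
    failures = Counter()
    copy_program = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed line (e.g. DETAIL/HINT continuation)
        fail = AUTH_FAIL_RE.search(m["msg"])
        if fail:
            failures[(m["host"], fail["user"])] += 1
        elif COPY_PROGRAM_RE.search(m["msg"]):
            copy_program.append((m["host"], m["user"], m["msg"]))
    brute_force = {k: n for k, n in failures.items() if n >= threshold}
    brute_hosts = {host for host, _ in brute_force}
    pgminer_like = sorted({h for h, _, _ in copy_program if h in brute_hosts})
    return brute_force, copy_program, pgminer_like
```

A plain COPY from a file path (the last sample line) is a normal bulk load and is deliberately not flagged; only the PROGRAM variant is.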
According to researchers, the botnet is currently able to install miners only on Linux MIPS, ARM and x64 platforms.
The researchers also note that the PgMiner command-and-control server, from which the operators control infected bots, is hosted on Tor, and that the botnet's codebase resembles another similar malware, SystemdMiner.