Security News > 2020 > December > 'PGMiner' Crypto-Mining Botnet Abuses PostgreSQL for Distribution
Palo Alto Networks security researchers have discovered a Linux-based cryptocurrency-mining botnet that being delivered via PostgreSQL. Dubbed PGMiner, the botnet exploits a remote code execution vulnerability in PostgreSQL to compromise database servers and then abuse them for mining for the Monero cryptocurrency.
An open source relational database management system widely used in production environments, PostgreSQL has a "Copy from program" feature that was labeled as a vulnerability, something that the PostgreSQL security team quickly disputed.
Introduced in PostgreSQL 9.3 in 2013, the feature allows a superuser to run shell scripts on the server.
The argument is that superuser privileges are required to use the feature and that it won't be a risk if the access control and authentication system works as expected, but researchers fear that it opens PostgreSQL to remote exploitation and code execution directly on the server.
"PGMiner can potentially be disruptive, as PostgreSQL is widely adopted in PDMS. With additional effort, the malware could target all major operating systems. For example, PostgreSQL is available for all major platforms, including macOS, Windows and Linux. Theoretically, the malware actors could implement another version of PGMiner by targeting a new platform, such as Windows, and deliver it using PostgreSQL," Palo Alto Networks concludes.
News URL
Related news
- New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining (source)
- New Malware PG_MEM Targets PostgreSQL Databases for Crypto Mining (source)
- Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns (source)
- Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking (source)