PGMiner, Innovative Monero-Mining Botnet, Surprises Researchers
#1
Information 
Quote:An innovative Linux-based cryptocurrency mining botnet has been uncovered, which exploits a disputed PostgreSQL remote code-execution (RCE) vulnerability to compromise database servers. The malware is unusual and completely novel in a host of ways, researchers said.
 
According to researchers at Palo Alto Networks’ Unit 42, the miner (dubbed “PGMiner”) exploits CVE-2019-9193 in PostgreSQL, also known as Postgres, which is a popular open-source relational database management system for production environments. They said this could be the first-ever cryptominer that targets the platform.
 
“The feature in PostgreSQL under exploitation is ‘copy from program,’ which was introduced in version 9.3 on Sept. 9, 2013,” according to Unit 42 researchers, in a Thursday post. “In 2018, CVE-2019-9193 was linked to this feature, naming it as a vulnerability. However, the PostgreSQL community challenged this assignment, and the CVE has been labeled as ‘disputed.'”
They added, “it is notable that malware actors have started to weaponize not only confirmed CVEs, but also disputed ones.”
 
The feature allows a local or remote superuser to run shell script directly on the server, which is ripe for exploitation by cyberattackers. However, there’s no risk for RCE as long as the superuser privilege is not granted to remote or untrusted users, and the access control and authentication system is properly configured, according to Unit 42. On the other hand, if it’s not properly configured, PostgreSQL can allow RCE on the server’s OS beyond the PostgreSQL software, “if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection,” researchers said. The latter scenario is exactly what PGMiner accomplishes.

The malware sample that Unit 42 analyzed statically links to a client library (“libpq postgresql”), which is used to scan for target database servers to be brute forced.
“The attacker scans port 5432 (0x1538), used by PostgreSQLql,” researchers said. “The malware randomly picks a public network range (e.g., 190.0.0.0, 66.0.0.0) in an attempt to perform RCE on the PostgreSQL server. With the user ‘postgres,’ which is the default user of the database, the attacker performs a brute-force attack iterating over a built-in list of popular passwords such as 112233 and 1q2w3e4r to crack the database authentication.”

Read more: https://threatpost.com/pgminer-monero-mi...et/162209/
[-] The following 2 users say Thank You to silversurfer for this post:
  • harlan4096, sgx
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
Microsoft Edge 150 Adds Google Account S...
Microsoft has adde...harlan4096 — 10:26
Free Download Manager 6.34.2.6926
Changes in 6.34.2....harlan4096 — 09:37
Bitdefender 27.0.60.341
Latest version of ...harlan4096 — 09:34
Microsoft Edge 150.0.4078.48
Version 150.0.4078...harlan4096 — 09:33
F-Secure 26.6
Version 26.6​ R...harlan4096 — 09:31

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (47)dapedDow
avatar (49)TromPerl
avatar (46)RidgeDimb
avatar (37)ipumaqar
avatar (51)tanliorsPeri
avatar (43)lapedDow
avatar (49)rituabew
avatar (37)omyjul
avatar (41)papedDow
avatar (50)ArnoldFum
avatar (38)yfaza
avatar (49)Kevensi
avatar (48)ConradRoand
avatar (39)boineDon
avatar (51)spoofTum
avatar (50)WillieVot
avatar (40)Grompelbawn
avatar (41)vkseogaF
avatar (37)usogy
avatar (40)ywixazok
avatar (38)ixoqe
avatar (56)Step 1
avatar (36)pa.OpenTran

[-]
Online Staff
There are no staff members currently online.

>