PGMiner, Innovative Monero-Mining Botnet, Surprises Researchers
Quote: An innovative Linux-based cryptocurrency mining botnet has been uncovered, which exploits a disputed PostgreSQL remote code-execution (RCE) vulnerability to compromise database servers. The malware is unusual and completely novel in a host of ways, researchers said.
 
According to researchers at Palo Alto Networks’ Unit 42, the miner (dubbed “PGMiner”) exploits CVE-2019-9193 in PostgreSQL, also known as Postgres, which is a popular open-source relational database management system for production environments. They said this could be the first-ever cryptominer that targets the platform.
 
“The feature in PostgreSQL under exploitation is ‘copy from program,’ which was introduced in version 9.3 on Sept. 9, 2013,” according to Unit 42 researchers, in a Thursday post. “In 2018, CVE-2019-9193 was linked to this feature, naming it as a vulnerability. However, the PostgreSQL community challenged this assignment, and the CVE has been labeled as ‘disputed.’”
They added, “it is notable that malware actors have started to weaponize not only confirmed CVEs, but also disputed ones.”
 
The feature allows a local or remote superuser to run shell script directly on the server, which is ripe for exploitation by cyberattackers. However, there’s no risk for RCE as long as the superuser privilege is not granted to remote or untrusted users, and the access control and authentication system is properly configured, according to Unit 42. On the other hand, if it’s not properly configured, PostgreSQL can allow RCE on the server’s OS beyond the PostgreSQL software, “if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection,” researchers said. The latter scenario is exactly what PGMiner accomplishes.

The malware sample that Unit 42 analyzed statically links to a client library (“libpq postgresql”), which is used to scan for target database servers to be brute forced.
“The attacker scans port 5432 (0x1538), used by PostgreSQL,” researchers said. “The malware randomly picks a public network range (e.g., 190.0.0.0, 66.0.0.0) in an attempt to perform RCE on the PostgreSQL server. With the user ‘postgres,’ which is the default user of the database, the attacker performs a brute-force attack iterating over a built-in list of popular passwords such as 112233 and 1q2w3e4r to crack the database authentication.”

Read more: https://threatpost.com/pgminer-monero-mi...et/162209/
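The two behaviours the article describes (a password brute force against the default `postgres` account over port 5432, followed by `COPY ... FROM PROGRAM` once superuser access is obtained) both leave traces in the PostgreSQL server log, and the precondition Unit 42 names (superuser reachable from untrusted networks) is visible in `pg_hba.conf`. The following is an added detection example written for this post; it is not code from Unit 42, Threatpost or the PostgreSQL project. It assumes a `log_line_prefix` of `'%m [%p] %u@%d %h '` and `log_statement = 'all'`, and the log lines and `pg_hba.conf` fragments are constructed (the 190.0.0.1 client address is picked from the 190.0.0.0 range the article mentions; the rest is made up).

```python
"""Flag PGMiner-style activity in PostgreSQL logs and weak pg_hba.conf rules.

Assumed server settings (not from the article):
    log_line_prefix = '%m [%p] %u@%d %h '   # timestamp, pid, user@db, client host
    log_statement   = 'all'                 # so COPY ... FROM PROGRAM is logged
Log lines and pg_hba.conf fragments below are constructed for illustration.
"""
import re
from collections import Counter

# One log line under the assumed prefix: "<ts> [<pid>] <user>@<db> <host> <LEVEL>:  <msg>".
# Lines from background processes (empty user/host) do not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]*)@(?P<db>\S*) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# The 'copy from program' feature: COPY ... FROM PROGRAM (and its TO PROGRAM twin).
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_bruteforce(entries, threshold=5):
    """Map (client host, user) -> failed-login count for pairs at or above threshold."""
    fails = Counter()
    for e in entries:
        if e["level"] == "FATAL":
            m = AUTH_FAIL_RE.search(e["msg"])
            if m:
                fails[(e["host"], m.group("user"))] += 1
    return {k: v for k, v in fails.items() if v >= threshold}


def detect_copy_program(entries):
    """List (client host, user, statement) for every COPY ... FROM/TO PROGRAM statement."""
    hits = []
    for e in entries:
        if e["level"] == "LOG" and e["msg"].startswith("statement: "):
            stmt = e["msg"][len("statement: "):]
            if COPY_PROGRAM_RE.search(stmt):
                hits.append((e["host"], e["user"], stmt))
    return hits


def analyze(log_text, threshold=5):
    """Run both detectors over raw log text."""
    entries = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    return {
        "bruteforce": detect_bruteforce(entries, threshold),
        "copy_program": detect_copy_program(entries),
    }


def weak_hba_rules(hba_text):
    """Flag pg_hba.conf host rules that let the superuser (or every role) in from any address.

    Format per rule: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]. A wide ADDRESS with
    USER 'all' or 'postgres' is exactly the exposure the article warns about, whatever
    the METHOD, because the brute force works against any password method; 'trust' is
    worse still because it needs no password at all.
    """
    findings = []
    for raw in hba_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("host", "hostssl", "hostnossl"):
            continue
        _, _database, user, address, method = parts[:5]
        wide = address in ("0.0.0.0/0", "::/0", "all")
        if wide and user in ("all", "postgres") and method != "reject":
            reason = "no authentication (trust)" if method == "trust" else "superuser reachable from any address"
            findings.append((reason, line))
    return findings


# Constructed sample log: six failed logins from one host, then a success and COPY FROM PROGRAM.
SAMPLE_LOG = "\n".join(
    [f'2020-12-10 09:16:0{i}.100 UTC [220{i}] postgres@postgres 190.0.0.1 FATAL:  '
     f'password authentication failed for user "postgres"' for i in range(1, 7)]
    + [
        "2020-12-10 09:16:07.200 UTC [2208] postgres@postgres 190.0.0.1 LOG:  connection authorized: user=postgres database=postgres",
        "2020-12-10 09:16:07.300 UTC [2208] postgres@postgres 190.0.0.1 LOG:  statement: COPY t FROM PROGRAM 'id'",
        "2020-12-10 09:20:00.000 UTC [2301] app@appdb 10.0.0.5 LOG:  statement: SELECT 1",
        '2020-12-10 09:20:01.000 UTC [2302] app@appdb 10.0.0.7 FATAL:  password authentication failed for user "app"',
    ]
)
# Constructed pg_hba.conf fragments: the exposed configuration and a tightened one.
HBA_WEAK = "host    all    all    0.0.0.0/0    md5\n"
HBA_OK = "host    all    all    10.0.0.0/8    scram-sha-256\nhostssl app app 10.0.5.0/24 scram-sha-256\n"

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    print(weak_hba_rules(HBA_WEAK), weak_hba_rules(HBA_OK))
```

Treat a burst of `FATAL: password authentication failed` for `postgres` from one host as the scanner, and any `COPY ... FROM PROGRAM` from a client address that just brute-forced its way in as the compromise itself. When auditing who can use the feature, remember that besides superusers, PostgreSQL 11 and later also grant it to members of the `pg_execute_server_program` role, so list that role's members as well.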


Messages In This Thread
PGMiner, Innovative Monero-Mining Botnet, Surprises Researchers - by silversurfer - 12 December 20, 09:16