A newly discovered Linux-based cryptocurrency mining botnet exploited a disputed remote code execution (RCE) vulnerability in PostgreSQL – first disclosed in 2018 and initially assigned CVE-2019-9193 – in order to compromise database servers and co-opt them into the mining network, researchers at Palo Alto Networks’ Unit 42 team say.

Dubbed PGMiner by the research team of Xiao Zhang, Yang Ji, Jim Fitzgerald, Yue Chen and Claud Xiao, the botnet is thought to be the first cryptomining botnet delivered via PostgreSQL ever to be detected. The team said it was notable that malicious actors had started to weaponise not just confirmed CVEs, but disputed ones.
PostgreSQL, one of the most widely-used open source relational database management systems for production environments, has previously stated that CVE-2019-9193 is “not a security vulnerability” and that it was likely filed in error.
CVE-2019-9193 centres on the COPY ... TO/FROM PROGRAM feature, which lets database superusers, and members of the “pg_execute_server_program” role, run an arbitrary shell command on the database host in the context of the operating system user the server runs as. The feature is enabled by default and works on Windows, Linux and macOS, so anyone holding those privileges can run arbitrary OS commands on the server.
However, according to PostgreSQL, this is not a vulnerability because the functionality is working as intended. By design, it says, there is no security boundary between a database superuser and the OS user the server runs as, and for exactly that reason the PostgreSQL server refuses to run as an OS superuser such as root.
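The following psql session, an added example that is not taken from the article or from Unit 42's report, shows the behaviour the CVE describes and the privilege check PostgreSQL relies on instead of a patch: as a superuser, COPY ... FROM PROGRAM runs a shell command on the database host; as an ordinary role it is refused. The table name cmd_output and the role name app_user are illustrative choices made for this example, and the commands run are harmless (`id`, `uname`).

```sql
-- Added example, not code from the article or from Unit 42. Run as a superuser in psql.
-- Table and role names are illustrative.

-- 1. A scratch table to receive the command's standard output.
CREATE TEMP TABLE cmd_output (line text);

-- 2. COPY ... FROM PROGRAM executes the string with the shell on the database host,
--    as the OS account the server runs under (typically "postgres"), and loads stdout.
--    It requires superuser or membership in pg_execute_server_program (PostgreSQL 11+;
--    on older releases only superusers can use it).
COPY cmd_output FROM PROGRAM 'id; uname -a';
SELECT * FROM cmd_output;
-- Returns rows such as "uid=...(postgres) gid=...(postgres) ...": the command ran on the
-- server host, not on the client, which is the whole of the "RCE".

-- 3. The same statement from a role without the privilege is refused. This is
--    PostgreSQL's point: the feature is gated by privilege, not by a boundary that a
--    fix could add, so the control is who holds superuser or that role membership.
CREATE ROLE app_user;            -- ordinary, non-superuser role for the demonstration
SET ROLE app_user;
COPY cmd_output FROM PROGRAM 'id';
-- ERROR:  must be superuser or a member of the pg_execute_server_program role
--         to COPY to or from an external program
RESET ROLE;

-- 4. Clean up the demonstration role.
DROP ROLE app_user;
```

The exploit path the article describes is therefore only ever "obtain a superuser (or pg_execute_server_program) session", by password brute force or by injecting into a connection that already holds it; once that is achieved, the COPY statement itself is ordinary, documented functionality.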
“We encourage all users of PostgreSQL to follow the best practice that is to never grant superuser access to remote or otherwise untrusted users. This is a standard security operating procedure that is followed in system administration and extends to database administration as well,” the firm said at the time.
“The main argument against defining the feature as a vulnerability is that the feature itself does not impose a risk as long as the superuser privilege is not granted to remote or untrusted users and the access control and authentication system works well,” wrote the Unit 42 research team in a disclosure announcement.
They continued: “On the other side, security researchers worry that this feature indeed makes PostgreSQL a stepping stone for remote exploit and code execution directly on the server’s OS beyond the PostgreSQL software, if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection.
“While this CVE is still being disputed, malware authors apparently have started to use it to stay under the detection radar by making the attack payload fileless.”
In any case, PGMiner abuses the COPY ... FROM PROGRAM feature to download and launch its coin-mining scripts. The team noted that the mining payload was not detected by VirusTotal at the time of writing, and that the mining pool it attempted to connect to is no longer active.
The team said PGMiner had been able to remain unnoticed for some time by exploiting the disputed vulnerability, and that, if developed further, it could be highly disruptive because PostgreSQL is so widely used; with additional effort it could be made to target all major operating systems. Further details are in Unit 42’s report.
Users of Palo Alto’s next-generation firewall are already protected against PGMiner, the company said. Other PostgreSQL users can close the route PGMiner uses by revoking membership of the “pg_execute_server_program” role from any role that does not need it. Note, however, that a superuser keeps the capability no matter what is revoked, so the control that actually matters is the one PostgreSQL itself recommends: never expose a superuser account to remote or untrusted users, and keep authentication (pg_hba.conf, strong passwords) tight enough that a brute-force attempt or an SQL injection cannot land in a superuser session in the first place.
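To act on that mitigation, the audit and hardening statements below, an added example rather than anything from the article or Unit 42, list every role that can reach the OS through COPY ... FROM PROGRAM and then withdraw the privilege from an application role that should not have it. The role name app_user is an illustrative assumption; the catalog views and functions (pg_roles, pg_has_role) are standard PostgreSQL.

```sql
-- Added example, not code from the article or from Unit 42. Run as a superuser.
-- Role names are illustrative.

-- 1. Every role that can run COPY ... FROM PROGRAM: superusers, plus direct or inherited
--    members of pg_execute_server_program. pg_has_role() reports superusers as members of
--    every role, which is correct here because they can use the feature regardless.
--    Any login role in this list that an application or a remote client uses is the
--    exposure PGMiner relies on.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_copy_program
FROM pg_roles AS r
WHERE r.rolname NOT LIKE 'pg\_%'            -- skip the built-in predefined roles
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolname;

-- 2. Withdraw an explicit grant from an application role that was given it.
REVOKE pg_execute_server_program FROM app_user;

-- 3. Revoking membership does nothing for a superuser, so an application account that
--    was created as a superuser has to be demoted, then granted only what it needs.
ALTER ROLE app_user NOSUPERUSER;

-- 4. Re-run the audit in step 1; app_user should no longer appear.
```

Run the audit on every reachable PostgreSQL instance, not just the ones known to be exposed: the roles that remain in the list are the accounts whose passwords and pg_hba.conf entries deserve the most scrutiny, since a brute-forced login to any of them is an OS shell on the host.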
All Rights Reserved, Copyright 2000 – 2020, TechTarget