Security researchers have discovered this week a botnet operation that targets PostgreSQL databases to install a cryptocurrency miner.
Codenamed by researchers as PgMiner, the botnet is just the latest in a long list of recent cybercrime operations that target web-tech for monetary profits.
According to researchers at Palo Alto Networks’ Unit 42, the botnet operates by performing brute-force attacks against internet-accessible PostgreSQL databases.
The attacks follow a simple pattern.
The botnet randomly picks a public network range (e.g., 18.xxx.xxx.xxx) and then iterates through all IP addresses part of that range, searching for systems that have the PostgreSQL port (port 5432) exposed online.
If PgMiner finds an active PostgreSQL system, the botnet moves from the scanning phase to its brute-force phase, where it shuffles through a long list of passwords in an attempt to guess the credentials for “postgres,” the default PostgreSQL account.