Maintaining unprotected Internet-facing databases is a major security risk for IT departments. Unfortunately, this issue is becoming more prevalent as organizations transition towards cloud-native infrastructures.
Secureworks recently exposed a cybersecurity campaign demonstrating how hackers can locate and remove unsecured Elasticsearch databases within hours. They leave behind a ransom note demanding payment to restore the data.
What is Meow Attack?
Recent data-wiping attacks by the Meow bot have demonstrated how malicious actors can delete unsecured Internet-facing databases without making any ransom demand. The attack script overwrites database indexes with random numerical strings that have “meow” appended, wiping out the data associated with that database in the process.
These attacks appear to be targeting a broad range of vulnerable Elasticsearch and MongoDB databases that lack authentication or security access controls, according to one security researcher.
Though the exact motivation behind these Meow attacks remains uncertain, it’s believed they are an effort by vigilantes to teach administrators a lesson in security. Alternatively, the hackers may simply be playing a game, with no real intent of stealing or exposing any data stored in these databases.
Over the past few days, Meow has targeted dozens of vulnerable Elasticsearch and MongoDB databases, leaving behind its signature on server log files. This indicates that the bot is scanning for unprotected databases which are easily accessible online.
One of the first victims of this new threat was Hong Kong-based VPN provider UFO VPN. Recently, they had come under scrutiny for a breach that exposed private user data such as plain text passwords and VPN session tokens.
Security researcher Bob Diachenko had reached out to the owner of the affected database and warned of potential attacks. Unfortunately, a Meow attack struck within hours of UFO VPN agreeing to tighten their data protection measures – wiping out its entire database.
Though these attacks are likely to happen in the future, you can take steps to keep your data secure from such hazards. First and foremost, ensure you stay abreast of all patches and update schedules.
Another way to safeguard your data against these threats is to make sure you use an effective backup system. If you do not have one, cloud-based solutions such as Amazon Cloud Drive could provide the needed level of protection.
Meow Attack Targets Elasticsearch Databases
Many unprotected Internet-facing databases have become the target of an automated hacking attack known as Meow. This bot scours the web for unprotected servers running Elasticsearch, Redis or MongoDB and replaces their indexes with one containing “meow” and a string of random numbers. Once it discovers such a server, the bot destroys any data on it.
Security researcher Bob Diachenko first identified the attacks, which he believes to be the work of a vigilante trying to teach administrators a lesson in security. According to him, the actor is targeting all unsecured database types that can be reached over the internet – including Cassandra, CouchDB, Hadoop, Jenkins, Redis and network-attached storage devices.
As of July 25, more than 4,000 databases have been affected by the Meow attack, mostly running Elasticsearch clusters but also MongoDB and Cassandra.
Diachenko says these attacks are being carried out by an automated, large-scale system that scans the Internet for vulnerable servers and deletes their data. The bot leaves a “meow” signature in server log files, overwriting old values with one that includes both “meow” and random numbers.
These attacks have been highly effective, wiping out over 4,000 unprotected databases within hours. Organizations are now taking seriously the security of their database systems – which have become increasingly vital assets for enterprises and their users.
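The signature described above can be checked for directly. The following is an added example, not code from the researchers or vendors cited here: it scans a constructed Elasticsearch `_cat/indices` listing for names ending in “meow” and compares the listing with an operator's baseline. The regular expression, index names and baseline are assumptions.

```python
import json
import re

# Assumed name shape: a random run of digits/letters, an optional separator, then "meow".
MEOW_NAME = re.compile(r"^[0-9a-z]{6,}[-_]?meow$", re.IGNORECASE)

# Constructed sample in the shape of Elasticsearch `GET _cat/indices?format=json`.
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "8417302956-meow", "docs.count": "0", "store.size": "230b"},
    {"index": "5520917743-meow", "docs.count": "0", "store.size": "230b"},
    {"index": "app-logs-2020.07", "docs.count": "182340", "store.size": "95mb"},
    {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
])

# Constructed baseline: the indices the operator expects to exist.
EXPECTED = {"app-logs-2020.07", "customers", "sessions", ".kibana_1"}


def assess_indices(cat_json, expected):
    """Return signature hits, missing baseline indices and a verdict."""
    rows = json.loads(cat_json)
    present = {row["index"] for row in rows}
    hits = sorted(name for name in present if MEOW_NAME.match(name))
    # An empty index carrying the signature matches the overwrite-and-wipe pattern.
    empty_hits = sorted(r["index"] for r in rows
                        if r["index"] in hits and int(r.get("docs.count") or 0) == 0)
    missing = sorted(expected - present)
    if hits and missing:
        verdict = "wiped"         # signature present and expected data gone
    elif hits:
        verdict = "signature"     # signature present, baseline still intact
    elif missing:
        verdict = "missing-data"  # data gone without the signature
    else:
        verdict = "ok"
    return {"hits": hits, "empty_hits": empty_hits,
            "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    print(assess_indices(SAMPLE_CAT_INDICES, EXPECTED))
```

Run against a saved listing on a schedule, a change from `ok` to any other verdict is the point at which to restore from backup and close the exposure.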
Researchers at Qualys have noted that Elasticsearch and MongoDB databases are the most frequent targets of the Meow bot due to their open source nature, making them easy for hackers to access. Additionally, these systems offer an avenue for them to discover and exploit vulnerabilities across a variety of systems.
Recently, a Meow attack erased data from Hong Kong-based VPN provider UFO VPN’s Elasticsearch database, which made headlines after 1.2 terabytes of private user data was leaked by security researchers. Furthermore, an owner of a recently hacked Twitter account reported their computer had been “meowed” by an attacker who deleted all documents previously cleaned from the site.
Meow Attack Targets MongoDB Databases
MongoDB, a document-oriented database, offers considerable business benefits and is increasingly being chosen by enterprises looking to scale up and adapt. But just like all other databases, proper security is paramount in keeping them free from hackers and data thieves.
Unfortunately, some organizations have failed to take the necessary precautions for protecting their databases. As a result, they have become vulnerable to hacks and malware that threaten both their data and even the viability of their organization.
These vulnerable Internet-facing databases can be targeted within hours by hackers for various reasons; one recent attack specifically targeted Elasticsearch and MongoDB installations that had been left unprotected.
These Meow Attacks involve a bot script that searches for vulnerable installations of Elasticsearch and MongoDB, scans them for vulnerabilities, then overwrites database indexes with random sets of numbers ending in “meow.” These unauthorized updates have caused significant disruption to many affected systems.
One week later, attacks targeting over 1,000 databases – mostly Elasticsearch and MongoDB – were discovered. Bob Diachenko, cyber threat intelligence director at Security Discovery, reports that one such attack erased the database of a Hong Kong-based VPN provider.
Since then, Meow Attack has also destroyed the databases of numerous other companies around the world, including in both America and China. Furthermore, its victim list continues to grow.
With the rise in unprotected databases, organizations must take proactive measures to ensure their databases remain safe from malicious attacks. By auditing and monitoring database activity and controlling access rights, administrators can keep their databases from being hacked.
Additionally, keeping passwords up to date and rotating them regularly will help prevent hackers from gaining access to the data. And if they are unable to gain entry, database activity monitoring (DAM) software can reduce the time needed to detect and report such events.
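One way to audit for the exposure these attacks rely on, as an added example rather than any vendor's tool: it flags Elasticsearch and MongoDB configurations that listen on a non-loopback address without authentication. The sample configs are constructed, the YAML reader handles only simple nested `key: value` files, and treating an absent `xpack.security.enabled` as disabled is an assumption (the default depends on the Elasticsearch version).

```python
import ipaddress

def flatten_yaml(text):
    """Flatten simple indented `key: value` YAML into dotted keys (no lists)."""
    flat, stack = {}, []  # stack: (indent, key) of the open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            path = ".".join([k for _, k in stack] + [key.strip()])
            flat[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return flat

def exposed(addresses):
    """True if any comma-separated bind address is not loopback."""
    for addr in (a.strip() for a in addresses.split(",")):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:  # hostname or special value such as _site_
            if addr not in ("localhost", "_local_"):
                return True
    return False

def audit(kind, text):
    """Flag a config that is reachable off-host and has no authentication."""
    cfg = flatten_yaml(text)
    if kind == "elasticsearch":
        reachable = exposed(cfg.get("network.host", "_local_"))
        authed = cfg.get("xpack.security.enabled", "false").lower() == "true"
    else:  # "mongodb"
        reachable = (cfg.get("net.bindIpAll", "false").lower() == "true"
                     or exposed(cfg.get("net.bindIp", "localhost")))
        authed = cfg.get("security.authorization", "disabled") == "enabled"
    return {"reachable": reachable, "authenticated": authed,
            "at_risk": reachable and not authed}

# Constructed sample configs: the weak setting beside the corrected one.
ES_WEAK = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
ES_FIXED = "network:\n  host: 127.0.0.1\nxpack.security.enabled: true\n"
MONGO_WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
MONGO_FIXED = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
```

A config file is only one layer: a firewall or cloud security group can still block or expose the port, so a clean result here does not replace checking reachability from outside the network.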
Hopefully, these attacks serve as a reminder to users that database security must remain an ongoing process. By following best practices and ensuring they remain up-to-date, users will be better protected against future Meow Attacks.
Meow Attack Targets Cassandra Databases
Cassandra is one of the most widely used database engines, used for logging analytics, performance monitoring and security analytics. Users appreciate its speed and capacity to search through vast amounts of data in milliseconds.
Cassandra databases that are left unsecured can be easily penetrated by malicious hackers aiming to obtain sensitive information. This could include personal details like customer IDs, passwords and encryption keys, as well as company info like IP addresses and network connectivity timestamps.
Recently, cybercriminals have been targeting unprotected Internet-facing databases with an automated attack dubbed the “Meow” attack. This type of assault is intended to wipe out databases without leaving behind any evidence as to what or why it occurred.
The Meow Attack is an automated malware attack that targets unprotected Elasticsearch, MongoDB and Cassandra databases with no password or authentication protection. The malicious software wipes out these unsecured databases in a controlled manner by replacing database indexes with random sets of numbers ending in “meow.”
Comparitech researcher Bob Diachenko first noted this type of automated attack at the end of July 2020. It targeted Hong Kong-based VPN provider UFO VPN, which had recently made headlines for another breach that exposed plaintext account passwords and VPN session tokens.
Diachenko quickly moved the database to another secure location, but Meow soon wiped all the records in it again. This time, all information in the database was lost forever.
The Meow bot appears to be a straightforward script that scans the Internet for databases running Elasticsearch, MongoDB and Redis software and then destroys them automatically. It remains unknown whether this bot is being used by malicious actors or vigilantes.
However, attacks appear to be targeting any database that is accessible to the public – including systems running Elasticsearch, MongoDB and Cassandra as well as Redis, Hadoop, Apache ZooKeeper and Jenkins.
Meow attacks are spreading rapidly, wiping out thousands of machines within hours. As of midday Friday, over 4,000 unprotected database instances have been lost to these attacks.


