More than 1,000 exposed databases on the web have been wiped by unknown threat actors in a series of attacks that delete data and replace it with the word "meow."
The "meow" attacks have affected databases running on a variety of software, including Elasticsearch, MongoDB and others. The motive behind the attacks remains unknown, as no ransom demands have been disclosed.
Bob Diachenko, cyber threat intelligence director for Security Discovery, observed the first "meow attack" on Tuesday, which erased data from Hong Kong-based VPN provider UFO VPN.
"New ElasticSearch bot attack does not contain any ransom or threats, just 'meow' with a random set of numbers. It is quite fast and search&destroy new clusters pretty effectively," Diachenko wrote on Twitter.
Following his announcement, other threat researchers started spotting large-scale results for "meow" in Shodan, a search engine that tracks connected devices and systems on the public internet. Currently, Shodan results show more than 1,300 Elasticsearch databases have been hit.
7/28 UPDATE: Search results indicate the meow attacks have affected more than 4,600 databases.
One threat researcher known as "Heige" from the Chinese cybersecurity firm KnowSec found similar results using ZoomEye, a Chinese search engine that is similar to Shodan.
"[Attack warning] Elasticsearch hacking is happening! It seems to destroy the original index, create and leave an index with the -meow suffix. So far, ZoomEye can search 6,141 Elasticsearch services that have been attacked," he wrote on Twitter on July 23, 2020, under the handle @80vul.
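The indicator both researchers describe is an index name ending in "-meow" left behind where the original data used to be. The following is an added example, not code from the article or from any of the researchers quoted in it: a small parser for the whitespace-separated table that Elasticsearch's real `_cat/indices?v` endpoint returns, plus a check that flags the "-meow" indices and lists whatever indices survived. The sample table, its index names and its UUIDs are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `GET _cat/indices?v` output: one legitimate index that
# survived and two attacker-created "-meow" indices (names and UUIDs invented).
SAMPLE_CAT_INDICES = """\
health status index            uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   customers        a1B2c3D4e5F6g7H8i9J0kL   1   1      48213            0     12.4mb         12.4mb
yellow open   9f31ab52-meow    ZyXwVuTs0987654321zyxw   1   1          0            0       208b           208b
yellow open   0c77d1e8-meow    QwErTyUiOp1234567890as   1   1          0            0       208b           208b
"""

# The attack leaves an index whose name carries the "-meow" suffix.
MEOW_SUFFIX = re.compile(r"-meow$", re.IGNORECASE)


def parse_cat_indices(text: str) -> List[Dict[str, str]]:
    """Parse the `_cat/indices?v` table into one dict per row, keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            continue  # skip malformed lines instead of mis-aligning columns
        rows.append(dict(zip(header, fields)))
    return rows


def find_meow_indices(text: str) -> List[str]:
    """Return the names of indices carrying the '-meow' suffix."""
    return [row["index"] for row in parse_cat_indices(text)
            if MEOW_SUFFIX.search(row["index"])]


def assess_cluster(text: str) -> Dict[str, object]:
    """Summarise a cluster listing: whether it shows the meow artifact and what is left."""
    rows = parse_cat_indices(text)
    meow = [r["index"] for r in rows if MEOW_SUFFIX.search(r["index"])]
    intact = [r["index"] for r in rows if not MEOW_SUFFIX.search(r["index"])]
    return {
        "compromised": bool(meow),
        "meow_indices": meow,
        "remaining_indices": intact,
    }


if __name__ == "__main__":
    print(assess_cluster(SAMPLE_CAT_INDICES))
```

Feeding the function the output of a cluster's own `_cat/indices?v` call gives a quick answer to the first incident-response question for an affected team: which indices were replaced, and which still hold data that should be backed up immediately.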
Victor Gevers, a security researcher with the GDI Foundation, an internet policy organization, said he found additional platforms affected by the meow attacks, including more than 50 Redis databases, two Jenkins servers and one Hadoop instance. Gevers has in the past monitored exposed databases and data deletion or ransom attacks, and he believes more meow attacks are to come.
"I think it will not be long before all the other unauthenticated services with write access will be wiped. We have seen this before," he said. "It would be catastrophic if certain data would get lost forever."
SearchSecurity contacted Elastic for comment on the matter, and Steve Kearns, vice president of product management at Elastic, offered the following statement:
"To the best of our knowledge, the Elasticsearch clusters affected by the Meow attacks did not have any of our free or paid security features enabled. At this time, we do not believe that any clusters that had our security features enabled have been impacted. This means that the impact to our paying customers has been exceedingly low. In fact, security is enabled by default in our Elasticsearch Service in Elastic Cloud and it cannot be disabled, so Elastic Cloud customers are not vulnerable to the problems that resulted in the Meow attacks."
MongoDB sent SearchSecurity an email saying that the exposed instances are running the free version of its software, not the enterprise or premium versions.
"To be clear, these instances do not involve MongoDB Enterprise Advanced or MongoDB Atlas instances but users of the free to download and free to use Community version. The default MongoDB database setup today comes with secure defaults out of the box (and has in our official download distributions for well over five years). For server admins looking to secure their MongoDB servers the proper way, the MongoDB Security page is the best place to start for getting the right advice," a MongoDB spokesperson said in an email to SearchSecurity.
The spokesperson also noted that MongoDB Community has more than 110 million downloads worldwide. "Unfortunately, not every installation follows best practices and as a result, some are improperly configured," the spokesperson said. "When MongoDB was first made aware of these issues several years ago, we made product changes to secure the open source community product's default settings. As a result, we've seen the number of open databases reported to significantly decline."
The statement highlighted a recent blog post from Shodan founder John Matherly, which said "overall exposure of public MongoDB instances has drastically decreased" since 2018.
Some of the security changes MongoDB has made in recent versions include binding to localhost by default, which limits access to the database to the system on which it is installed, and moving from SHA-1 to SHA-256 for database authentication.
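As an added illustration of the two settings described above (not code from the article or from MongoDB), the following script checks a `mongod.conf` file for the combination the meow attacks exploited: listening on every interface with authorization switched off. The configuration keys used, `net.bindIp`, `net.bindIpAll`, `security.authorization` and `setParameter.authenticationMechanisms` with the `SCRAM-SHA-1`/`SCRAM-SHA-256` mechanism names, are MongoDB's real option names; the tiny YAML-subset parser and both sample configurations are constructed for the example.

```python
from typing import Dict, List

# Constructed weak configuration: reachable from any address, no authorization.
WEAK_CONF = """\
# exposed instance (constructed example)
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed hardened configuration: localhost only, authorization on,
# and only the SHA-256 based SCRAM mechanism accepted.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: SCRAM-SHA-256
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:/  key: value' subset of YAML used by mongod.conf."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
            if value:  # top-level scalar, stored under its own name
                conf[section][key] = value
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return short finding codes for settings that leave the server open to wiping."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    params = conf.get("setParameter", {})
    findings = []

    # mongod defaults to localhost when bindIp is absent; flag explicit wide-open bindings.
    bind_ip = net.get("bindIp", "127.0.0.1")
    addrs = {a.strip() for a in bind_ip.split(",")}
    if net.get("bindIpAll") == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("bind-all-interfaces")

    # Authorization is off by default; without it every client has read/write access.
    if security.get("authorization") != "enabled":
        findings.append("no-authorization")

    # If mechanisms are pinned explicitly, make sure the SHA-1 variant is not still allowed.
    mechanisms = params.get("authenticationMechanisms", "")
    if "SCRAM-SHA-1" in mechanisms.split(","):
        findings.append("sha1-mechanism-allowed")

    return findings


if __name__ == "__main__":
    print("weak:", audit_mongod_conf(WEAK_CONF))
    print("hardened:", audit_mongod_conf(HARDENED_CONF))
```

The check is deliberately conservative: a file with no `bindIp` line is treated as localhost-only, matching the default the article describes, but a missing `security.authorization` line is still reported, because the default there is disabled.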
Security news director Rob Wright contributed to this report.