Over 1500 online databases and counting have been wiped by a mystery attacker, for no apparent reason other than that they are misconfigured and exposed to the public internet.
Researcher Bob Diachenko was first to notice the campaign after he discovered a misconfigured database belonging to Hong Kong-based VPN provider UFO. After being notified, the company secured the data, only for it to reappear at a different IP address.
This time the attacker pounced, overwriting all data with the words “meow” and a string of random numbers. It appears as if no ransom note was left.
“After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address – all of the records destroyed now by a new ‘Meow’ bot attack,” tweeted Diachenko earlier this week. “[The] new Elasticsearch bot attack does not contain any ransom or threats, just 'meow' with a random set of numbers. It is quite fast and search&destroy new clusters pretty effectively.”
According to a Shodan search, there were 1269 impacted Elasticsearch servers globally and 276 MongoDB instances hit by the “meow” bot at the time of writing. It’s unclear whether the attacker first stole victims’ data or whether this is a purely destructive campaign.
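A quick triage check a defender can run against a cluster's index listing, added here as an example and not part of the original report. It parses the text output of Elasticsearch's `_cat/indices` endpoint and flags indices carrying the “meow” marker; the exact index naming pattern (“meow” followed by a random string) and the sample listing are assumptions constructed for this example.

```python
import re

# Constructed sample of `GET _cat/indices?h=index,docs.count` output taken
# from a cluster after a wipe. Index names replaced with "meow" plus a random
# string is an ASSUMED pattern based on the article's description.
SAMPLE_CAT_INDICES = """\
.kibana_1 12
meow-8f3a1c9d 0
meow-0b7e42aa 0
meow-c1d9e5f0 0
"""

# Assumed marker: "meow", optional separator, then a run of random characters.
MEOW_PATTERN = re.compile(r"^meow[-_]?[0-9a-z]+$", re.IGNORECASE)


def parse_cat_indices(text):
    """Parse `_cat/indices` lines into (index_name, doc_count) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        name, docs = parts[0], parts[1]
        rows.append((name, int(docs) if docs.isdigit() else 0))
    return rows


def triage_cluster(text):
    """Summarise which user indices carry the meow marker and whether every
    non-system index (names not starting with '.') has been replaced."""
    rows = parse_cat_indices(text)
    user_indices = [(n, d) for n, d in rows if not n.startswith(".")]
    meow = [n for n, _ in user_indices if MEOW_PATTERN.match(n)]
    return {
        "meow_indices": meow,
        "user_index_count": len(user_indices),
        "wiped": bool(user_indices) and len(meow) == len(user_indices),
    }


if __name__ == "__main__":
    print(triage_cluster(SAMPLE_CAT_INDICES))
```

A cluster that answers `_cat/indices` without credentials from the internet is exposed whether or not the marker is present; the check above only tells you whether the wipe has already happened.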
Boris Cipot, senior security engineer at Synopsys, described the attacks as a “game changer” which may actually motivate organizations to follow security best practice.
“We’re seeing organizations rushing to identify and secure exposed databases, which is a much-needed and long overdue step for many firms. It’s alarming that by running a single Shodan search, we’re able to see just how many unsecured devices and services are out there – all of which are potential attack vectors,” he argued.
“There is the possibility that the attacker isn’t abusing the user data prior to its deletion. If that is in fact the case, meow attacks could actually be safeguarding users from more financially-driven malicious attackers. While the user would be impacted either way – having just lost whatever data was being stored on an affected database – at least it wouldn’t be held for ransom or sold on the dark web, for instance.”