Sun. Nov 28th, 2021
Meow! Attacks on elasticsearch and mongodb servers, motive unknown

Security researcher Bob Diachenko and the security research team he leads at the British company Comparitech are currently monitoring active attacks on Elasticsearch and MongoDB databases worldwide. If the unknown attackers succeed in breaking in, they delete the entire database content and replace it with combinations of the text string "meow" with random numbers.

A search for "meow" with the IoT search engine Shodan currently provides more than 1700 affected Elasticsearch and almost 700 MongoDB installations worldwide – and the trend is rising. Germany accounts for more than 130 Elasticsearch search hits.

Motive for attack still unclear

How the "Meow"-attack is carried out in detail, Diachenko does not describe it. Opposite Ars Technica he does suggest that the attackers are looking for databases that can be modified without credentials and then delete them using scripts written for this purpose.

That "Meow" Elasticsearch and MongoDB is not surprising in this context, because especially MongoDB instances, which are accessible from the Internet without password protection, have been a popular attack target for years. Only recently, in the course of ransomware attacks, around 22.900 databases hijacked:

Unlike in the case of such loose money blasts, the motive behind the "Meow"-Bot attacks, however, still completely unclear. Diachenko told Ars Technica that he ames that the masterminds behind Meow and similar attacks are from "from Spab" acted – "because they can do it and because it is really easy to do." Companies that have been negligent with their own and customer data should take this as a wake-up call.

Ars Technica mentions other currently active attacks, albeit smaller in scale, on MongoDB, Elasticsearch and Apache Cassandra. On a total of about 600 servers are the original content with the string "university_cybersec_experiment" overwritten.

UFO VPN leak as a starting point

Diachenko’s accusation of negligence can also be applied to VPN provider "UFO VPN" Apply. The Comparitech team had only recently stumbled upon an Elasticsearch database on the web that contained sensitive data from several million users of UFO VPN and related VPN software.

In fact, this finding was the starting point for the "Meow"-Discovery. Although it initially appeared that the UFO VPN database had been secured, it has since emerged that the VPN provider was again sloppy in securing it. As one of the first targets of the attack, the data obviously fell in the next step "Meow" to the victim.

In this particular case, data erasure could be achieved by "Meow" almost consider a happy fugue for the affected VPN users. They should now – if they haven’t already done so – look for a provider that (hopefully) handles their data more responsibly.

Leave a Reply