'Meow' attacks continue, thousands of databases deleted

More than one week after the first reported "meow" attack, the number of affected databases has surged dramatically.

Unknown threat actors last week launched a series of mysterious attacks on insecure databases, wiping data and replacing it with the word "meow." Bob Diachenko, cyber threat intelligence director for Security Discovery, observed the first attack, which erased data from Hong Kong-based VPN provider UFO VPN. Last Thursday, security researchers estimated more than 1,000 databases, predominately on ElasticSearch and MongoDB, had been wiped.

According to Shodan's search results for meow indices in ElasticSearch, there are 5,983 hacked databases as of Thursday. The Shadowserver Foundation, a nonprofit infosec organization, has been scanning the IPv4 internet daily for open MongoDB instances since 2015. On Wednesday the foundation shared the daily results on Twitter in response to the new attacks.

"Our daily MongoDB scans currently show around 8,500 MongoDB instances affected by the 'Meow' attack (out of around 22K instances out there on port 27017/TCP with no authentication enabled)," Shadowserver wrote on Twitter.

The foundation said it doesn't specifically scan for the "meow" attacks, but when they list databases, they can see changes made by the attackers. 

"Changes include creating random databases with a -meow appended to the end of a random character database name," a Shadowserver spokesperson said in an email to SearchSecurity. "The number of MongoDB instances (unique IPs) that we currently see returning database names with -meow appended is currently 8000+. The meow attack is directed at other database systems too, including Elasticsearch. We also scan for some of those - like Elasticsearch, but in this case we do not list the database (as it's not necessary to determine whether an instance is open or not), so we do not have information on how many Elasticsearch instances are affected."

In addition to ElasticSearch and MongoDB databases, other platforms have been affected by the attacks. Security researchers have reported smaller numbers of attacks on Hadoop, Redis, Cassandra and Jenkins instances.

Elastic and MongoDB told SearchSecurity last week they did not believe any of the deleted databases on their respective platforms had any security controls such as password protection. A MongoDB spokesperson said the "meow" attacks only affected the free Community version of its database software, not the MongoDB Enterprise Advanced or MongoDB Atlas products, and those databases were misconfigured.

On July 27, ElasticSearch addressed the issue on Twitter and urged users to apply the proper security settings to prevent the attacks.

"The recent 'meow bot' attacks search for open databases and overwrite data with the word 'meow' and a string of random numbers. Learn how to protect your #ElasticSearch deployments from this and other #cybersecurity #databases for free," ElasticSearch wrote in the tweet.

In general, exposed databases are prevalent on the web, according to new research from password manager vendor NordPass. The company partnered with an ethical hacker who scanned ElasticSearch and MongoDB libraries for one full year, looking for unprotected databases exposed on the public internet. "Researchers have identified a total of 9,517 unsecured databases containing 10,463,315,645 entries with such data as emails, passwords and phone numbers. The databases were found across 20 different countries," NordPass wrote in the research paper.

China was first on the list of most exposed databases, and the United States was second. Chad Hammond, security expert at NordPass, said the "meow" attacks show how crucial proper database security is.

"Once again, we'd like to reinforce that proper protection should include data encryption at rest, wire [in motion] data encryption, identity management and vulnerability management," Hammond said. "While these kinds of attacks are actually very frequent, usually the attackers ask for ransom. This 'meow' attack seems different because they are not asking for money, but simply deleting the data."