The head of Comparitech and well-known information security expert Bob Diachenko discovered a strange wave of attacks on unprotected installations of Elasticsearch and MongoDB. He said that the so-called “meowing” attack completely destroyed more than 1000 databases.
It all started with the database of the VPN provider UFO VPN. Recently, this company allowed a massive user data leak, as it kept its logs practically in the public domain. Although the provider tried to move the problematic database to another location, it failed to provide adequate protection.Dyachenko continued to monitor the situation and noticed that at the beginning of this week the provider’s database was destroyed: hackers erased its contents, leaving behind only the word “meow“.
After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address – all of the records destroyed now by a new “Meow” bot attack”, — wrote Bob Diachenko in his Twitter.
According to the information security specialist, such “meowing” attacks appeared a few days ago. They represents an automated script that completely overwrites or destroys data in unprotected databases.
Currently, according to Shodan, the attackers behind these attacks have wiped out more than 1,000 databases: 1,337 ElasticSearch installations and over 370 MongoDB installations were affected.
In addition, the researchers noticed another attack due to which 616 files of ElasticSearch, MongoDB and Cassandra were marked with the string “university_cybersec_experiment”. Apparently, in this case, the attackers only warn the owners of the unprotected databases about the problem and demonstrate that the files are vulnerable to viewing and deletion.
I think most of the time hackers behind the attacks do it just for fun, because they can and because it’s very simple”, — says Dyachenko, — “All in all, this is another wake-up call for the industry and companies that ignore digital hygiene and end up losing their data and customers’ data overnight.”
Another well-known security expert, head of the GDI foundation, Victor Gevers, told Bleeping Computer that he also noticed this type of attack. He said that hackers attack public MongoDB databases in an effort to inflict as much damage on them as possible. Gevers first detected meowing attacks a few days ago, one of which occurred just a couple of hours after GDI volunteers informed the victim that her database was not properly protected.
Even if the hackers behind these attacks try to give a harsh lesson to the database owners, as Gevers said, it will do no good. The expert says that some data leaks can shed light on very nasty things that need to be made public, and their destruction is not beneficial.
Let me remind you that as a result of the attack on Elasticsearch, millions of personal data of Yves Rocher clients were leaked into the network.
