The modern world of hacking and cyber crime is one ruled by profit-seeking criminals and nation-state spies. But at one time, roughly two decades ago, it was the province of lone rogue hackers spreading viruses with no expectation of material gain. Sometimes it was a juvenile prank, sometimes an attempt to make a name for themselves, and sometimes a form of activism. A new type of cyber attack called “Meow” is a throwback to those seemingly more innocent times. It seeks out unsecured databases and simply wipes them out without any preamble or afterword.
The attacker behind Meow does nothing to identify themselves and seems to want nothing from these attacks. It is unclear what the purpose is, but such an attack might actually be preferable to a data breach, since at least the data is not being exfiltrated.
What we know about the Meow cyber attack
The new cyber attack appears to be a bot that seeks and destroys unsecured databases that run the Elasticsearch, Redis or MongoDB software. The name comes from it overwriting the word “meow” repeatedly in each database index that it finds. The bot overwrites all of the data, effectively destroying the contents of the database.
The bot appears to target only databases that do not have access controls enabled. It was discovered by Comparitech head researcher Bob Diachenko, who characterized it as fast and effective at seeking out new targets that have failed to secure access properly. The first database to be destroyed was that of UFO VPN, which had recently been in the news for an unrelated breach that exposed all sorts of sensitive customer information, including plain text passwords and VPN session tokens. The Meow attack wiped UFO VPN's data after the company had moved it to yet another unsecured database in the wake of the original breach.
Diachenko does not know who is behind the Meow bot, but has theories about the motivation. “I think that … malicious actors behind the attacks do it just for fun, because they can, and because it is really simple to do,” Diachenko told Ars Technica. Diachenko is publicly tracking the attacks on Twitter and has found over 4,000 compromised databases as of this writing, with well over half of those running Elasticsearch. He believes that copycats may have joined in the fray at this point and that attacks may be expanding to other unsecured database types such as those running Cassandra, CouchDB, Hadoop and Jenkins.
Why unsecured databases?
Some expert analysts, such as Cerberus Sentinel’s VP of Solutions Architecture Chris Clements, believe that the targeting of unsecured databases may be more than just a way to have fun with low-hanging fruit: “These types of vigilante attacks with no extortion demands or attribution are increasingly rare and therefore not likely the work of the usual cybercrime gangs whose primary goal is to extort money from their victims. It’s possible that the perpetrator is attempting to stop data disclosure from these unsecured databases, however, doing so in such a broad and indiscriminate fashion deprives potential victims from knowing if their information has been compromised so that they can take actions to prevent identity theft or be on the lookout for targeted spear phishing campaigns created using the compromised data.” Javvad Malik, Security Awareness Advocate for KnowBe4, concurs with the Meow attack “vigilante” theory: “The lack of ransom or demands, or any form of notice given by ‘meow’ suggests this could be the work of a greyhat who has had enough of unsecured databases and taken drastic measures themselves.”
Unsecured databases have been a growing cybersecurity problem for roughly two years now. This form of cyber attack saw an explosion of popularity in 2019, and some of the world’s biggest breaches that year involved Elasticsearch or MongoDB. The biggest of these was the October discovery of a mystery Elasticsearch database containing some four billion records of the personal information of about 1.2 billion people; it had no password protection and was readily accessible via any web browser. Similar unprotected database breaches that contained billions of records occurred at smart device manufacturer Orvibo and SMS marketing platform TrueDialog. Similar breaches in 2019 that each contained hundreds of millions of records happened at First American Financial Corp., email validation firm Verifications.io, Capital One, and an Indian government database of citizens’ personal information, among other major incidents.
The difference with most of these breaches is that they were discovered by a security researcher and reported to the responsible parties before being made public. That is the best-case scenario for a company, particularly if a forensic follow-up reveals that the researcher came across the data before any potential cyber attackers did. While the deletion of a database out of nowhere is no picnic, it may be the next best of the “least worst” ways for a company to become aware of this vulnerability. At the very least, the data is not being stolen by an unknown third party. Organizations may also dodge fines under local data privacy laws if it can be shown that the data was never exposed to threat actors.
While MongoDB and Elasticsearch are hardly the only possible targets, they are among the simplest for a cyber attacker to find and compromise, as Clements observes: “Elasticsearch and MongoDB can be powerful analytic tools, however, are known to have very insecure default settings. Exposing these applications to the internet without understanding the potential risk is the cybercrime equivalent of having your cash register stolen because you left it out on the street.” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, expanded on this observation: “Sometimes these databases are stored in the cloud because they have to interact with devices spread out amongst customers on the internet and there is no easy way to bring this data behind a corporate firewall without a proper initial design or inclusion of the IT and InfoSec teams. So, people end up with exposed databases in the cloud.”
At the very least, companies should be scrambling to identify any database exposed to the internet and putting passwords on them to avoid the wrath of the “meow bots.”
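As an added illustration, not taken from the article or from any of the researchers quoted in it, the following shows the kind of "listen everywhere, no authentication" configuration that leaves an Elasticsearch node or MongoDB server open to a bot like Meow, beside the hardened equivalent that the closing advice calls for. The address 10.0.0.5 is a placeholder for your own internal interface, and the file names refer to the stock elasticsearch.yml and mongod.conf.

```yaml
# --- elasticsearch.yml: weak ---
# Listens on every interface with the security module switched off: anyone
# who can reach TCP/9200 can list, read, overwrite and delete every index.
network.host: 0.0.0.0
xpack.security.enabled: false

# --- elasticsearch.yml: hardened ---
# Bind only to the loopback or internal address the application uses.
# 10.0.0.5 is a placeholder for your private interface, not a real value.
network.host: 10.0.0.5
# Require authentication and authorization; create the built-in users'
# passwords afterwards with bin/elasticsearch-setup-passwords interactive.
xpack.security.enabled: true
# A multi-node production cluster additionally needs transport TLS
# (xpack.security.transport.ssl.*) once security is on; omitted here.

# --- mongod.conf: weak ---
# bindIp 0.0.0.0 exposes mongod on all interfaces, and with no `security`
# section at all it accepts every connection without authentication.
net:
  port: 27017
  bindIp: 0.0.0.0

# --- mongod.conf: hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private interface (placeholder)
security:
  authorization: enabled       # clients must log in as a created user/role
```

For MongoDB, create the first administrative user over the localhost exception before restarting with `authorization: enabled`, or you will lock yourself out; for Redis, the matching settings in redis.conf are `bind 127.0.0.1`, `protected-mode yes` and `requirepass`. After the change, an unauthenticated request to `http://host:9200/` should return 401 rather than the cluster banner.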