Unsecured Elasticsearch and MongoDB databases have been targeted by hacking attacks that wipe out all of their data. There are no ransom demands.
These are called meow attacks because they leave a revealing meow signature in the server’s log files.
Close-up of a screenshot of a server log file that was attacked by Meow
Security researcher Bob Diachenko (@MayhemDayOne) linked to a tweet by Anthr@X (@anthrax0) that is said to show a screenshot of a log file with the details of a meow attack.
Meow Hacking Attacks
The attacks target insecure Elasticsearch and MongoDB installations.
That can mean installations that are not protected by a firewall and are exposed to the public.
It can also mean installations that do not use SSL-encrypted communications.
The Elasticsearch hacking attack was observed by security researcher Bob Diachenko on July 20, 2020. He noted that there were no ransom requests or warnings.
It was an attack designed solely to remove all data.
The new Elasticsearch bot attack contains no ransom or threat, just “meow” with a random set of numbers. It is quite fast and searches and destroys new groups quite effectively pic.twitter.com/F8Ke3CI64i
– Bob Diachenko (@MayhemDayOne) July 20, 2020
The latest high-profile victim of the attack is an African online payment service.
Another victim of the Meow attack, Zimbabwe’s leading online payment platform. pic.twitter.com/JOQ9kDIJW5
– Bob Diachenko (@MayhemDayOne) July 27, 2020
Automated hacking attacks
In general, hacking attacks are automated. A bot script attacks a site by looking for known vulnerabilities, such as unsafe ports and vulnerable files. The process is similar to that of a thief walking down a street checking door handles for unlocked vehicles.
The meow attack is also an automated attack.
What is being attacked?
At this time, it is unsecured Elasticsearch and MongoDB databases that are under attack.
Elasticsearch is the most attacked, followed by MongoDB.
As of July 24, 2020, there were 1,779 attacked Elasticsearch clusters and 701 attacked MongoDB instances.
There are 1,779 Elasticsearch ‘meow’ clusters and 701 MongoDB instances https://t.co/QOG6oAfksy
– Bob Diachenko (@MayhemDayOne) July 24, 2020
Elasticsearch is an open source search and analysis service used by companies like Uber, Shopify and Udemy.
MongoDB declares on its website that it is used by companies such as eBay, Adobe, SquareSpace, Verizon and the UK government.
Attacks allegedly hidden by a VPN
Someone on Twitter posted screenshots of the log file of an attack on a MongoDB database, showing that the attacks on that server were coming through a VPN IP address to hide the true origin of the attack.
The #meow attack goes through @protonvpn, I’m not sure how many source IPs there are. From the records in MongoDB, you can see that it first deletes the databases and then creates new ones with $randomstring-meow @MayhemDayOne @BleepinComputer #infosec pic.twitter.com/49dnVOGyq7
– Anthr@X (@anthrax0) July 24, 2020
ProtonVPN is a virtual private network (VPN) service. A VPN masks a user’s true IP address for privacy and security reasons. In some countries, VPNs are used to hide users’ Internet activities from curious governments.
ProtonVPN responded via Twitter by agreeing to review activity and block malicious users who violate its terms and conditions.
We are investigating this and will block any use of ProtonVPN that goes against our terms and conditions.
– ProtonVPN (@ProtonVPN) July 27, 2020
Recommended Action
There are security plugins for Elasticsearch:
@martinibuster Just reiterating again: Open Distro for Elasticsearch offers a fully licensed and free Apache security package. Use it to protect your friends from Elasticsearch: https://t.co/M09ndWDQ3G https://t.co/vFR7KdWWB9
– Carl Meadows (@Carl_F_Meadows) July 27, 2020
It may be prudent for publishers running Elasticsearch or MongoDB to review their installations to ensure that they require authentication and are not exposed to the public Internet.
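As an added example (not code from the article, from Elasticsearch or from MongoDB), the small Python audit below flags the two exposure conditions the article describes, a listener bound to a non-loopback address and no authentication, in `elasticsearch.yml` / `mongod.conf` settings loaded as dicts, and also checks a list of existing database or index names for the `<randomstring>-meow` naming signature the tweets describe. The setting keys (`network.host`, `xpack.security.enabled`, `net.bindIp`, `security.authorization`) are the products' real keys; the sample values are constructed.

```python
import ipaddress
import re

# Post-wipe signature from the article: remaining databases/indices are named
# "<random string>-meow". Matching is case-insensitive.
MEOW_RE = re.compile(r"^\w+-meow$", re.IGNORECASE)


def find_meow_names(names):
    """Return the database/index names that carry the meow wipe signature."""
    return [n for n in names if MEOW_RE.match(n)]


def _get(settings, path):
    """Look up a dotted key in a dict that may be flat ("network.host")
    as in elasticsearch.yml, or nested ({"net": {"bindIp": ...}}) as in mongod.conf."""
    if path in settings:
        return settings[path]
    head, _, rest = path.partition(".")
    child = settings.get(head)
    if rest:
        return _get(child, rest) if isinstance(child, dict) else None
    return child


def _is_public_bind(value):
    """True if any bound address is something other than a loopback interface."""
    if value in (None, "localhost", "_local_"):
        return False
    items = value if isinstance(value, list) else str(value).split(",")
    for addr in (str(a).strip() for a in items):
        if addr in ("0.0.0.0", "::", "_global_", "_site_"):
            return True          # wildcard / all-interfaces (Elasticsearch special names)
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:
            return True          # hostname or interface name: treat as potentially public
    return False


def audit_elasticsearch(settings):
    findings = []
    if _is_public_bind(_get(settings, "network.host")):
        findings.append("network.host binds a non-loopback address")
    if _get(settings, "xpack.security.enabled") is not True:
        findings.append("xpack.security.enabled is not true (authentication disabled)")
    return findings


def audit_mongod(settings):
    findings = []
    if _is_public_bind(_get(settings, "net.bindIp")):
        findings.append("net.bindIp binds a non-loopback address")
    if _get(settings, "security.authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

Feed it the output of `yaml.safe_load()` on each config file and the names returned by `_cat/indices` or `listDatabases`; an empty findings list and an empty meow list are the expected state.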
Citation
The new attack ‘Meow’ has eliminated almost 4,000 databases without guarantee