So far, more than 1,000 unsafe databases have been permanently removed in an ongoing attack that leaves the word “meow” as its only business card, based on Internet searches during the last day.
The attack first caught the attention of investigator Bob Diachenko on Tuesday, when he discovered that a database that stored the details of the UFO VPN user had been destroyed. UFO VPN had already been in the news that day because the worldwide readable database exposed a large amount of confidential user information, including:
- Plain text account passwords
- VPN session tokens and secrets
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Geotags
- Device and operating system features
- Apparent domains from which ads are injected into free users’ web browsers
In addition to constituting a serious privacy violation, the database disagreed with the Hong Kong-based UFO’s promise not to keep records. The VPN provider responded by moving the database to a different location, but once again was unable to properly secure it. Soon after, the Meow attack annihilated him.
UFO representatives did not immediately respond to an email seeking comment.
Since then, Meow and a similar attack have destroyed more than 1,000 other databases. At the time this post was published, Shodan’s computer search site showed that 987 ElasticSearch and 70 MongoDB instances had been destroyed by Meow. A separate, less malicious attack tagged an additional 616 ElasticSearch, MongoDB, and Cassandra files with the string “university_cybersec_experiment”. That the attackers in this case appear to be demonstrating to the database maintainers that the files are vulnerable to being viewed or deleted.
Just for fun
It is not the first time that attackers are targeting insecure databases, which have become increasingly common with the increasing use of cloud computing services from Amazon, Microsoft, and other providers. In some cases, the motivation is to make money through ransomware rackets. In other cases, including current Meow attacks, the data is simply removed without any ransomware notice or other explanation. The only thing left behind in the current attacks on the word “meow.”
A database affected by the Meow attack.
“I think in most [of the latter] Cases, the malicious actors behind the attacks do it just for fun, because they can do it and because it’s really simple to do, “Diachenko told me.” So it’s another wake-up call for the industry and companies that ignore the cyber hygiene and they lose their data and those of their customers in the blink of an eye. “
As the head of research for security firm Comparitech, Diachenko regularly scans the Internet for databases that expose information as a result of not being protected by a password. Attackers appear to be running similar searches, and once they identify databases that can be modified without credentials, attackers run scripts that delete the data. He said Meow’s attacks have been underway for a few days and showed no signs of giving way. He said he expected the number of affected databases to double the following day.
People who maintain cloud-based databases must ensure that they are protected in accordance with the provider’s guidelines.
