Hundreds of unsecured databases that are exposed on the public web are the subject of an automated ‘meow’ attack that destroys data without explaining.

In an ongoing attack that leaves the word “meow” as its only calling card, more than 1,000 unsecured databases have been permanently removed so far, according to Internet searches over the last few days.

What is Meow attack?

Researchers have discovered a new assault that searches for unsecured databases and deletes the data without warning. This attack, dubbed “Meow” because the attacker renames databases, tables, and indices by adding “meow” to the end of the original name. It seems in the past few days it has hit roughly over hundreds of databases. Some of the exposed databases had been disclosed safely by volunteer researchers to the database owners earlier, but if they weren’t secured immediately, the databases were destroyed — sometimes only hours after contacting the owners.

The most recent attack was against a VPN provider who claimed not to keep any logs but had the Elasticsearch database enabled by an unsecured user. Their computer was “meowed”, and all of the documents cleaned were out from the site. A researcher said there are not many details about the attacker or his motives – simply that it appears to be an automated script that “overwrites or completely destroys the data”. It is theorized that the intruder might be a vigilante attempting to teach administrators a lesson on securing databases by destroying unsecured ones. Actually, the attacks appear to have hit the Elasticsearch and MongoDB systems.

What really is the bot Meow?

Meow bot seems to exist purely to destroy those databases that leave themselves open and exposed online without any controls on security access. So-called because the automated attack script overwrites indexes of databases with appended “meow” numerical random strings.

Databases being “meowed” is a new threat that researchers have only spotted in recent days. However, we can see that hundreds of databases have already fallen prey to the unknown intruder by using a properly designed query with the Shodan Internet-of-Things (IoT) search engine, which is much loved by security researchers.

What is behind the Meow attack?

While the motive behind the Meow attacks is not yet clear, nor where the attacks come from, it has been reported that this may be a vigilante’s work trying to give administrators a hard lesson in security.

A security consciousness members concluded that the absence of any Ransomware note or demand suggests that this could be the work of a grey-hat who has had enough unsecured databases and took drastic steps themselves.

There is little doubt that unsecured databases were a significant problem, exposing customer data to anyone looking, with simple misconfiguration errors at the core of the problem. “Despite efforts by cloud providers to help protect databases”, A security consciousness member said, “organizations repeatedly leave them publicly exposed, either by mistake or by personnel lacking the requisite knowledge”.

Conclusion

It’s not the first time attackers have targeted unsecured databases that have become increasingly popular with growing usage of Amazon, Microsoft, and other providers’ cloud storage services. The motive in some cases is to make money by Ransomware attacks. In other cases — including the latest attacks on Meow — the data is completely wiped out without any ransomware notice or other reason. In the latest attacks, the only thing left behind was the word “meow”.

The spokesperson for MongoDB has issued the following comment to ITProPortal:

“Our MongoDB Community database is a very common product, with over 100M downloads worldwide. Sadly, not all installation follows best practices and as a result, some are configured inappropriately”.

“When MongoDB first became aware of these issues many years ago, we made software changes to protect the default settings of the Open Source Community application. As a result, we saw a substantial decline in the number of Open Databases published”.

“The default setup today for the MongoDB database comes with secure defaults out of the box”.

Speak to one of our experts to understand How to protect your Business from Cyberattacks

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

Hundreds of unsecured databases that are exposed on the public web are the subject of an automated 'meow' attack that destroys data without explaining.