The attackers and their motivations remain unknown; however, the incidents yet again highlight the risks of careless data security
Thousands of unsecured internet-facing databases have been on the receiving end of automated ‘Meow’ attacks that which involve destroying the data without leaving as much as an explanatory note.
A search on Shodan shows that as the Meow attacks have escalated in recent days, with almost 4,000 databases now wiped. While more than 97% of the attacks hit Elasticsearch and MongoDB instances, systems running Cassandra, CouchDB, Redis, Hadoop, Jenkins, and Apache ZooKeeper have been targeted as well, wrote BleepingComputer.
The onslaughts owe their moniker to the fact that the data is overwritten with random characters that include the word ‘meow’. Both the perpetrators and their reasons for the scorched-earth tactics remain unknown.
Meanwhile, a security researcher wrote on Twitter that the attacks have been carried out using ProtonVPN IP addresses.
The #meow attack is going thru @protonvpn, not sure how many origin IPs there are. From the logs in MongoDB you can see it drops databases first then create new ones with $randomstring-meow @MayhemDayOne @BleepinComputer #infosec pic.twitter.com/49dnVOGyq7
— Anthr@X (@anthrax0) July 24, 2020
Proton responded by saying, “We are looking into this and will block all usage of ProtonVPN which goes against our terms and conditions.”
One of the first recorded instances of these Meow attacks targeted an Elasticsearch database belonging to a VPN provider. The unsecured database was discovered by security researcher Bob Diachenko and was one of the 7 VPN services that leaked the data of over 20 million users.
Diachenko went on to notify the hosting provider on July 14th, and the database was secured the next day. However, it was exposed the second time on July 20th and then hit with a Meow bot attack that wiped almost all the data stored on the database.
RELATED READING: Five tips for keeping your database secure
The onslaughts have also been observed by researchers from the non-profit GDI Foundation. One of the attacks occurred after a researcher responsibly disclosed an exposed database to its owner. Victor Gevers, the foundation’s chairman, noted that the perpetrator is probably targeting any unsecured database that can be accessed over the internet.
While some researchers debate whether the attackers are trying to ‘educate’ administrators to keep their databases locked down, the fact of the matter remains that administrators should properly secure their assets.
Attacks on misconfigured databases are not a rare occurrence. A mere few weeks ago, we wrote about thousands of unsecured MongoDB databases that were ransacked and held for ransom. However, wiping ill-secured databases without leaving any (ransom) notes whatsoever could be considered unusual.