Companies that fail to secure their Elasticsearch and MongoDB instances are being targeted by an attacker who destroys the data, overwriting the databases with a string of random numbers and the word ‘meow’. The attacks appear to be automated: no note is left, no ransom demand is issued, and there is no explanation as to why the attack has occurred. The attacks are ongoing. So far, at least 1,269 Elasticsearch servers and 276 MongoDB instances have experienced a Meow attack, and the number is growing fast.
The Meow attacks were discovered by researcher Bob Diachenko. He found a misconfigured database that belonged to UFO, a Hong Kong VPN provider. He notified the company about the exposed database and it was secured, but it appeared at a different IP address a few days later and was similarly left exposed. The database was then found by the Meow bot and the data was overwritten. Several other researchers have reported cases of databases being Meowed over the past few days, and there is no sign of the attacks stopping.
It is not clear whether the databases are stolen before the data is overwritten, but there do not appear to have been any ransom demands issued or offers to return the data to the companies concerned. It is possible that the Meow bot has been created to punish companies that fail to secure data or, perhaps, to ensure that data does not fall into the hands of cybercriminals. Cybercriminals conduct automated scans to identify exposed Elasticsearch and MongoDB instances, then steal and monetize the data or demand money to return it.
Regardless of the motivation behind the attacks, they send a strong message to organizations to check their online databases and make sure they are configured correctly. Otherwise, the data may be permanently lost. There is now a rush to identify and secure exposed databases before it is too late.
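As a starting point for that check, the following added example (not from the article or from either vendor) reads the text of an elasticsearch.yml or mongod.conf file and flags an instance that listens beyond loopback with authentication off. It assumes that "exposed" means exactly that combination, and that unset keys take the loopback-only, security-off defaults of pre-8.0 Elasticsearch and current MongoDB; the sample configurations are constructed.

```python
# Added example, not from the article. Sample configs are constructed.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

def flatten(text):
    """Parse the simple 'key: value' YAML these files use; nested keys
    become dotted paths (net.bindIp). Not a general YAML parser."""
    out, stack = {}, []  # stack: (indent, key) of currently open parents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            out[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return out

def listens_publicly(addresses):
    """True if any bind address in a comma-separated value is not loopback."""
    hosts = [h.strip(" \"'") for h in addresses.strip("[]").split(",")]
    return any(h and h not in LOOPBACK for h in hosts)

def elasticsearch_at_risk(text):
    cfg = flatten(text)
    # Assumption: unset keys mean loopback-only and security off (pre-8.0).
    auth = cfg.get("xpack.security.enabled", "false").lower() == "true"
    return listens_publicly(cfg.get("network.host", "_local_")) and not auth

def mongodb_at_risk(text):
    cfg = flatten(text)
    public = (cfg.get("net.bindIpAll", "false").lower() == "true"
              or listens_publicly(cfg.get("net.bindIp", "127.0.0.1")))
    auth = cfg.get("security.authorization", "disabled").lower() == "enabled"
    return public and not auth

ES_OPEN = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
ES_FIXED = ES_OPEN + "xpack.security.enabled: true\n"
MONGO_OPEN = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
MONGO_FIXED = MONGO_OPEN + "security:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, risky in [("ES_OPEN", elasticsearch_at_risk(ES_OPEN)),
                        ("MONGO_OPEN", mongodb_at_risk(MONGO_OPEN))]:
        print(name, "exposed without auth" if risky else "ok")
```

A clean result only covers the configuration file; firewall rules and cloud security groups decide whether the port is reachable from the internet and need their own review.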