Meow: an attack that destroys data in unprotected Elasticsearch and MongoDB databases

Meow is an attack that keeps gaining momentum: for several days now there have been reports of unknown attackers destroying data in unprotected, publicly reachable Elasticsearch and MongoDB installations.

Isolated cases of wiping (roughly 3% of all victims) were also recorded for unprotected databases running on Apache Cassandra, CouchDB, Redis, Hadoop and Apache ZooKeeper.

About Meow

The attack is carried out by a bot that scans for the network ports typically used by these DBMSs. Observing the attack against a honeypot server showed that the bot connects through ProtonVPN.

The root cause is a database exposed to the public Internet without authentication configured.

Through mistake or carelessness, the request handler is bound not to the loopback address 127.0.0.1 (localhost) but to all network interfaces, including the external one. In MongoDB this behavior is encouraged by the sample configuration offered by default, and in Elasticsearch before version 6.8 the free version did not support access control at all.
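To make the two misconfigurations concrete, here is a small offline audit script. It is an added example written for this article, not code from MongoDB, Elasticsearch or the researchers cited here. It flattens a mongod.conf or elasticsearch.yml (a YAML subset is enough for both files) into dotted keys and flags the combination the attack depends on: a listener on every interface plus authentication left off. The four sample configs are constructed for the example; the defaults it assumes (mongod binds to localhost and runs without authorization unless told otherwise; Elasticsearch 6.x/7.x binds to loopback and leaves security off unless xpack.security.enabled is set) are stated in the comments.

```python
# Added example: audit mongod.conf / elasticsearch.yml for the exposure pattern
# described in the article (listener on all interfaces, no authentication).
from dataclasses import dataclass


@dataclass
class Finding:
    key: str
    value: str
    why: str


def flatten_yaml_subset(text: str) -> dict:
    """Flatten an indentation-based YAML mapping into dotted keys.

    Only 'key: value' pairs and nested mappings are handled (all either config
    file needs); '#' starts a comment and surrounding quotes are dropped.
    """
    flat, stack = {}, []  # stack holds (indent, key) of enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:  # leave closed mappings
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("'\"")
        if value:  # leaf: record it and pop so siblings attach to the parent
            flat[".".join(k for _, k in stack)] = value
            stack.pop()
    return flat


# Values that expose a daemon beyond the host. _site_/_global_ are
# Elasticsearch's names for non-loopback addresses.
ANY_INTERFACE = {"0.0.0.0", "::", "*", "_site_", "_global_"}


def _exposed(addr_list: str) -> bool:
    return any(a.strip() in ANY_INTERFACE for a in addr_list.split(","))


def audit_mongod(conf: dict) -> list:
    """Assumes mongod's defaults: localhost-only bind, authorization disabled,
    so a missing security.authorization is itself a finding."""
    findings = []
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    bind = conf.get("net.bindIp", "127.0.0.1")
    if bind_all or _exposed(bind):
        findings.append(Finding("net.bindIp", "0.0.0.0" if bind_all else bind,
                                "mongod listens on every interface, not only localhost"))
    auth = conf.get("security.authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append(Finding("security.authorization", auth,
                                "clients can read and drop collections with no credentials"))
    return findings


def audit_elasticsearch(conf: dict) -> list:
    """Assumes the 6.x/7.x defaults: loopback bind, security off unless set."""
    findings = []
    host = conf.get("network.host", "_local_")
    if _exposed(host):
        findings.append(Finding("network.host", host,
                                "HTTP API (port 9200 by default) reachable from other hosts"))
    sec = conf.get("xpack.security.enabled", "false")
    if sec.lower() != "true":
        findings.append(Finding("xpack.security.enabled", sec,
                                "anyone who can reach the API can delete every index"))
    return findings


# Constructed samples: the weak setting beside the corrected one.
EXPOSED_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0  # reachable from the internet\n"
HARDENED_MONGOD = "net:\n  port: 27017\n  bindIp: 127.0.0.1,::1\nsecurity:\n  authorization: enabled\n"
EXPOSED_ES = "cluster.name: prod\nnetwork.host: 0.0.0.0\n"
HARDENED_ES = "cluster.name: prod\nnetwork.host: _local_\nxpack.security.enabled: true\n"


def report(name: str, findings: list) -> None:
    print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
    for f in findings:
        print(f"  {f.key} = {f.value!r}: {f.why}")


if __name__ == "__main__":
    report("exposed mongod.conf", audit_mongod(flatten_yaml_subset(EXPOSED_MONGOD)))
    report("hardened mongod.conf", audit_mongod(flatten_yaml_subset(HARDENED_MONGOD)))
    report("exposed elasticsearch.yml", audit_elasticsearch(flatten_yaml_subset(EXPOSED_ES)))
    report("hardened elasticsearch.yml", audit_elasticsearch(flatten_yaml_subset(HARDENED_ES)))
```

The script deliberately treats a missing authorization setting as a finding rather than as "unknown": on both products the daemon starts happily without it, which is exactly how the installations hit by Meow ended up open. Binding to localhost alone is also not enough if the service must be reached from other hosts; in that case the fix is authentication plus a firewall rule limited to the clients that need access.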

The case of the VPN provider «UFO» is telling: a publicly accessible 894 GB Elasticsearch database belonging to it was discovered.

The provider marketed itself as privacy-conscious and claimed to keep no logs. Contrary to that claim, the database held records including IP addresses, mappings of sessions to timestamps, users' location tags, information about users' operating systems and devices, and lists of domains used to inject advertisements into unprotected HTTP traffic.

The database also contained plaintext passwords and session keys, which would allow intercepted sessions to be decrypted.

«UFO» was informed of the problem on July 1, but the report went unanswered for two weeks; a further notice was sent to the hosting provider on July 14, after which the database was secured on July 15.

The company's response was to move the database to another location, but once again it failed to secure it properly. Not long afterward, the Meow attack wiped it.

On July 20 the database reappeared publicly at a different IP address. Within hours almost all of its data had been deleted. Analysis showed the deletion was part of a large-scale attack, called Meow after the names of the indexes left behind in the database after the wipe.

"Once the exposed data was secured, it reappeared for the second time on July 20 at a different IP address: all records were destroyed by another attack by the 'Meow' robot," Diachenko tweeted earlier this week.

Victor Gevers, president of the non-profit GDI Foundation, also witnessed the new attack. He says the actor is also hitting exposed MongoDB databases, and noted on Thursday that whoever is behind the attack appears to target any database that is insecure and reachable from the Internet.

A search on Shodan showed that several hundred more servers had also fallen victim to the wiping. The number of wiped databases is now approaching 4,000, more than 97% of them Elasticsearch and MongoDB.

According to LeakIX, a project that indexes exposed services, Apache ZooKeeper instances were also targeted. A separate, less destructive attack tagged 616 Elasticsearch, MongoDB and Cassandra databases with the string "university_cybersec_experiment".

Researchers suggest that in these tagging attacks the attackers are demonstrating to the database owners that their data is exposed to viewing or deletion.
