So far, more than 1,000 unsecured databases have been permanently deleted in a sustained attack that leaves the word "meow" as its only calling card, according to Internet searches conducted over the past day.
Researcher Bob Diachenko first became aware of the attack on Tuesday when he discovered a database that stored user data from UFO VPN. UFO VPN was already in the news that day because the publicly readable database contained a wealth of confidential user information, including:
- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN server to which they are connected
- Connection timestamp
- Geo tags
- Device and operating system properties
- Apparent domains from which advertisements are injected into the web browsers of free users
The database was not only a serious breach of privacy, but also contradicted the Hong Kong-based UFO's promise not to keep logs. The VPN provider then moved the database to another location, but again failed to secure it properly. Shortly afterwards, the meow attack wiped it out.
Representatives from UFO did not immediately respond to an email asking for a comment.
Since then, Meow and a similar attack have destroyed more than 1,000 other databases. At the time of this posting, the Shodan computer search site showed that 987 ElasticSearch and 70 MongoDB instances had been wiped by Meow. A separate, less malicious attack tagged an additional 616 ElasticSearch, MongoDB, and Cassandra databases with the string "university_cybersec_experiment". In that case, the attackers appear to be demonstrating to the maintainers that the databases are exposed to viewing or deletion.
Just for fun
This is not the first time attackers have targeted unsecured databases, which are becoming increasingly common with the growing use of cloud computing services from Amazon, Microsoft and other providers. In some cases, the motivation is to extort money with ransomware. In other cases – including the current meow attacks – the data is simply deleted without any ransom note or other explanation. The only thing that remains in the current attacks is the word "meow".
A database affected by the meow attack.
"I think that in most [the latter] cases, malicious actors behind the attacks only do it for fun because they can and because it's really easy," said Diachenko. "It is another wake-up call for the industry and companies that ignore cyber-hygiene and lose their customers' data and data in no time."
As head of research at the security firm Comparitech, Diachenko regularly scans the Internet for databases that expose information because they are not password-protected. The attackers appear to be running similar searches. Once they identify databases that can be modified without credentials, they run scripts that wipe the data. He said the meow attacks had been going on for a few days and showed no signs of waning. He expected the number of affected databases to double by the next day.
People who manage cloud-based databases should ensure that they are protected in accordance with the provider's guidelines.