Hackers targeted unsecured Elasticsearch and MongoDB databases and erased all of their data. The damage was done without any demands. The attacks are named Meow attacks because they leave a telltale "meow" signature.
A tweet shared by Anthr@X, in which security researcher Bob Diachenko was tagged, shows a screenshot of the log file of a database that was attacked.
Meow Hacking Attack
The attackers target unsecured installations of Elasticsearch and MongoDB: installations that are not protected by a firewall and are exposed to the public, or ones without SSL-encrypted communications, are likely to get attacked. The attack came to the notice of security researcher Bob Diachenko on July 20, 2020.
[UFO VPN STORY UPDATE] After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address – all of the records destroyed now by a new “Meow” bot attack. pic.twitter.com/YbQCSKBOK9
— Bob Diachenko (@MayhemDayOne) July 20, 2020
He also shared the latest victim of this attack in one of his tweets. The victim is an African online payment service.
yet another victim of Meow attack, Zimbabwe's leading online payments platform. pic.twitter.com/JOQ9kDIJW5
— Bob Diachenko (@MayhemDayOne) July 27, 2020
Automatic Hacking Attacks
Usually, a bot script is used to attack weak points such as unsecured ports and vulnerable files. It works like a thief walking down a street and trying the doors of vehicles to find one that is unlocked. The Meow attack works the same way.
Currently, it is attacking Elasticsearch the most, followed by MongoDB.
There are 1,779 'meow'd' Elasticsearch clusters and 701 MongoDB instances https://t.co/QOG6oAfksy
— Bob Diachenko (@MayhemDayOne) July 24, 2020
The #meow attack is going thru @protonvpn, not sure how many origin IPs there are. From the logs in MongoDB you can see it drops databases first then create new ones with $randomstring-meow @MayhemDayOne @BleepinComputer #infosec pic.twitter.com/49dnVOGyq7
— Anthr@X (@anthrax0) July 24, 2020
Protective Measure to be Taken
Elasticsearch can be protected by security plugins.
@martinibuster Just reiterating again – Open Distro for Elasticsearch provides a full security suite that is Apache Licensed and free to use – please use it to secure your Elasticsearch folks: https://t.co/M09ndWDQ3G https://t.co/vFR7KdWWB9
— Carl Meadows (@Carl_F_Meadows) July 27, 2020
It would be reasonable for those running Elasticsearch or MongoDB to consider auditing their installations to confirm that they are secure and not exposed to the open Internet.
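One way to run that audit against an Elasticsearch node you operate, as an added example that is not part of the original article: it requests the index list without credentials and flags names matching the `$randomstring-meow` pattern mentioned above. The function names, the sample reply and the assumption that the random prefix is alphanumeric are this example's own.

```python
import json
import re
import urllib.error
import urllib.request

# Assumption: the "$randomstring" prefix seen in the logs is alphanumeric.
MEOW_NAME = re.compile(r"^[a-z0-9]+-meow$", re.IGNORECASE)

# Constructed sample of an exposed, wiped node's answer (not real data).
SAMPLE_BODY = json.dumps([{"index": "k3v9x1p0qz-meow"}, {"index": "orders-2020.07"}])


def meow_names(names):
    """Return the index or database names that end in the '-meow' marker."""
    return sorted(n for n in names if MEOW_NAME.match(n))


def assess(status, body):
    """Classify the reply to an unauthenticated GET /_cat/indices request."""
    if status in (401, 403):
        return ("auth-required", [])
    if status != 200:
        return ("inconclusive", [])
    try:
        names = [row["index"] for row in json.loads(body)]
    except (ValueError, TypeError, KeyError):
        return ("inconclusive", [])  # port answered, but not like Elasticsearch
    hits = meow_names(names)
    return ("open-and-wiped" if hits else "open", hits)


def audit(base_url, timeout=5):
    """Probe one of your own nodes without credentials and classify the reply."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json&h=index"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return assess(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403 are raised, not returned
        return assess(err.code, "")
    except OSError:  # refused, filtered or timed out from this vantage point
        return ("unreachable", [])


if __name__ == "__main__":
    print(assess(200, SAMPLE_BODY))        # constructed reply
    print(audit("http://127.0.0.1:9200"))  # replace with a node you operate
```

Run it from a host outside your perimeter: any result other than `unreachable` or `auth-required` means the node is answering unauthenticated requests from the network you tested from.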