Meow bot deletes unsecured Elasticsearch databases

A group of cybersecurity specialists has detected that dozens of databases exposed on the Internet have fallen victim to “Meow”, an automated attack that randomly destroys data. Apparently it all started a few days ago, when the loss of multiple Elasticsearch and MongoDB deployments was detected. The strangest thing is that the attackers give no explanation for this activity: they leave no ransom notes, threats or anything similar.

The researchers performed an Internet scan using the Shodan search engine, through which they discovered the databases affected by this attack. Although experts have tried to contact the administrators of the exposed databases, it is sometimes too late, as the “Meow” attack has already been carried out.


One of the most recent Meow incidents was detected in an Elasticsearch database owned by a VPN service provider. Administrators claimed that there were no recent activity logs in the database, although researcher Bob Diachenko, who found that no security measures were enabled, reported the risk of attack.

The database was secured, but a few days later administrators disabled the security measures again. Eventually, the database was hit by Meow and all records stored there were deleted.

In subsequent statements, Diachenko noted that there is not much information available about the attackers and their motivations, although he believes it could be an automated script capable of overwriting or even destroying a database altogether.

Other researchers who have observed Meow attacks believe this could be the work of a kind of vigilante trying to intimidate administrators, or teach them a computer security lesson.

Victor Gevers, president of the non-governmental organization GDI Foundation, has also observed this attack variant, stating that the threat actors are also attacking as many exposed MongoDB databases as possible. Gevers has also reported multiple incidents in recent days, notifying administrators.