Posted on July 25, 2020 at 5:49 AM
A recent report revealed that hackers deleted more than 1,000 unsecured databases, leaving only the word “meow” behind.
Researcher Bob Diachenko initially discovered the attack on Tuesday, when he noticed that the database storing UFO VPN user details had been destroyed. UFO VPN was among a group of VPN providers recently found to have exposed sensitive user information, including device and OS characteristics, the IP addresses of both VPN servers and user devices, VPN session secrets and tokens, and account passwords in plain text.
UFO in news lately
Apart from violating users’ privacy, the exposed database contradicted the Hong Kong-based UFO VPN’s promise to keep no logs. Even after relocating the database, the company failed to secure it properly before the Meow attack deleted it entirely.
An email seeking comment has been sent to UFO VPN representatives, but they have yet to respond.
Since then, further attacks have followed, deleting more than 1,000 databases. At the time of writing, a Shodan search showed that 70 MongoDB and Elasticsearch databases had been wiped.
The motives behind the attacks are not yet known, and there has been no ransom demand.
The attacker did not demand any ransom
According to Diachenko, there were no ransom demands in the Elasticsearch bot attack.
“New ElasticSearch bot attack does not contain any ransom or threats, just ‘meow’ with a random set of numbers,” he said.
After his discovery, other threat researchers began spotting large numbers of “meow” results on Shodan, a search engine that indexes internet-connected systems and devices. At present, Shodan shows that about 1,300 Elasticsearch databases have been affected.
A similar search engine based in China, ZoomEye, showed comparable results. A threat researcher known as “Heige” from the Chinese cybersecurity firm KnowSec also spotted the attack. He warned of an ongoing attack on Elasticsearch that appears to delete the original index, create a new one, and leave only a “meow” suffix in the new index’s name.
“So far, ZoomEye is capable of searching 6,100 ElasticSearch services under attack,” he said.
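The index-replacement behaviour Heige describes is easy to spot from a cluster’s own index listing. The following is an added example, not code from the article or from any of the researchers it quotes: it reads the JSON form of Elasticsearch’s `GET /_cat/indices?format=json` output and reports which indices match the Meow pattern and whether any user data survived. The sample output is constructed for illustration, and the assumption that the new index name is a random string followed by “-meow” is taken from the article’s description rather than from any specific sample.

```python
"""Spot Meow-style index replacement in Elasticsearch `_cat/indices` output.

Added example, not the article's code or any researcher's tool. Assumes the
behaviour the article describes: original indices are deleted and replaced by
new, empty indices whose names end in "meow". The random-looking prefixes in
the samples below are constructed.
"""
import json
import re

# Assumed name pattern: random alphanumeric prefix plus "-meow".
MEOW_INDEX = re.compile(r"^[0-9a-z]+-meow$")

# Constructed sample: GET /_cat/indices?format=json from a hit cluster.
SAMPLE_HIT = json.dumps([
    {"health": "yellow", "status": "open", "index": "qk2m7h0z5r-meow",
     "uuid": "constructed-uuid-1", "pri": "1", "rep": "1", "docs.count": "0",
     "docs.deleted": "0", "store.size": "208b", "pri.store.size": "208b"},
    {"health": "yellow", "status": "open", "index": "a8n1xv4d2e-meow",
     "uuid": "constructed-uuid-2", "pri": "1", "rep": "1", "docs.count": "0",
     "docs.deleted": "0", "store.size": "208b", "pri.store.size": "208b"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "uuid": "constructed-uuid-3", "pri": "1", "rep": "0", "docs.count": "12",
     "docs.deleted": "0", "store.size": "41kb", "pri.store.size": "41kb"},
])

# Constructed sample: the same cluster before the attack.
SAMPLE_HEALTHY = json.dumps([
    {"health": "green", "status": "open", "index": "vpn-sessions-2020.07",
     "uuid": "constructed-uuid-4", "pri": "1", "rep": "0",
     "docs.count": "1834920", "docs.deleted": "0", "store.size": "2.1gb",
     "pri.store.size": "2.1gb"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "uuid": "constructed-uuid-3", "pri": "1", "rep": "0", "docs.count": "12",
     "docs.deleted": "0", "store.size": "41kb", "pri.store.size": "41kb"},
])


def parse_cat_indices(json_text):
    """Parse the JSON body of /_cat/indices?format=json into a list of dicts."""
    return json.loads(json_text)


def is_system_index(name):
    """Elasticsearch's own indices (.kibana, .security, ...) start with a dot."""
    return name.startswith(".")


def assess_cluster(entries):
    """Classify indices and decide whether user data appears to be gone.

    Returns meow-pattern indices, surviving non-system indices, and a
    "wiped" verdict: at least one meow index and no surviving user index.
    """
    names = [e["index"] for e in entries]
    meow = sorted(n for n in names if MEOW_INDEX.match(n))
    survivors = sorted(n for n in names
                       if not MEOW_INDEX.match(n) and not is_system_index(n))
    # A meow index that still holds documents did not come from this attack
    # as described (the new indices are empty), so flag it separately.
    nonempty_meow = sorted(e["index"] for e in entries
                           if MEOW_INDEX.match(e["index"])
                           and int(e.get("docs.count") or 0) > 0)
    return {
        "meow_indices": meow,
        "surviving_user_indices": survivors,
        "nonempty_meow_indices": nonempty_meow,
        "wiped": bool(meow) and not survivors,
    }


if __name__ == "__main__":
    for label, sample in (("hit", SAMPLE_HIT), ("healthy", SAMPLE_HEALTHY)):
        print(label, assess_cluster(parse_cat_indices(sample)))
```

Run it against a saved copy of your own cluster’s `_cat/indices` response; a “wiped” verdict with no snapshot repository configured means the data is gone, which is the scenario Gevers warns about below.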
Victor Gevers, a security researcher at the GDI Foundation, said he had found additional services hit by the Meow attacks, including one Hadoop instance, two Jenkins servers, and more than 50 Redis databases.
He has previously tracked compromised databases and ransom attacks, and from that experience he expects more attacks to follow.
Gevers said there are many more unauthenticated services exposed online and it will not be long before they are compromised too. He further warned that losing a database this way can be disastrous for its owner.
Elastic not adversely affected by the attack
SearchSecurity contacted Elastic by email about the incident. Elastic’s vice president of product management responded that the deleted databases were not running any of its free or paid security features, which is why he considers the attack’s impact limited.
He also said it is highly unlikely that any cluster with the security feature enabled was affected, so the impact on paying customers is low. Because security is enabled by default on Elastic Cloud and cannot be disabled there, Elastic Cloud customers are not affected by the attack.
Only free version of MongoDB exposed
MongoDB likewise reported that the premium and enterprise versions of its platform were not compromised or exposed; only the free version was. MongoDB also said that the platform’s default configuration is secure against this kind of compromise.
A MongoDB spokesperson said the platform has more than 110 million downloads worldwide. When such issues were first brought to MongoDB’s attention several years ago, the company changed the open-source platform’s default settings to make it secure by default, and it has since added further protections to shield users from attacks of this kind.
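Both vendor statements above come down to the same configuration question: is the service reachable from outside the host, and if so, is authentication turned on? The following is an added example, not code from the article, Elastic or MongoDB. It audits a self-managed `elasticsearch.yml` and `mongod.conf` for that combination, using the real setting names (`network.host` and `xpack.security.enabled` for Elasticsearch; `net.bindIp`, `net.bindIpAll` and `security.authorization` for mongod) and treating a missing `network.host` or `net.bindIp` as the loopback-only default, which is what both products ship with. The four config fragments are constructed for illustration, and the YAML parser handles only the plain “key: value” and nested-mapping subset these files use.

```python
"""Flag the exposed-and-unauthenticated setup that the Meow attack preyed on.

Added example, not from the article, Elastic or MongoDB. Config fragments are
constructed. The parser covers only "key: value" lines and nested mappings
(no lists, no quoted strings), which is enough for the settings checked here.
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_simple_yaml(text):
    """Flatten a simple YAML mapping into {'a.b': 'value'} using indentation."""
    result = {}
    stack = []  # (indent, key) for each open mapping level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unparsable line: {raw!r}")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:  # scalar: record it and step back out
            result[".".join(k for _, k in stack)] = value
            stack.pop()
    return result


def audit_elasticsearch(text):
    """Findings for elasticsearch.yml: bound beyond loopback without security."""
    cfg = parse_simple_yaml(text)
    host = cfg.get("network.host", "_local_")  # default binds loopback only
    findings = []
    if host not in LOOPBACK and cfg.get("xpack.security.enabled") != "true":
        findings.append(f"Elasticsearch listens on {host} without "
                        "xpack.security.enabled: true; anyone who can reach "
                        "port 9200 can delete every index")
    return findings


def audit_mongod(text):
    """Findings for mongod.conf: bound beyond loopback without authorization."""
    cfg = parse_simple_yaml(text)
    bind_all = cfg.get("net.bindIpAll") == "true"
    # mongod binds 127.0.0.1 only unless told otherwise.
    bind_ips = [ip.strip() for ip in cfg.get("net.bindIp", "127.0.0.1").split(",")]
    exposed = bind_all or any(ip not in LOOPBACK for ip in bind_ips)
    findings = []
    if exposed and cfg.get("security.authorization") != "enabled":
        findings.append("mongod accepts connections from "
                        f"{'all interfaces' if bind_all else bind_ips} without "
                        "security.authorization: enabled; unauthenticated "
                        "clients can drop databases")
    return findings


# Constructed weak and hardened fragments for both products.
ES_WEAK = """
cluster.name: prod-logs
network.host: 0.0.0.0      # every interface, no auth: the Meow victim profile
http.port: 9200
"""
ES_HARDENED = """
cluster.name: prod-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
"""
MONGO_WEAK = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""
MONGO_HARDENED = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for label, fn, cfg in (("es weak", audit_elasticsearch, ES_WEAK),
                           ("es hardened", audit_elasticsearch, ES_HARDENED),
                           ("mongo weak", audit_mongod, MONGO_WEAK),
                           ("mongo hardened", audit_mongod, MONGO_HARDENED)):
        print(label, fn(cfg) or "ok")
```

The hardened Elasticsearch fragment still binds every interface; the point of Elastic’s statement is that a reachable cluster survives as long as security is on. In practice you would also put the HTTP API behind TLS and restrict the listening interface, but the check above isolates the single setting that separated the wiped clusters from the rest.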