More than 4,000 databases exposed on the network have in recent days suffered an attack that erased all their contents. Those responsible have not claimed the action, nor have they left a ransom note demanding money from the owners to recover their data; they just left a message: “meow”.
Or rather “meow”, in English, as this is the ‘signature’ that the mysterious attackers leave in vandalized databases, accompanied by large numbers of random text strings.
These attacks appear to be automated, carried out by a script that selects ‘attackable’ servers by searching for certain vulnerabilities (installations on servers without SSL encryption and/or firewall protection, etc.).
What do we know about victims and attackers?
Most of the attacked databases are Elasticsearch and MongoDB instances. These are not exactly ‘toy’ technologies: the first is used by platforms such as Udemy and Shopify, while the second has such prominent users as the British Government, Adobe, eBay and Verizon. Some databases based on other technologies, such as Redis, Cassandra and CouchDB, have also ‘fallen’.
Experts have not detected any specific pattern that unites the victims of these attacks, which suggests that this could be the work of one or more hackers who are choosing expeditious methods to “teach a lesson” in cybersecurity to the administrators of the databases.
A user has posted screenshots of attacked servers on Twitter that reportedly show the attackers running their ‘meow’ attacks through Proton VPN, a privacy-focused virtual private network, in order to hide the origin of the attack.
The #meow attack is going thru @protonvpn, not sure how many origin IPs there are. From the logs in MongoDB you can see it drops databases first then create new ones with $randomstring-meow @MayhemDayOne @BleepinComputer #infosec pic.twitter.com/49dnVOGyq7
– Anthr@X (@anthrax0) July 24, 2020
Those responsible for Proton also used Twitter to announce their intention to review their network activity and try to block the users responsible.
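The drop-then-recreate behaviour reported in the tweet above can be turned into a triage check over your own database audit events. This is an added example, not code from the article or from any vendor; the event tuple layout, the sample records and the assumption that the random prefix is alphanumeric are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the random prefix is alphanumeric; the page only gives "$randomstring-meow".
MEOW_NAME = re.compile(r"^[A-Za-z0-9]+-meow$")

# Constructed sample events (simplified records, not a real MongoDB log format):
# (timestamp, client address, action, database name)
SAMPLE_EVENTS = [
    ("2020-07-24T10:00:01", "198.51.100.7", "drop", "customers"),
    ("2020-07-24T10:00:02", "198.51.100.7", "drop", "orders"),
    ("2020-07-24T10:00:03", "198.51.100.7", "create", "a8f3kq2z1x-meow"),
    ("2020-07-24T10:00:04", "198.51.100.7", "create", "p0d9w7e5rt-meow"),
    ("2020-07-24T11:30:00", "192.0.2.10", "drop", "staging_tmp"),   # routine maintenance
    ("2020-07-24T11:30:05", "192.0.2.10", "create", "staging"),
    ("2020-07-24T12:00:00", "192.0.2.44", "create", "homeow"),      # no "-meow" suffix
]

def is_meow_name(name):
    """True if a database or index name matches the '<random>-meow' signature."""
    return bool(MEOW_NAME.match(name))

def find_meow_wipes(events):
    """Return {client: {"dropped": [...], "meow": [...]}} for every client that
    dropped at least one database and afterwards created a '<random>-meow' one."""
    dropped = defaultdict(list)
    meow = defaultdict(list)
    # ISO-8601 timestamps sort chronologically as plain strings.
    for _ts, client, action, name in sorted(events):
        if action == "drop":
            dropped[client].append(name)
        elif action == "create" and is_meow_name(name) and dropped[client]:
            meow[client].append(name)
    return {c: {"dropped": dropped[c], "meow": meow[c]} for c in meow}

if __name__ == "__main__":
    for client, hit in find_meow_wipes(SAMPLE_EVENTS).items():
        print(f"{client}: dropped {hit['dropped']}, then created {hit['meow']}")
```

The list of dropped names per client gives the restore scope to check against backups.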
Via | Search Engine Journal