Meow – and your data is gone

If you have a database exposed to the Internet, there’s a good chance it will be found. Tools such as Shodan can often find exposed databases. These databases should, of course, be protected with strong passwords, but administrators are often sloppy with MongoDB and Elasticsearch-type databases.

Now a researcher has found that the data in over 1,700 unsecured databases has been deleted and replaced by a single word … “meow”. The targeted databases are mainly Elasticsearch, MongoDB, and Redis, and these often have weak security.
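As an added example (not part of the original article), the following self-check flags the two conditions that leave these three databases open: no authentication and a listener on a non-loopback address. The sample configurations are constructed, the parser is deliberately minimal, and the defaults assumed for absent keys are stated in the code.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}
# Constructed sample configs (not taken from any real host).
SAMPLES = {
    "redis": "bind 0.0.0.0\nprotected-mode no\n",
    "mongodb": "net:\n  port: 27017\n  bindIp: 0.0.0.0\n",
    "elasticsearch": "network.host: 0.0.0.0\nxpack.security.enabled: false\n",
}

def flatten(text, yaml=True):
    """Flatten nested 'key: value' YAML or Redis 'key value' lines (not full YAML)."""
    out, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not yaml:                               # redis.conf: "directive args"
            key, _, val = line.strip().partition(" ")
            out[key.lower()] = val.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        stack = [(i, k) for i, k in stack if i < indent]   # leave closed sections
        if val.strip():
            out[".".join([k for _, k in stack] + [key])] = val.strip().strip("\"'")
        else:
            stack.append((indent, key))            # section header such as "net:"
    return out

def exposed(addrs):
    # True if any listen address is something other than loopback.
    return any(a.lstrip("-") not in LOOPBACK for a in re.split(r"[,\s]+", addrs) if a)

def audit(kind, text):
    """Findings for one config. Defaults assumed for absent keys: Redis listens
    on all interfaces, the others on loopback, Elasticsearch security off (the
    default before 8.0). Redis ACLs and protected-mode are not modelled."""
    cfg = flatten(text, yaml=(kind != "redis"))
    if kind == "redis":
        public, authed = exposed(cfg.get("bind", "*")), bool(cfg.get("requirepass"))
    elif kind == "mongodb":
        public = cfg.get("net.bindIpAll") == "true" or exposed(cfg.get("net.bindIp", "127.0.0.1"))
        authed = cfg.get("security.authorization") == "enabled"
    else:
        public = exposed(cfg.get("network.host", "_local_"))
        authed = cfg.get("xpack.security.enabled") == "true"
    return ["no authentication"] * (not authed) + ["non-loopback listener"] * public

if __name__ == "__main__": print({k: audit(k, t) for k, t in SAMPLES.items()})
```

A host that reports both findings is in the state the article describes: reachable from outside and open to anyone who connects.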

Early signs suggest that the attack is scripted and run by an automated bot, which searches for signs of an unprotected database, then logs in and deletes the data, leaving only its calling card (“Meow”). The attack may be related to a previous scripted one which did not delete files, but tagged them with “university_cybersec_experiment”.

The first sign of the hacks was identified by Bob Diachenko, who found exposed logs for a VPN provider on an Elasticsearch database. The logs were mostly erased, but “Meow” was left on the tagging of a few files.

The motivations for the attacks are unclear, but it may be a vigilante group focusing on administrators who implement poor security for their data.