Publicly accessible, insufficiently protected Elasticsearch and MongoDB databases have been targeted by so-called Meow attacks that wipe every record. There is no notification and no ransom demand; the attacker simply leaves a 'meow' signature in the server's data. The attacks target unsecured Elasticsearch and MongoDB instances, meaning databases that are not behind a firewall and are open to the public, often without authentication and without TLS-encrypted connections. The Meow bot appears to exist solely to delete databases that have been exposed online without any access restrictions.
Meow Attacks on Elasticsearch and MongoDB
A simple search by BleepingComputer on the IoT search engine Shodan initially found hundreds of databases affected by the attack. The number of wiped databases has since risen to more than 1,800. Such attacks force researchers into a race to locate exposed databases and report them responsibly before they are 'meowed'.
One of the first widely publicized Meow attacks hit the Elasticsearch database of a VPN provider that claimed to keep no logs. Unlike the first time the exposure was found, the owner received no well-intentioned notification email the second time; the database was simply meowed and almost all of its records deleted. At the time of writing, BleepingComputer observed that 'meow' attacks primarily affected Elasticsearch databases (1,395), followed by MongoDB (383) and Redis (54). Elasticsearch and MongoDB together account for over 97 percent of the affected instances.
Meow Bot Attack – An Automated Attack
Security researcher Bob Diachenko confirmed that the Elasticsearch attack took place on July 20, 2020. He also noted that there were no ransom demands or alerts of any kind: the attack was scripted purely to delete all records. Such attacks are normally automated. A bot script scans for targets with known weaknesses, such as exposed ports and unprotected files, much like a criminal walking down a street trying car door handles in search of an unlocked one. The Meow attack is an automated attack against databases in exactly this way.
Meow Attacks Routed Through a VPN
Someone posted screenshots on Twitter of a log file from a MongoDB database that had been attacked. They showed the attack coming from a VPN IP address, used to mask the true origin of the attacker. ProtonVPN replied on Twitter, promising to monitor the behavior and block malicious users who breach its terms and conditions.
Top 7 Ways to Keep Databases Secure
Here are seven of the best ways to secure databases such as MongoDB and Elasticsearch.
- Control access: Limit network exposure. Bind the database to internal interfaces and allow connections only from an allowlist of IP addresses that genuinely need access.
- Enable RBAC: Set up role-based access control for each user and application. The more tightly permissions are limited, the better the database is protected. Review user access and rotate passwords and keys periodically.
- Identify critical and important data: Analyze and determine which information is essential to protect. This requires understanding the logic and architecture of the database, which makes it easier to decide where and how sensitive data will be stored.
- Encrypt information (TLS/SSL): Once sensitive and confidential data has been identified, encrypting it with robust algorithms is good practice. Configure TLS/SSL to encrypt communication between all database components and connected applications.
- Anonymize non-production data sources: Anonymization produces a duplicate copy of the data that keeps the same structure as the original but replaces the confidential values, so that test and development environments hold nothing sensitive.
- Audit and monitor database activity: A full transaction history helps you understand patterns of data access and modification, so you can prevent information leakage, catch fraudulent changes, and detect suspicious activity in real time. Database activity monitoring (DAM) software can be used to watch data access continuously.
- Keep the database up to date: Apply patches and upgrade to the latest supported version.
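The first, second and fourth points above (network exposure, authentication and TLS) are exactly the settings a bot such as Meow relies on being wrong, and they can be checked before a database ever goes online. The script below is an added example, not code from the original article or from the MongoDB or Elastic projects: it flattens a mongod.conf or elasticsearch.yml into dotted keys and flags the weak settings, showing the exposed configuration beside its hardened form. The sample config files are constructed for this demonstration; the setting names (`net.bindIp`, `security.authorization`, `net.tls.mode`, `network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are the real ones from the two products, but the parser deliberately covers only the small YAML subset those files normally use.

```python
"""Audit mongod.conf / elasticsearch.yml for the weaknesses the Meow bot exploits.

Added example for this article; not part of MongoDB or Elasticsearch. The sample
configuration texts below are constructed for the demonstration.
"""
import re

# Constructed sample: a mongod.conf left the way many wiped servers were found.
WEAK_MONGOD = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, no auth, no TLS
"""

# Constructed sample: the same server with exposure, auth and TLS fixed.
HARDENED_MONGOD = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""

WEAK_ES = """
cluster.name: logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_ES = """
cluster.name: logs
network.host: 10.0.0.7
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_simple_yaml(text):
    """Flatten nested or dotted YAML keys into {'a.b.c': 'value'}.

    Handles only the subset typical of mongod.conf / elasticsearch.yml: block
    mappings by indentation, scalar values, comments. No lists of mappings,
    anchors or multi-line scalars.
    """
    result = {}
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            result[path] = value
        else:
            stack.append((indent, key.strip()))
    return result


def detect_kind(conf):
    """Guess which product a flattened config belongs to from its key prefixes."""
    if any(k.startswith(("xpack.", "network.", "cluster.", "http.", "node.")) for k in conf):
        return "elasticsearch"
    if any(k.startswith(("net.", "security.", "storage.", "systemLog.")) for k in conf):
        return "mongod"
    return "unknown"


def audit_mongod(conf):
    findings = []
    bind = conf.get("net.bindIp", "127.0.0.1")  # mongod default: loopback only
    addrs = {a for a in re.split(r"[\[\],\s]+", bind) if a}
    if conf.get("net.bindIpAll", "false").lower() == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp: listens on all interfaces; bind to internal addresses and firewall the port")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled; anyone reaching the port has full access")
    if conf.get("net.tls.mode", "disabled") not in ("requireTLS", "preferTLS"):
        findings.append("net.tls.mode: connections are not TLS-encrypted; set requireTLS")
    return findings


def audit_elasticsearch(conf):
    findings = []
    if conf.get("network.host", "_local_") in ("0.0.0.0", "::", "_global_"):
        findings.append("network.host: listens on all interfaces; bind to an internal address and firewall 9200")
    # Releases before 8.0 left security off unless it was explicitly enabled.
    if conf.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled: security off; the REST API is unauthenticated")
    if conf.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled: HTTP API is not TLS-encrypted")
    return findings


def audit_config(text):
    """Return a list of finding strings; an empty list means no weak setting found."""
    conf = parse_simple_yaml(text)
    kind = detect_kind(conf)
    if kind == "mongod":
        return audit_mongod(conf)
    if kind == "elasticsearch":
        return audit_elasticsearch(conf)
    return ["could not identify configuration type"]


if __name__ == "__main__":
    for name, text in [("weak mongod", WEAK_MONGOD), ("hardened mongod", HARDENED_MONGOD),
                       ("weak elasticsearch", WEAK_ES), ("hardened elasticsearch", HARDENED_ES)]:
        print(f"{name}: {audit_config(text) or ['OK']}")
```

Run against a real file with `audit_config(open('/etc/mongod.conf').read())`. The audit is deliberately conservative: an absent setting is treated as the insecure default, because that is how the wiped servers were configured.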
Tracking such leaks as quickly as possible is becoming a challenge, and the attacks shrink the window available to investigate and report an exposure. Whoever is behind the 'meow' attacks will likely continue to hunt for unsecured databases and destroy them outright. Administrators should ensure that they expose only what needs to be exposed and properly protect those assets.
In Elasticsearch Service on Elastic Cloud, security is enabled for all cloud users by default and cannot be disabled, so Elastic Cloud customers are not exposed to the weaknesses that the Meow bot attacks exploited. Another inexpensive way to prevent such incidents is to set up external scanning that continuously checks your own address ranges for exposed databases.
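A minimal version of such an external check, added here as an example and not taken from the article or from any vendor, is to ask the database port the same question the Meow bot does: does it answer an unauthenticated HTTP request? An Elasticsearch node with security off answers `GET /` with its cluster JSON, one with security on answers 401, and a mongod driver port answers any HTTP request with a fixed warning string. The classification logic is separated from the network call so the verdicts can be checked against constructed responses; `probe()` is the function you would point at your own hosts.

```python
"""Probe a host:port for the unauthenticated replies an exposed database gives.

Added example for this article, not vendor code. The response bodies in the
samples below are constructed to mirror the well-known reply formats.
"""
import json
import socket
import urllib.error
import urllib.request

# Constructed sample bodies used to exercise classify_response() offline.
ES_OPEN_BODY = json.dumps({"name": "node-1", "cluster_name": "logs",
                           "version": {"number": "7.8.0"},
                           "tagline": "You Know, for Search"})
ES_AUTH_BODY = json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials"},
                           "status": 401})
MONGO_HTTP_BODY = ("It looks like you are trying to access MongoDB over HTTP "
                   "on the native driver port.")


def classify_response(status, body):
    """Turn an HTTP status and body from a database port into a verdict string."""
    if status == 401:
        return "elasticsearch: authentication required (not exposed)"
    if "trying to access MongoDB over HTTP" in body:
        return "mongodb: driver port reachable; verify bindIp, firewall and authorization"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown service"
    if isinstance(data, dict) and "cluster_name" in data and isinstance(data.get("version"), dict):
        version = data["version"].get("number", "?")
        return f"elasticsearch {version}: unauthenticated cluster info returned (EXPOSED)"
    return "unknown service"


def probe(host, port, timeout=3.0):
    """GET http://host:port/ and classify the reply; only run against hosts you own."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:          # 401 and friends arrive here
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return "closed or filtered"


if __name__ == "__main__":
    # Offline demonstration against the constructed samples.
    print(classify_response(200, ES_OPEN_BODY))
    print(classify_response(401, ES_AUTH_BODY))
    print(classify_response(200, MONGO_HTTP_BODY))
    # Live use (your own hosts only), e.g.:  print(probe("10.0.0.7", 9200))
```

Schedule it from a host outside your network perimeter; a result other than "closed or filtered" or "authentication required" on a database port is the condition that got the 1,800-plus wiped instances found in the first place.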