

Meow Attack

Researchers have found a new attack that searches for unsecured databases and deletes their data without explanation. The attack, dubbed “Meow” because the attacker renames databases, tables and indices by appending “-meow” to the original names, was verified by BleepingComputer using the Shodan search engine. It appears to have affected dozens of databases in the last few days. Many of the exposed databases had earlier been responsibly reported to their owners by volunteer researchers, but if they were not secured immediately, they were destroyed—sometimes mere hours after the owners were contacted. The most recent attack was against a VPN provider that claimed to keep no logs but had an unsecured Elasticsearch database containing user activity. That database was “meowed,” with all of its records wiped. The researcher, Bob Diachenko, told BleepingComputer that there are few details about the attacker or their intentions, only that it appears to be an automated script that “overwrites or destroys the data completely.” One theory is that the attacker is a vigilante trying to teach administrators a lesson about securing databases by destroying unsecured ones. Currently, the attacks appear to be directed at the Elasticsearch and MongoDB platforms.

Analyst Notes

Responsibly disclosing unsecured databases is helpful, but wiping them clearly violates the law in many countries. If there is a silver lining, it is that the number of unsecured databases appears to be on a downward curve. Even so, anyone who sets up a database server or uses a database provider should verify that their data is not open and available to the public. Misconfiguration is the most common reason cloud servers are taken over or destroyed by attackers. Organizations should work with their database provider to secure their data and audit their security measures on a regular basis.
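As an added example (not from the original post), the following Python script shows two checks an administrator can run against their own Elasticsearch cluster: spotting indices that already carry the “-meow” suffix described above, and confirming whether the cluster answers `_cat/indices` without any credentials. The sample response is constructed to mirror the shape of `_cat/indices?format=json`; the host URL and index names are assumptions.

```python
import json
import urllib.error
import urllib.request

MEOW_SUFFIX = "-meow"


def meowed_names(names):
    """Return the object names (indices, collections, tables) ending in the
    '-meow' suffix the attacker appends after wiping the original."""
    return sorted(n for n in names if n.endswith(MEOW_SUFFIX))


def audit_cat_indices(cat_indices_json):
    """Parse an Elasticsearch `_cat/indices?format=json` response (a JSON array
    of objects with an 'index' field) and map each renamed index to its
    remaining document count (0 after a wipe)."""
    rows = json.loads(cat_indices_json)
    hits = [r for r in rows if r.get("index", "").endswith(MEOW_SUFFIX)]
    return {r["index"]: int(r.get("docs.count", 0)) for r in hits}


def check_unauthenticated_access(base_url="http://127.0.0.1:9200", timeout=5):
    """Self-check for a cluster you administer: does it serve `_cat/indices`
    with no credentials at all? Returns (exposed, detail)."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
            # A 200 with no auth header means anyone who can reach the port can list,
            # read and delete indices, which is exactly what the Meow script relies on.
            return True, audit_cat_indices(resp.read().decode())
    except urllib.error.HTTPError as e:
        # 401/403 means authentication is enforced; other codes still merit a look
        return False, f"HTTP {e.code}"
    except (urllib.error.URLError, OSError) as e:
        return False, f"no response: {e}"


# Constructed sample in the shape `_cat/indices?format=json` returns (assumed names)
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "user-activity-meow", "docs.count": "0", "store.size": "226b"},
    {"index": "sessions", "docs.count": "48213", "store.size": "5.1mb"},
    {"index": "vpn-logs-meow", "docs.count": "0", "store.size": "226b"},
])

if __name__ == "__main__":
    print(audit_cat_indices(SAMPLE_CAT_INDICES))
```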