A previously unknown group of hackers is hunting unsecured online databases. ElasticSearch, an open source search engine that specializes in storing documents in a No-SQL format, and MongoDB databases are particularly affected. The attackers are apparently not interested in locking database content and thereby extorting money.
Rather, the bot searches cloud infrastructures from Amazon, Google and Microsoft. If he finds an unsecured database, he overwrites all the data stored there with random numbers and leaves a friendly “meow” as a farewell greeting.
Security expert Volodymyr Bob Diachenko discovered the pest. The malware placed a random series of numbers, Diachenko tweeted on July 20:
New Elasticsearch bot attack does not contain any ransom or threats, just ‘meow’ with a random set of numbers. It is quite fast and search & destroy new clusters pretty effectively pic.twitter.com/F8Ke3CI64i
– Bob Diachenko (@MayhemDayOne) July 20, 2020
As various search indexes on the web show, “Meow” has already destroyed several thousand databases. Security experts have observed that the attacks are spreading to other data platforms such as Redis databases, Jenkins servers and Hadoop instances.
This is how an SQL injection attack on your database works
In the affected ElasticSearch clusters, neither free nor paid security functions were activated, “TechTarget” quotes those responsible for ElasticSearch. They did not expect clusters with security features to be compromised. A spokesman for MongoDB told the online magazine: “The affected instances are not instances of MongoDB Enterprise Advanced or MongoDB Atlas, but are freely downloadable and usable community versions.” By default, the MongoDB database is shipped with secure presets today.
MongoDB was criticized a few years ago. In 2015, students from Saarbrücken discovered almost 40,000 freely accessible MongoDB databases online. The reason for this was an incorrect configuration during installation, it was said at the time. Back then, when users stubbornly followed the guidelines given during installation, a lot of data ended up freely on the Internet. Since this GAU, the manufacturer has sharpened its security routines around installation and configuration.
MongoDB – what the NoSQL database can do
For “Meow” that was apparently not enough. Apparently, there are still a number of old database instances or installations in which administrators subsequently made errors when configuring the data storage. For security, all users who use ElasticSearch, MongoDB or other easy-to-use open source databases should check the associated security settings carefully and readjust if necessary. Because otherwise it meows and the data is gone.