Dozens of unsecured Elasticsearch and MongoDB instances exposed on the internet have fallen victim to a campaign tracked as the Meow attack, in which malicious actors wipe databases without any explanation or a ransomware note.
The attacks were first spotted by security researcher Bob Diachenko. One of the recent Meow attacks was observed targeting the Elasticsearch database belonging to Hong Kong-based VPN provider UFO VPN, which made headlines recently when researchers from vpnMentor reported that seven Virtual Private Network services (UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN) leaked 1.2 terabytes of private user data.
According to Diachenko, UFO VPN secured its database at the beginning of July, but on July 20 the database resurfaced at a different IP address and contained records as recent as July 19. On the same day, the exposed database was wiped in a Meow attack, with only recent records remaining.
Since then, Meow and a similar attack have destroyed more than 1,000 other databases. A recent Shodan search showed that 987 Elasticsearch and 70 MongoDB instances have been affected by the Meow attack.
Diachenko said that not much is known about the attackers or the reasoning behind their actions. The researcher said that the attack appears to be an automated script that “overwrites or destroys the data completely.”