MongoDB and ElasticSearch Exposures Could Put Major Companies At Risk of “Meow” Attacks

There’s a reason why databases should never be exposed on the public Internet. They are generally repositories of data—oftentimes sensitive data—that are meant to only be accessed by authorized internal users. The fact that anyone with an email address and a credit card can spin up a new database in the cloud with sensitive corporate data only makes exposed databases that much more of a challenge for security and IT leaders to wrap their arms around.

This week, an unknown attacker or attackers have been using a bot to wipe exposed ElasticSearch and MongoDB databases on the Internet in what is now being called the “Meow” attacks. To understand the potential impacts of this series of attacks, Expanse looked at data across a group of 45 Fortune 500 and Global 500 companies. From June 30 to July 15, 25% of these companies had at least one ElasticSearch database server exposed on the public Internet and 10% had one or more MongoDB servers exposed. This suggests that some of the world’s largest, most sophisticated, and most well-resourced organizations could be at risk for the Meow attacks. While Expanse cannot specifically verify that these databases are vulnerable to the Meow attack, the fact that they are exposed online indicates the potential that they could be.

Originally discovered by security researcher Bob Diachenko, the Meow attack involves accessing an ElasticSearch or MongoDB database exposed on the Internet and replacing the database content with the word “meow” and a seemingly random set of numbers. It’s common in attacks focused on databases for attackers to leverage ransomware. They gain access to the database and then block the user’s access to the content until they pay a ransom. In this case, however, the attackers are not demanding ransom but instead just wiping the data. 

Because of the ease of deploying new databases in the cloud, database security has always been notoriously challenging. This also makes exposed databases a prime target for attackers, since it’s easy for attackers to come in and find databases with valuable data packaged up for them with minimal to no security controls in place to protect it. Databases should never be exposed on the public Internet in this way, and are particularly risky during this type of ongoing attack. 

Security leaders should take immediate action to identify any exposed database servers belonging to their organization and remove them from the Internet. Expanse stands ready to help with this by finding all of your exposed Internet assets, including MongoDB and ElasticSearch servers. To learn more, set up a time to talk with one of our experts today.