New Risks With Exposed Elasticsearch and MongoDB - Users ‘Meowed’ Without Any Warning

Drawn by the benefits and efficiencies of document-oriented databases like MongoDB, companies have been adopting them at an unprecedented pace. At the same time, neglecting the security aspects has led several organizations to pay a price.


Attackers eying MongoDB and Elasticsearch

Recently, some attackers were seen targeting unsecured MongoDB instances exposed to the internet, and deleting them without any warning.
  • In July 2020, an automated script (a ‘bot’ program named ‘Meow’) was discovered, which was programmed to target and delete unsecured Elasticsearch and MongoDB databases exposed on the internet.
  • Dozens of databases have already been deleted by the script, without leaving any ransom note or any other kind of warning or explanation.
  • In one specific instance, databases belonging to a VPN service provider were targeted by the Meow attack. The databases were initially secured in July, but they were exposed again within 5 days. During the second attempt, the databases were simply wiped from their original location.

Other recent threats

MongoDB and Elasticsearch have been targeted by several attackers for a long time.
  • In July 2020, UFO VPN, a Hong Kong-based VPN service provider, left an Elasticsearch cluster exposed on the internet with a password, exposing data of more than 20 million users.
  • In the same month, a hacker hijacked around 22,900 MongoDB databases (almost 47% of all MongoDB instances online). The attacker used an automated script that would scan for exposed MongoDB databases, wipe out the content, and leave a ransom note asking for a payment of 0.015 bitcoin (~$140).

A word of caution

Administrators using these document-oriented databases should ensure that they expose only the necessary information to the internet, and that anything exposed is protected by proper security checks such as passwords and encryption.
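As an added example (not part of the original article), the following Python sketch audits the text of a `mongod.conf` or `elasticsearch.yml` and flags an instance that listens on a non-loopback address without authentication or TLS. It assumes simple YAML (nested maps or dotted keys, no lists spread over several lines) and treats a missing `xpack.security.enabled` as off, which was the default before Elasticsearch 8.0; the sample configs are constructed.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

def flatten(text):
    """Flatten simple YAML (nested maps or dotted keys) to {"a.b": "value"}."""
    out, stack = {}, []  # stack: (indent, key) of the currently open parent maps
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w.]+)\s*:\s*(.*)$", raw.split("#", 1)[0].rstrip())
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value:
            out[".".join([k for _, k in stack] + [key])] = value.strip("\"'")
        else:
            stack.append((indent, key))
    return out

def non_loopback(hosts):
    """True if any listed bind address is reachable from outside the host."""
    names = [h.strip(" \"'") for h in hosts.strip("[]").split(",")]
    return any(n and n not in LOOPBACK for n in names)

def missing(c, label, reachable, required):
    """One finding per required setting that a network-reachable instance lacks."""
    return [f"{label}: network-reachable without {k}: {v}"
            for k, v in required if reachable and c.get(k, "").lower() != v.lower()]

def audit_mongod(text):
    c = flatten(text)
    reachable = (c.get("net.bindIpAll", "false").lower() == "true"
                 or non_loopback(c.get("net.bindIp", "localhost")))
    return missing(c, "mongod", reachable,
                   [("security.authorization", "enabled"), ("net.tls.mode", "requireTLS")])

def audit_elasticsearch(text):
    c = flatten(text)
    reachable = non_loopback(c.get("http.host", c.get("network.host", "_local_")))
    return missing(c, "elasticsearch", reachable,
                   [("xpack.security.enabled", "true"), ("xpack.security.http.ssl.enabled", "true")])

# Constructed sample configs (not taken from any real deployment).
WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARD_MONGOD = WEAK_MONGOD + "  tls:\n    mode: requireTLS\nsecurity:\n  authorization: enabled\n"
WEAK_ES = "network.host: 0.0.0.0\n"
```

An empty result means the config either binds to loopback only or has both controls set; it does not replace a firewall or security-group review.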
Cyware Publisher
