New Risks With Exposed Elasticsearch and MongoDB - Users ‘Meowed’ Without Any Warning

Knowing the benefits and efficiencies associated with document-oriented databases like MongoDB, companies have been adopting them at an unprecedented pace. But at the same time, missing out on the security aspects has lead several organizations into paying a price as well.


Attackers eying MongoDB and Elasticsearch

Recently, some attackers were seen targeting unsecured MongoDB instances exposed to the internet, and deleting them without any warning.
  • In July 2020, an automated script (a ‘bot’ program named a ‘Meow’) was discovered, which was programmed to target and delete unsecured Elasticsearch and MongoDB databases exposed on the internet.
  • Dozens of databases have been already deleted by the script, without leaving any ransom note or any other kind of warning or explanation.
  • In one specific instance, databases belonging to a VPN Service provider were targeted by the Meow attack. Initially, the databases were secured in July, but they were exposed again within 5 days. During the second attempt, the databases were simply wiped off from its original location.

Other recent threats

MongoDB and Elasticsearch have been on target of several attackers for a long time.
  • In July 2020, UFO VPN, a Hong Kong-based VPN service provider, left an Elasticsearch cluster exposed on the internet with a password, exposing data of more than 20 million users.
  • In the same month, a hacker hijacked around 22,900 MongoDB databases (almost 47% of all MongoDB instances online). The attacker used an automated script that would scan for exposed MongoDB databases, wipe-out the content, and left a ransom note asking for 0.015 bitcoin (~$140) payment.

A word of caution

Administrators using these document-oriented databases should ensure that they expose only the necessary information to the internet and that too with proper security checks like passwords and encryption in place.