Lana - stock.adobe.com

'Meow' attacks top 25,000 exposed databases, services

One month after the notorious 'meow' attacks were first detected, the threat to misconfigured databases exposed on the internet shows little sign of slowing down.

The number of databases and services affected by the still-mysterious "meow" attacks has reached more than 25,000.

As of Tuesday, Shodan search results for meow indices show 13,571 hacked databases in Elasticsearch and 7,566 MongoDBs. The remaining results are divided among systems running other database software such as Jenkins, Cassandra and more.

And according to Bob Diachenko, the cyber threat intelligence director for Security Discovery who observed the first "meow" attack last month, the number grows every day. "Meow attacks are still here, and I don't see any sign of them slowing down," Diachenko said in an email to SearchSecurity.

The Shadowserver Foundation, a nonprofit infosec organization, said its scans show the number of affected MongoDB instances has fluctuated in recent days between approximately 5,300 and 7,400 databases. A Shadowserver spokesperson said the organization had previously seen more than 8,000 MongoDB instances wiped by meow attacks but the number has declined, most likely because victims have cleaned up their databases.

The majority of meow attacks have affected Elastic and MongoDB customers, though both vendors said previously that they believe the attacks have only affected misconfigured databases that were accidentally exposed to the public internet with no password protection or access controls.

While the attacks are on the rise, Shadowserver's statistics for open MongoDB instances reveal that there's been no real change in the number of exposures over the last month; the media coverage of the attacks and vendor-issued alerts don't appear to have spurred organizations to review their security configurations and lock down their databases.

It's unclear what types of organizations have been affected by the meow attacks, or what the threat actors' goal is. "We do not have additional insight into the motive," the Shadowserver spokesperson said via email. "The majority of databases are hosted at various cloud providers (China, US), [but] we have not looked into who they actually belong to."

Diachenko earlier this month revealed that Adit, a software vendor that specializes in medical and dental patient management, had suffered an attack that wiped out an ElasticSearch database with personal information for more than 3 million patients.

"[NEW REPORT] 3.1 million patients' details exposed by a medical software company, ES cluster was 'meow-ed' and all data destroyed," he wrote on Twitter.

Diachenko discovered the unsecured database on July 13. "The database includes patient names, email addresses, phone numbers, and the practices where patients receive treatment. It was exposed on the web without a password or any other authentication required to access it," Diachenko wrote in the report. "The data was exposed for at least 10 days before the meow bot destroyed it."

Dig Deeper on Application and platform security