Ongoing Meow attack has nuked >1,000 databases without telling anyone why

Pickles von Brine

 

 

Summary

More than 1,000 unsecured databases so far have been permanently deleted in an ongoing attack that leaves the word “meow” as its only calling card, according to Internet searches over the past day.

 

Quotes

Quote

The attack first came to the attention of researcher Bob Diachenko on Tuesday, when he discovered a database that stored user details of the UFO VPN had been destroyed. UFO VPN had already been in the news that day because the world-readable database exposed a wealth of sensitive user information, including:

  • Account passwords in plain text
  • VPN session secrets and tokens
  • IP addresses of both user devices and the VPN servers they connected to
  • Connection timestamps
  • Geo-tags
  • Device and OS characteristics
  • Apparent domains from which advertisements are injected into free users’ Web browsers

Besides amounting to a serious privacy breach, the database was at odds with the Hong Kong-based UFO’s promise to keep no logs. The VPN provider responded by moving the database to a different location but once again failed to secure it properly. Shortly after, the Meow attack wiped it out.

Representatives of UFO didn’t immediately respond to an email seeking comment.

Since then, Meow and a similar attack have destroyed more than 1,000 other databases. At the time this post went live, the Shodan computer search site showed that 987 ElasticSearch and 70 MongoDB instances had been nuked by Meow. A separate, less-malicious attack tagged an additional 616 ElasticSearch, MongoDB, and Cassandra files with the string “university_cybersec_experiment.” The attackers in this case seem to be demonstrating to the database maintainers that the files are vulnerable to being viewed or deleted.

One database affected by the Meow attack.

My thoughts

Um... What?  Unsecure databases are just being deleted with the word "meow". This almost sounds like something a 13-year-old did. It is so weird. I am not sure what to really say other than protect your stuff, make sure things are siloed and use protection. Though... um... thoughts? Any idea why in the hell someone would do this? I cannot think of it as anything other than someone being an ass.

 

Source

 


Silly cat, that's not Meow Mix
 

 


2 minutes ago, Pickles - Lord of the Jar said:

 

My thoughts

Um... What?  Unsecure databases are just being deleted with the word "meow". This almost sounds like something a 13-year-old did. It is so weird. I am not sure what to really say other than protect your stuff, make sure things are siloed and use protection. Though... um... thoughts? Any idea why in the hell someone would do this? I cannot think of it as anything other than someone being an ass.

 

I mean, the biggest ass is the one keeping logs despite claiming not to, then leaving that out in the open...

This could be like that IoT virus that infects devices, removes botnets, and secures the device so botnets can't return. Of course, it locks out the device owners as well in the process, so not "harmless", but more like a "guerrilla security" type of thing. This looks similar in that it is destructive (way more than the botnet example), but it also prevents data leaks. Maybe some angry ITSec specialist went on a crusade, "if you can't securely store data then you better not have any data" type of logic.


it was @seon123


14 minutes ago, Pickles - Lord of the Jar said:

 

My thoughts

Um... What?  Unsecure databases are just being deleted with the word "meow". This almost sounds like something a 13-year-old did. It is so weird. I am not sure what to really say other than protect your stuff, make sure things are siloed and use protection. Though... um... thoughts? Any idea why in the hell someone would do this? I cannot think of it as anything other than someone being an ass.

 

Source

 

There are whitehat hackers, and then there are blackhat hackers. Whitehats find the problems and try to get the people responsible to fix them. Blackhats find the problems and exploit or destroy them, for fun.

Like it's an eventuality that someone will use the same exploit to just destroy everything exploitable, whereas botnets would rather not destroy their victims' machines, otherwise they would destroy themselves in the process. Like that is one version of the Armageddon for botnets.

https://en.wikipedia.org/wiki/CIH_(computer_virus)

This was the last known time that something was known to permanently destroy PCs on purpose and was widely proliferated. Stuxnet was a narrowly targeted one that targeted PLCs. Most other destructiveness comes from malware designed to extort the victim, and doesn't spread like a virus. WannaCry is probably the last thing that was semi-destructive with this nature, and was something that could have been prevented had the NSA not sat on it.


At least this person speaks English.

I know that in Japanese meow is nya.

Everyone, Creator初音ミク Hatsune Miku Google commercial.

 

 


Over 1000 databases is a lot of databases.  Just because the database it was discovered having attacked was ugly doesn’t mean they all were.  Makes me wonder if there’s a commonality amongst them other than them being unsecured.  Also a common way to hide one’s tracks is to make a lot of them.  Attacker might have only been interested in one of the databases but killed the lot to obfuscate involvement.  If it was just one database a line might more easily be drawn.


Seems like something the owner of the channel Linus Cat Tips might know something about :D


Honestly…even if a meow ends up being a company that has my data (or even ESPECIALLY if it does), I applaud the meow hacker.  They're basically just removing what should be private data from the public view, and from the hands of those who already showed they couldn't be trusted with it.


8 minutes ago, Kisai said:

There are whitehat hackers, and then there are blackhat hackers. Whitehats find the problems and try to get the people responsible to fix them. Blackhats find the problems and exploit or destroy them, for fun.

Like it's an eventuality that someone will use the same exploit to just destroy everything exploitable, whereas botnets would rather not destroy their victims' machines, otherwise they would destroy themselves in the process. Like that is one version of the Armageddon for botnets.

https://en.wikipedia.org/wiki/CIH_(computer_virus)

This was the last known time that something was known to permanently destroy PCs on purpose and was widely proliferated. Stuxnet was a narrowly targeted one that targeted PLCs. Most other destructiveness comes from malware designed to extort the victim, and doesn't spread like a virus. WannaCry is probably the last thing that was semi-destructive with this nature, and was something that could have been prevented had the NSA not sat on it.

There's also the ones who operate between the two called Grey Hats. These go one of two ways, they operate using questionable methods but do submit bugs to be fixed or they will submit a bug, claim its bounty then release it anyway (after the grace period has expired).

Actually within the last few weeks it was revealed that a prominent hacker in the Vita/Playstation scene received payment from Sony to not reveal a PS4 Kernel Exploit for a year. The exploit was patched months ago now but the year is almost up and the PS4 scene is hoping that when he does release it will lead to PS4s up to Firmware V7 being exploitable.


Cats: known to meow and knock things over.

How to remove an SQL table (part of a DB): DROP TABLE table_name;

 

I rest my case.

1 minute ago, minibois said:

Cats: known to meow and knock things over.

How to remove an SQL table (part of a DB): DROP TABLE table_name;

 

I rest my case.

You know who else is famous for dropping things? The owner of Linus Cat Tips...

 

The plot thickens.


Just now, Master Disaster said:

You know who else is famous for dropping things? The owner of Linus Cat Tips...

The plot thickens.

And Razer has been known to create cat ear headsets... Linus used a clone of such headsets, where the ears were speakers..

 

 

In conclusion: Linus stole Razer Valerie

Could Linus know who stole Project Valerie? - General Discussion ...

This seems like a grey hat hacker showing that those databases are vulnerable.


47 minutes ago, justpoet said:

Honestly…even if a meow ends up being a company that has my data (or even ESPECIALLY if it does), I applaud the meow hacker.  They're basically just removing what should be private data from the public view, and from the hands of those who already showed they couldn't be trusted with it.

Still makes assumptions about those thousand plus databases.  We only know about one of them.  They should all be looked at.


40 minutes ago, williamcll said:

This seems like a grey hat hacker showing that those databases are vulnerable.

Might be.  There are a bunch of possibles.


Is there news if it's been limited to only MySQL backed DB? Or have they hit PSQL as well? Honestly, I'm not surprised; I think people believe that there is a lot more organization within companies with security and data, especially at the startup -> small stage, the amount of client DB we've had to clean & fix was astonishing when I started dealing with WP owners. More often than not, the database is exposed because companies are tied down with so much tech overhead and things get forgotten; solid reminder for IP whitelisting & tidying up at the end of the day.


1 hour ago, minibois said:

Cats: known to meow and knock things over.

How to remove an SQL table (part of a DB): DROP TABLE table_name;

 

I rest my case.

As the proud slave of multiple cats, I concur.


16 minutes ago, rewird said:

Is there news if it's been limited to only MySQL backed DB? Or have they hit PSQL as well? Honestly, I'm not surprised; I think people believe that there is a lot more organization within companies with security and data, especially at the startup -> small stage, the amount of client DB we've had to clean & fix was astonishing when I started dealing with WP owners. More often than not, the database is exposed because companies are tied down with so much tech overhead and things get forgotten; solid reminder for IP whitelisting & tidying up at the end of the day.

The source only mentions ElasticSearch, MongoDB, and Cassandra - all of which have nothing in common with MySQL/MariaDB and PostgreSQL.


I’d have left a picture of a kitty that says “I’m hungry.”


2 hours ago, rewird said:

Is there news if it's been limited to only MySQL backed DB? Or have they hit PSQL as well? Honestly, I'm not surprised; I think people believe that there is a lot more organization within companies with security and data, especially at the startup -> small stage, the amount of client DB we've had to clean & fix was astonishing when I started dealing with WP owners. More often than not, the database is exposed because companies are tied down with so much tech overhead and things get forgotten; solid reminder for IP whitelisting & tidying up at the end of the day.

WordPress is just utter rubbish and people should not use it unless they extensively blog/engage with comments. It's not a CMS so much as an incomplete collection of modules that doesn't quite do enough in the base (e.g. no caching) but the stuff it does come with or encourage you to use bloats the RAM use to the point that it overwhelms "free hosting" and "cheap hosting" sites, so they won't allow people to run it if it gets more than 10 page views per second.

 


47 minutes ago, Caroline said:

43eqlp.jpg

Well that is what he would say.  Insinuation without any evidence for his own personal advantage has been something we’ve seen a lot of.  Not to say it didn’t come from China.  Would be an extremely strange thing for their government to do.   Lot of people in China and individuals there are just as likely to be opinionated as anywhere else.   I still think a careful look at exactly what databases got scrubbed could prove enlightening.  There may have been only one actual target, with the others attacked merely to confuse the issue.


11 hours ago, Pickles - Lord of the Jar said:

My thoughts

Um... What?  Unsecure databases are just being deleted with the word "meow". This almost sounds like something a 13-year-old did. It is so weird. I am not sure what to really say other than protect your stuff, make sure things are siloed and use protection. Though... um... thoughts? Any idea why in the hell someone would do this? I cannot think of it as anything other than someone being an ass.

Well, on one hand, it's a terrible practice to leave databases open to the public internet without any form of secure, 2 factor authentication or token system. Maybe they did it for the lulz, maybe they have an agenda, or maybe we'll never know. One thing we do know is that there is always a relevant XKCD. :D 

https://xkcd.com/327/

Exploits of a Mom

 

9 hours ago, VegetableStu said:

 

 

Ah, yes, good old Cyriak, up to his tricks again.

 

 
