9 July 2021
Malicious software, also known as “malware”, refers to programs that are dangerous to IT systems. Once it has taken control of a computer, the malware gains access to the system and damages or disables it.
The goal is to steal, modify or delete data before the administrator is aware of it. Money can also be extorted in exchange for the stolen data; this is called ransomware.
There is no typical profile that characterizes malware victims. Indeed, any company can be infected regardless of its sector of activity, hence the importance of securing its data.
The Meow malware appeared in early July 2020 and spread exponentially. Within five days, more than 3,000 databases were affected worldwide, and the number of victims kept increasing.
The malware targets unsecured databases of companies that had left their own files, and those of their customers, unprotected or only weakly protected. Once the database is infiltrated, the information is erased and replaced by virtual meows, hence the name of the attack, “Meow”.
No threats or ransom demands were made after each attack; the data was simply hacked and destroyed forever. By the end of July 2020, more than 4,000 databases had been hit by the malware and had their data erased beyond recovery.
One of the first victims of these attacks was UFO VPN, a company providing virtual private networks, otherwise known as VPNs. Security researcher Bob Diachenko had already discovered security anomalies in their Elasticsearch database and warned the company to remedy this risky situation.
UFO VPN had assured him that it would take the situation in hand by protecting its data better. That protection proved too light: the second time, it was the Meow malware that exploited these security weaknesses, completely deleting the data.
Even if there is no typical profile for being a victim of a cyberattack, security researchers have noticed that the targets of the “Meow” malware all had one thing in common. Indeed, all the companies attacked had little or no security on their databases.
The attack plan was thus predefined and simple to follow: find unsecured databases by scanning the Internet, select the open ones and hack them. Without any protection in place, no password or security key had to be broken, since the information of the customers, as well as of the companies, was exposed to everyone’s eyes.
Researchers have also been racing against the malware to discover insecure databases first and inform their administrators.
Among all databases, Elasticsearch and MongoDB were the first affected; the attacks then spread to other types of databases such as Cassandra, Redis, Hadoop, or CouchDB.
On July 22, the main victims were Elasticsearch, with 1395 affected bases, MongoDB with 383 affected bases, and Redis with 54 affected bases.
Without any ransomware or specific threats, this cyber-attack can be characterized as a “learning experience”. It proves how easy it is to reach and attack companies that leave their databases unprotected. Indeed, the cybercriminals behind this malware did not need to crack passwords to reach databases open to everyone.
The objective of the Meow malware was to highlight how easy it is to hack unsecured data. The final observation of these attacks was the inability of companies to protect their customers’ data, underlining their lack of attention and vigilance.
Today, it is essential to protect data stored in the cloud with a password or a security key. Moreover, with the health crisis, the number of cyber-attacks has increased tenfold, and their danger has intensified.
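As an added, defender-side example (not code from the original article), the following Python script flags the two settings that left the Meow victims' Redis, MongoDB and Elasticsearch instances open: no authentication and a listener bound to every interface. The config texts are constructed samples, and the checks are line-based rather than a full YAML parse.

```python
import re

# Rules per database: (finding, regex tried against each non-comment line,
# unsafe(match)) where match is the first matching line or None if absent.
RULES = {
    "redis": [
        ("no 'requirepass': any client reaching the port gets full access",
         r"^requirepass\s+\S+", lambda m: m is None),
        ("no 'bind' or a wildcard bind: listens on every interface",
         r"^bind\s+(.+)", lambda m: m is None
         or bool({"0.0.0.0", "*", "::", "-::*"} & set(m.group(1).split()))),
    ],
    "mongodb": [
        ("security.authorization is not 'enabled'",
         r"^authorization:\s*(\w+)", lambda m: m is None or m.group(1) != "enabled"),
        ("bindIp 0.0.0.0 or bindIpAll true: reachable from any network",
         r"^(?:bindIp:\s*(.+)|bindIpAll:\s*true)",
         lambda m: m is not None and (m.group(1) is None or "0.0.0.0" in m.group(1))),
    ],
    "elasticsearch": [
        ("xpack.security.enabled is not true (7.x shipped with it off)",
         r"^xpack\.security\.enabled:\s*(\w+)", lambda m: m is None or m.group(1) != "true"),
        ("network.host exposes the node beyond the loopback interface",
         r"^network\.host:\s*(\S+)",
         lambda m: m is not None and m.group(1) not in ("127.0.0.1", "localhost", "_local_")),
    ],
}

def audit(kind: str, conf: str) -> list[str]:
    """Return findings for one config text; an empty list means nothing was flagged."""
    # Drop blank and comment lines so a commented-out 'requirepass' does not count.
    lines = [l for l in (x.strip() for x in conf.splitlines()) if l and not l.startswith("#")]
    findings = []
    for finding, pattern, unsafe in RULES[kind]:
        match = next((m for l in lines if (m := re.match(pattern, l))), None)
        if unsafe(match):
            findings.append(f"{kind}: {finding}")
    return findings

# Constructed samples, not real files: the exposed shape Meow found, and a hardened one.
EXPOSED_REDIS = "port 6379\nprotected-mode no\n"
HARDENED_REDIS = "bind 127.0.0.1 -::1\nrequirepass REPLACE-WITH-LONG-RANDOM-SECRET\n"
EXPOSED_MONGO = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_MONGO = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for kind, conf in [("redis", EXPOSED_REDIS), ("redis", HARDENED_REDIS),
                       ("mongodb", EXPOSED_MONGO), ("mongodb", HARDENED_MONGO)]:
        print(kind, audit(kind, conf) or "no findings")
```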