While the motivation behind the “Meow” bot attacks is unknown, the menace is still out there wiping out open source databases left unsecured on the internet, prompting Elastic to offer clear steps that organizations can take to safeguard their data.
The bot came on the scene about two weeks ago, when it was reported to have wiped out more than 1,000 open source databases, mostly Elasticsearch and MongoDB instances. The bot clears out a database, leaving only the word “Meow” behind.
Although Josh Bressers, head of product security at Elastic, did not want to speculate on the nature of the attack, he said it was not the work of a nation state or a hacktivist, nor was it financially motivated.
“Nobody has claimed responsibility,” Bressers said. “Basically they spray across the internet and randomly delete databases.”
In a blog post Bressers laid out some steps security teams can take to secure their data, including:
- Understand your infrastructure. Start by understanding what data you have. Set up external scanning systems that continuously check for exposed databases. These free tools, which are also used by the attackers, give security teams immediate notification when a developer has mistakenly left sensitive data unlocked. For example, Shadowserver has a free scanner available.
- Lock down your data. It’s a basic point, but Bressers says people are busy and may have forgotten to enable the security features in the database, or could have accidentally turned them off. Double-check, and make sure security is enabled.
- Consider strong authentication. So many of these database wipes happen because people put unsecured databases on the public Internet. At the very least, require a username and password for the database. If it’s realistic and financially possible for your organization, there are also any number of MFA options, from text PIN codes to X.509 certificates to tools such as Google Authenticator.
- Remember authorization. This follows authentication. Sure, it makes sense to use MFA, but organizations also need to prioritize who has access to the data. For example, HR should only have access to employee information, and the accounting departments should only have access to budget and tax data.
- Hire a service provider. Not every company has the expertise to set the security configuration and manage the data properly. Find a service provider that can handle data management and has a strong security portfolio.
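The first two steps above (know what you have exposed, and confirm security is actually enabled) can be checked from the outside with a few lines of code. The script below is an added example written for this article, not Elastic’s own tooling or the Shadowserver scanner. It assumes the node listens on plain HTTP on the default port 9200, and the hostnames passed on the command line are hypothetical. An Elasticsearch node with security disabled answers an unauthenticated `GET /` with its cluster name and version (and would likewise answer `DELETE` on its indices, which is what the Meow bot does); with `xpack.security.enabled: true` the same request gets HTTP 401 until the client authenticates. The classifier below separates those two cases.

```python
"""Exposure check for Elasticsearch nodes (added example, not Elastic's code).

Assumption: the node speaks plain HTTP on port 9200. A node that answers
GET / without credentials is open to anyone on the internet, including the
Meow bot; a node with security enabled answers 401 instead.
"""
import json
import sys
import urllib.error
import urllib.request

OPEN = "OPEN"                    # unauthenticated read (and write) access
AUTH_REQUIRED = "AUTH_REQUIRED"  # security enabled, credentials demanded
UNREACHABLE = "UNREACHABLE"      # no answer on the port at all
UNKNOWN = "UNKNOWN"              # something answered, but not an ES root doc


def classify(status, body):
    """Classify a node from the status code and body of an unauthenticated GET /."""
    if status == 401:
        return AUTH_REQUIRED
    if status != 200:
        return UNKNOWN
    try:
        doc = json.loads(body)
    except ValueError:
        return UNKNOWN  # e.g. a proxy or web server sitting on the port
    # The Elasticsearch root response always carries cluster_name and a version block.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return OPEN
    return UNKNOWN


def probe(host, port=9200, timeout=5):
    """Issue an unauthenticated GET / to host:port and classify the answer."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:      # urllib raises on 4xx/5xx
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return UNREACHABLE


# Constructed sample responses, so the classifier can be exercised offline.
SAMPLE_RESPONSES = {
    # What an unsecured 7.x node returns to anyone who asks.
    "open-node": (200, json.dumps({
        "name": "node-1", "cluster_name": "docker-cluster",
        "version": {"number": "7.8.0"}, "tagline": "You Know, for Search",
    })),
    # What the same node returns once xpack.security.enabled is true.
    "secured-node": (401, json.dumps({
        "error": {"type": "security_exception",
                  "reason": "missing authentication credentials for REST request [/]"},
        "status": 401,
    })),
    # Something else listening on 9200 (not Elasticsearch).
    "web-server": (200, "<html><body>It works!</body></html>"),
}


def classify_samples():
    """Run the classifier over the constructed samples; returns {name: verdict}."""
    return {name: classify(status, body) for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # Usage: python es_exposure_check.py host1 host2 ...  (hostnames are yours)
    for host in sys.argv[1:]:
        print(f"{host}: {probe(host)}")
    if len(sys.argv) == 1:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it on a schedule against every address you own, not just the ones you believe host a database; the point of Bressers’ first step is catching the instance a developer stood up and forgot. An `OPEN` verdict means enabling security is overdue, and a `UNKNOWN` answer on 9200 is still worth a look, since it means something on that host is listening on the Elasticsearch port.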
Because Elastic enables security by default for its customers, none of the company’s paid customers’ databases were wiped out in the Meow attacks, Bressers said.