What Is the Meow Bot and How Can Strong Passwords Help Protect Yourself Against It?


In early July, a team of security researchers led by Bob Diachenko discovered a database containing 1.2TB of personal user information. It held everything from emails and plaintext passwords to names, physical addresses, home IPs, and PayPal API links. The database was accessible from anywhere in the world and was not protected by a password. After a short investigation, the experts discovered that it belonged to the developer of seven related VPN applications. It took a lot longer than it should have, but on July 15, the data was finally taken offline.

Less than a week later, Diachenko noticed that it had appeared again. This time, however, someone decided that more drastic measures needed to be taken to make sure the vendor of the offending apps took note. That someone operates the Meow Bot.

Meow Bot hits unsecured databases all over the world

The hackers had located the exposed database and overwritten all its records with random alphanumeric strings. The word "meow" was appended to each and every corrupted record, which was a bit unusual and caught the researchers' attention. When they used a specialized search engine called Shodan, they discovered that the database exposed by the VPN applications was far from the only one affected by the same attack.

Cybersecurity news website Bleeping Computer initially found about 1,800 misconfigured Elasticsearch and MongoDB databases hit by the same hacker, but in a matter of just a few days, this number grew to nearly 4,000. The attacks were launched by an automated script that was hiding behind a ProtonVPN IP.
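What "misconfigured" means in practice for these two products can be checked on your own servers before anyone else finds them. The following is an added example, not code from the article or from either vendor: it reads an `elasticsearch.yml` or `mongod.conf` and reports when the service listens on all interfaces without requiring authentication. The sample configs are constructed, and treating a missing security key as "off" is an assumption made here.

```python
# Added example (not from the article): flag database configs that listen on
# all interfaces without requiring authentication. Sample configs are constructed.
OPEN_BINDS = {"0.0.0.0", "::", "_global_"}

def flatten_yaml(text):
    """Flatten simple indented 'key: value' YAML into dotted keys."""
    flat, stack = {}, []                      # stack: (indent, key) of open parents
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("\"'")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def binds_publicly(value):
    return any(h.strip() in OPEN_BINDS for h in value.strip("[]").split(","))

def audit(kind, text):
    """Return findings for kind 'elasticsearch' or 'mongodb'."""
    cfg = flatten_yaml(text)
    if kind == "elasticsearch":
        public = binds_publicly(cfg.get("network.host", ""))
        # Assumption: a missing key is treated as "security off" (conservative).
        auth = cfg.get("xpack.security.enabled", "false").lower() == "true"
    else:
        public = (cfg.get("net.bindIpAll", "false").lower() == "true"
                  or binds_publicly(cfg.get("net.bindIp", "")))
        auth = cfg.get("security.authorization", "disabled").lower() == "enabled"
    findings = []
    if not auth:
        findings.append("no authentication required")
    if public:
        findings.append("listens on all interfaces")
    if public and not auth:
        findings.append("CRITICAL: reachable from anywhere without a password")
    return findings

ES_WEAK = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
ES_FIXED = "network.host: 127.0.0.1\nxpack.security.enabled: true\n"
MONGO_WEAK = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
MONGO_FIXED = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
```

Calling `audit("mongodb", MONGO_WEAK)` returns all three findings, while both `*_FIXED` configs return an empty list.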

Meow Bot was well and truly on the loose, and it managed to catch everyone's attention. This, by the way, was the hackers' goal.

Meow Bot is all about raising awareness

The hackers don't leave ransom notes demanding a sum of money in exchange for restoring the data, and there's no evidence to suggest that they even download a copy of it before replacing it with gibberish and cat noises.

On the face of it, at least, Meow Bot's creators have no financial or any other incentive for doing this. They appear to be vigilante cybersecurity enthusiasts who just want to show the world how common misconfigured databases really are.

Indeed, far too many organizations put sensitive corporate and personal information in poorly secured Elasticsearch and MongoDB databases, and Bob Diachenko's recent experience with the leaky VPN apps shows that sometimes, informing the vendor and showing them their mistake is not necessarily going to secure the data.

Completely corrupting the database is likely to have a more noticeable effect. But does that mean that Meow Bot's operators deserve a pat on the back?

The people who perform these types of attacks are often referred to as "grey hat hackers." That's because although their primary goal is to improve the state of their target's cybersecurity, their actions are often on the wrong side of the law.

Corrupting terabytes of exposed data is likely to raise some awareness around the problem of poorly configured databases, and, if nothing else, it will prevent cybercriminals from getting their hands on the information. At the same time, however, you can't argue with the fact that tampering with someone else's data is illegal.

It's a big moral dilemma, and opinions are likely to be divided. In the end, the only thing we can hope for is that the net result will be fewer poorly secured databases.

August 10, 2020
