Protect your Elasticsearch deployments against attacks like “meow bot” — for free

"Security by default" is the concept that technology needs to be safe and secure right out of the box. It's why your smartphone locks when you leave it unattended, and why Elastic products come with free and open security features like TLS encrypted communication, role-based access control (RBAC), and more. It's also why you cannot disable security in an Elastic Cloud deployment. The simple step of just making security a default priority can go a long way.

In this post, we're going to take a look at the recent "meow bot" attacks. We'll look at how they happen and learn some simple steps to prevent them.

Sniffing out unsecured data

The issue of unsecured databases is growing. In 2019, 17 percent of all data breaches were caused by human error — twice as many as just a year before. And the IBM/Ponemon 2019 report found that the estimated probability of a company having repeated data breaches within two years grew by 31 percent between 2014 and 2019.

Why is this happening? Unsecured databases are the targets of a new cybercriminal economy that’s thriving for two key reasons: the growing market for customer data and low-cost tools that make it easier than ever for criminals to gain access. This isn't hacking, but simply mining and grabbing as soon as things pop up in the open.

The latest example is the recent "meow bot" attacks, which have already affected thousands of unsecured MongoDB and Elasticsearch databases. The automated attack script searches for open databases and then overwrites data with the word "meow" and a string of random numbers. The "meow bot" is just one of several inexpensive, large-scale systems that scan the entire Internet each day to find unsecured databases in hours and sometimes minutes. Elastic condemns these attacks and urges everyone to be more rigorous in storing their sensitive data.

Unfortunately, the database owners impacted in this incident mistakenly disabled or did not set up the features that best secure their customer data. This is not an issue of malicious intent, as developers or security personnel within organizations don’t always recognize how seemingly innocuous decisions like leaving a database unsecured during maintenance may have an impact down the line. 

Keeping your Elasticsearch data safe from "meow" attacks

Damaging attacks like these can be avoided with the free security features included in Elastic products. For our cloud users, security is enabled by default in our Elasticsearch Service on Elastic Cloud and cannot be disabled, so Elastic Cloud customers are not vulnerable to the problems that emerged in the "meow bot" attacks. 

Another free way to avoid these incidents is setting up external scanning systems that continuously check for exposed databases. These free tools, which are also used by the attackers, give security teams immediate notification when a developer has mistakenly left sensitive data unlocked. For example, a free scanner is available from Shadowserver.

To learn how to get started securing your Elastic deployments, read our blog on how to prevent an Elasticsearch server breach. You can find more general guidance on securing your deployment in our documentation. We also offer a free on-demand Fundamentals of Securing Elasticsearch course, which covers user authentication, role-based access control (RBAC), node-to-node encryption, IP filtering, HTTPS encryption, and more.
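As an added illustration (constructed for this page, not taken from the post or from Elastic's documentation), here is an elasticsearch.yml excerpt contrasting the exposed configuration that "meow bot" style scanners find with the same node after the free features listed above are switched on; the certificate paths and IP ranges are assumed values to be replaced with your own.

```yaml
# elasticsearch.yml (excerpt) -- constructed example, not from the post.
#
# 1) The node a "meow bot" scanner finds: bound to every interface with the
#    free security features switched off. Anyone who can reach TCP/9200 can
#    read, write and delete every index with no credentials at all.
#
# network.host: 0.0.0.0
# xpack.security.enabled: false
#
# 2) The same node with the free features named in the post enabled.
#    Paths and CIDR ranges below are assumptions; substitute your own.

network.host: 0.0.0.0

# User authentication and role-based access control (RBAC).
# Once enabled, set the built-in user passwords with
# bin/elasticsearch-setup-passwords; unauthenticated requests get HTTP 401.
xpack.security.enabled: true

# Node-to-node (transport) encryption. The keystore password is stored
# with bin/elasticsearch-keystore, not in this file.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# HTTPS for the REST API on port 9200.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# IP filtering (assumed private range): connections from anywhere else are
# dropped before authentication, so an Internet-wide scan never gets as far
# as a login attempt.
xpack.security.transport.filter.allow: "10.0.0.0/8"
xpack.security.transport.filter.deny: "_all"
xpack.security.http.filter.allow: "10.0.0.0/8"
xpack.security.http.filter.deny: "_all"
```

After restarting, a quick self-check is that an unauthenticated request to the REST port over plain HTTP is refused and an authenticated HTTPS request succeeds; if anonymous requests still return cluster data, the node is still exposed.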