More than 1,000 Elasticsearch and MongoDB databases across the world have been recently compromised by the new “Meow” attack that erases all database indexes and replaces them with a single word “meow.”
Unlike 2017 attacks against exposed ES clusters, no ransom is demanded, which leaves the motivation behind the “Meow” malware unclear at this time.
Main targets of “Meow” bot are open ES clusters and instances with unprotected ports accessible over the internet. The malware can send write requests to these unprotected databases via popular HTTP tools like cURL and thereby erase data. The malware can find new targets using open-source security tools like Shodan that help identify open databases and any device connected to the Internet.
Fortunately, the security of Elasticsearch clusters is a top priority at Qbox, so our customers have not been affected by this incident.
We need, however, to raise awareness about possible security implications of such attacks and the ways to prevent them proactively.
How Should You Protect Your Self-Hosted Elasticsearch Clusters?
“Meow” attacks might be still in progress, so it’s in your best interests to protect your self-hosted Elasticsearch clusters right now.
At Qbox, we promote the time-proven security practices for running Elasticsearch both in test and production environments. Our security engineers recommend the following actions to take if you run a self-hosted Elasticsearch cluster:
- Add authentication to prevent unauthorized access. Elasticsearch clusters do not require authentication by default, so it’s your responsibility to enable a strong authentication mechanism. This can be a simple HTTP-based authentication or integration with your existing authentication environments (LDAP, Kerberos, etc.).
- Set up your firewall. Make sure that your ES cluster cannot be accessed from the internet or internal network (e.g., WiFi network) if you don’t want to allow such access. This is especially important for applications in the development phase.
- Back up your data. Having an active backup schedule can help you recover from the loss of ES data like the ones that happened in the “Meow” attack case. If you were running a self-hosted ES cluster on AWS/GCE and that cluster fell prey to the “Meow” attack, your data would have been gone forever.
If you want to find more information about protecting your self-hosted ES clusters here are several articles we published earlier:
- How to Maintain Security of Elasticsearch, Kibana, and Logstash
- Getting to Know Elasticsearch: Securing your Environment
- To 8 Reasons you Should Upgrade to Hosted Elasticsearch
Security of Qbox-hosted Elasticsearch Clusters
Let us reiterate that users running Qbox-hosted Elasticsearch clusters are fully protected against “Meow” attacks. All Qbox-hosted Elasticsearch clusters are set up with basic auth (username/password) upon provisioning. This means that even if your cluster was identified by the “Meow” bot scanning the internet for Elasticsearch clusters, data stored in them cannot be accessed or modified without the knowledge of your security credentials.
Also, all communication between clients and ES servers is protected by TLS/SSL encryption, and we also enable whitelisting for both HTTP and transport traffic so you can limit access to your clusters only to authorized IPs.
Last, but not least, all Qbox ES clusters have a daily snapshotting schedule so you can have instant access to the latest backups of your data.
Give It a Whirl!
To get a built-in security for your Elasticsearch clusters, consider using Qbox hosted Elasticsearch service. It’s stable and more affordable — and we offer top-notch free 24/7 support. Sign up or launch your cluster here, or click “Get Started” in the header navigation. If you need help setting up, refer to “Provisioning a Qbox Elasticsearch Cluster.”