A database containing the personal data of over 3.1 million patients was exposed on the internet and was eventually wiped out by the Meow bot.
A security researcher named Volodymyr ‘Bob’ Diachenko found the exposed database on July 13, 2020. No password was required to access the database, which contained data including patients’ names, telephone numbers, email addresses, and treatment places. Diachenko tried to determine the owner of the database and learned that Adit, a medical software company, created it. Adit provides online booking and patient management software for medical and dental practices. Diachenko sent a message to Adit to advise the company about the exposed database, but there was no response. After a few days, Diachenko learned that the Meow bot had attacked the data.
The Meow bot came out in late July, scanning the web for exposed databases. Security researchers like Diachenko scan for exposed information and then contact the owners to inform them of the unsecured data; the Meow bot instead searches and destroys. Upon finding an exposed database, the Meow bot overwrites the information with random numbers and appends the word “meow.”
It is not known who or which group is behind the Meow bot, nor what the intent behind the hundreds of attacks is. Many threat actors look for exposed databases in the cloud to steal or encrypt the data and then demand a ransom payment from the database owners. With the Meow bot attacks, however, there seems to be no financial motive.
It isn’t completely certain whether information is stolen before being overwritten. However, a number of security researchers have said that data theft is not the goal. Rather, the intent is to stop cybercriminals from obtaining the information of data subjects and/or to send a message to data holders that their inability to protect the data will lead to its destruction.
Deleting the database keeps the information from falling into the hands of cybercriminals. However, a prior study performed by Comparitech revealed that malicious actors are continually hunting for exposed information and usually find exposed Amazon S3 buckets and Elasticsearch databases within hours of being exposed. Considering that the database was compromised for about 10 days prior to the search and destroy by the Meow bot, it is possible that multiple parties found and obtained the data before its deletion.
In this incident, the personal information exposed was limited; however, cybercriminals could still use that data for phishing campaigns.