At a glance.
- Meowing as a potential privacy threat.
- Student athlete database open for inspection?
- Third-party privacy risk to universities.
"Meowing" as a potential threat to privacy.
An ongoing wave of destructive incidents, “Meow attacks,” appears to use an automated tool to find and wipe exposed Elasticsearch and MongoDB instances. According to BleepingComputer, there are no ransom notes, no threats, no crowing, and no explanation for the attacks. One possible explanation is that the attacks represent tough love from vigilantes pushing admins to secure their databases, but that’s speculation: “meowing” could represent anything from misdirection, to preparation for a protection racket, to an appetite for destruction, to the lulz.
As Chris Clements, VP of Solutions Architecture at Cerberus Sentinel told us in emailed comments, such freelance Death-Wish-esque vigilantism is by no means as common as it may have been at one time. "It’s possible that the perpetrator is attempting to stop data disclosure from these unsecured databases," he wrote, adding:
"However, doing so in such a broad and indiscriminate fashion deprives potential victims from knowing if their information has been compromised so that they can take actions to prevent identity theft or be on the lookout for targeted spear phishing campaigns created using the compromised data. Organizations should understand the security implications of the technologies they deploy. Elasticsearch and MongoDB can be powerful analytic tools, however, [they] are known to have very insecure default settings. Exposing these applications to the internet without understanding the potential risk is the cybercrime equivalent of having your cash register stolen because you left it out on the street."
Javvad Malik, Security Awareness Advocate at KnowBe4, also acknowledged that meowing could be the work of a "greyhat" who'd had enough and wasn't taking any more: "The lack of ransom or demands, or any form of notice given by 'meow' suggests this could be the work of a greyhat who has had enough of unsecured databases and taken drastic measures themselves."
So far as is known, meowing has not yet involved the theft of personal information or any other data: the attacks seem purely destructive. The privacy issue arises from the common problem of misconfigured databases and the threat of ill-intentioned parties using automated tools to find them. From wiper to data thief can be a small step. Malik went on to say:
"While this behaviour" (that is, greyhat vigilantism) "cannot be condoned, it is imperative that organisations create a culture of security so that they are less likely to leave such databases publicly exposed - and if they are, they can fix it in a timely manner once informed. Unsecured public-facing web databases have been an ongoing issue for organisations over the last few years. Despite efforts by cloud providers to help secure databases, organisations repeatedly leave them exposed publicly, either by accident or through staff lacking the required knowledge."
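The "insecure default settings" Clements describes come down to two things an administrator can check in a configuration file: which interfaces the service listens on, and whether authentication is turned on. The script below is an added example, not code from the original article or from either vendor; it reads mongod.conf and elasticsearch.yml text (the constructed samples are embedded inline), flattens the small YAML subset those files use into dotted keys, and flags the combination that Meow-style tooling looks for: a non-loopback bind address with authorization disabled. The configuration keys (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `network.host`, `xpack.security.enabled`) are real; the treatment of an unset key as the weak default is a deliberately conservative assumption, and the mini-parser is a constructed helper that does not handle lists or quoted colons.

```python
"""Audit mongod.conf / elasticsearch.yml for the exposed-and-unauthenticated
pattern behind the 'Meow' wipes. Added example; constructed sample configs."""

# Values that mean "loopback only" in MongoDB bindIp / Elasticsearch network.host.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def flatten_yaml(text: str) -> dict:
    """Flatten nested YAML maps of scalars into {'a.b.c': 'value'}.

    Constructed helper covering only what these two config files use:
    indentation-nested maps, scalar values, '#' comments. Not a full parser.
    """
    result, stack = {}, []  # stack holds (indent, key) for the current path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments (assumes no '#' in values)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")  # split at the FIRST colon only
        key, value = key.strip(), value.strip().strip("\"'")
        while stack and stack[-1][0] >= indent:     # climb back out of deeper maps
            stack.pop()
        stack.append((indent, key))
        if value:                                    # leaf: record the dotted path
            result[".".join(k for _, k in stack)] = value
    return result


def is_loopback_only(value: str) -> bool:
    """True if every comma-separated address is a loopback spelling."""
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    return bool(hosts) and all(h in LOOPBACK for h in hosts)


def audit_mongod(conf: dict) -> list:
    """Return findings for a flattened mongod.conf."""
    findings = []
    bind = conf.get("net.bindIp", "127.0.0.1")   # assumption: unset means localhost
    if conf.get("net.bindIpAll", "").lower() == "true" or not is_loopback_only(bind):
        findings.append(f"mongod listens on non-loopback interface(s): {bind}")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("mongod security.authorization is not 'enabled'")
    return findings


def audit_elasticsearch(conf: dict) -> list:
    """Return findings for a flattened elasticsearch.yml."""
    findings = []
    host = conf.get("network.host", "_local_")   # assumption: unset means loopback
    if not is_loopback_only(host):
        findings.append(f"elasticsearch binds non-loopback network.host: {host}")
    # Conservative assumption: an unset flag is treated as security disabled.
    if conf.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("elasticsearch xpack.security.enabled is not 'true'")
    return findings


def risk_level(findings: list) -> str:
    """CRITICAL = reachable from the network AND no auth (the Meow precondition)."""
    bind_issue = any("non-loopback" in f for f in findings)
    auth_issue = any("authorization" in f or "security.enabled" in f for f in findings)
    if bind_issue and auth_issue:
        return "CRITICAL"
    return "WARN" if (bind_issue or auth_issue) else "OK"


# --- constructed sample configurations (weak setting beside corrected one) ---
WEAK_MONGOD = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface, no security section at all
"""
HARDENED_MONGOD = """
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""
WEAK_ES = """
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
HARDENED_ES = """
network.host: _local_
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, text, audit in [("weak mongod", WEAK_MONGOD, audit_mongod),
                              ("hardened mongod", HARDENED_MONGOD, audit_mongod),
                              ("weak elasticsearch", WEAK_ES, audit_elasticsearch),
                              ("hardened elasticsearch", HARDENED_ES, audit_elasticsearch)]:
        found = audit(flatten_yaml(text))
        print(f"{name}: {risk_level(found)}", *found, sep="\n  ")
```

Run it as a file and it prints CRITICAL for both weak samples and OK for both hardened ones. The useful design point is the verdict logic: a non-loopback bind alone is acceptable behind a firewall, and disabled auth alone is tolerable on a loopback-only dev box, but the two together are exactly what an internet-wide automated wiper needs, so only that combination is rated CRITICAL.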
Unsecured recruiting support database for college athletics.
Cybernews reports that CaptainU, an online platform designed to connect high school athletes with colleges and universities interested in recruiting them, maintained a database of student athletes' information in an exposed AWS S3 bucket. Cybernews says CaptainU intended the database to be publicly accessible, but argues that there may have been at least a failure to fully notify affected users and obtain their explicit permission to handle their data in this open fashion. The database consists largely of PDFs, Word documents, and Excel files. It's said to contain the following information:
- grade point averages
- "unofficial transcripts"
- "ACT, SAT, and PSAT scores"
- "student IDs"
- "student and parent names, addresses, phone numbers, and some email addresses"
- "messages from students to coaches"
- "pictures and videos of athletic achievements"
- "recruitment material, camp schedules, and other coaching-related documents"
Universities and the services that feed them sustain privacy incidents.
Blackbaud, a leading provider of financial and fundraising tools (essentially a customer relationship management cloud system) to not-for-profits, disclosed last week that it had been hit with ransomware, and that it had paid the ransom to recover its systems. The NonProfit Times says that the South Carolina-based company, which enjoys a global practice, declined to say how much it had paid, but that it had been able to confirm that stolen data had been destroyed, and that it believed the impact on its customers to have been limited.
Some of Blackbaud's customers, however, are investigating the Blackbaud incident for its potential effect on their own stakeholders. The York Press reports that the University of York is investigating whether the following information was exposed: "name, title, gender, date of birth and student number; addresses and contact details; course and educational attainment details; professional details, such as the profession people work in; a record of engagement with alumni and fundraising activities; and information about people’s interests they have provided to the university."
GoLocalProv reports that the Rhode Island School of Design is also investigating, and has sent its own disclosure letter that reads in part, "Compromised files may have included constituents’ demographics, their degree information, RISD affiliations, RISD Museum memberships, and other data internal to RISD and the museum’s fundraising and engagement activities, such as event participation, notes from meetings, donor prospect ratings, and philanthropic giving history."
We heard from Paul Edon, senior director, technical services at Tripwire, who commented specifically on the University of York's portion of the incident.
"Universities are appealing targets for cyber criminals and this attack against the University of York is a prime example. Aside from the obvious value of intellectual property, university servers store an incredible amount of personal identifiable data of the students and staff, which criminals can use for all sorts of purposes, from phishing and credential stuffing attacks, to more sophisticated identity theft scams.
"Many universities employ third-parties to help manage and secure their systems. It is imperative that these third-parties are aligned with the university in their security objectives and are regularly audited to ensure they are meeting the service level agreements. Any misalignment or failure to meet agreed service levels can result in serious loop-holes in the overall security of the institution.
"While adopting new solutions can help organizations protect their assets, it is by creating a solid cybersecurity foundation that universities can truly minimise the risk of a breach. A solid cybersecurity foundation requires the use of foundational controls such as anti-virus, security configuration management, change management, vulnerability scanning, access control, two-factor authentication (not an exhaustive list), and the thorough training of students and staff about the threats that can come through their inbox. Phishing campaigns still manage to get around email filtering systems and unfortunately continue to be successful attack vectors for many attackers."
And again, of course, don't forget to configure databases properly.