An unsecured server belonging to a data analytics company exposed an estimated 30TB of business records online, resulting in the firm being held to ransom.

Polecat is a UK-based agency that offers “a combination of advanced data analytics and human expertise, [to help] the world’s largest organisations achieve reputation, risk, and ESG (environmental, social, and governance) management success”.

On October 29, 2020, the Wizcase CyberResearch Team, led by Ata Hakcil, discovered that an Elasticsearch server owned by Polecat was exposing roughly 30TB of data on the web without any authentication required to access records, or any form of encryption in place.

Wizcase found records dating back to 2007, including employee usernames and hashed passwords, over 6.5 billion tweets, social media records, and over one billion posts gathered from different blogs and websites.

Meow attack

The public information gathered by Polecat is harvested on a daily basis and tends to relate to subjects such as Covid-19, firearms, politicians, racism, and healthcare.

Polecat was notified of the data exposure by Wizcase on October 30 and November 1. However, it can take mere moments for an open server or bucket to be detected and abused by threat actors – and this happened a day after the researcher’s discovery.

On October 30, a Meow attack was launched against the database. Meow attacks replace database indexes with the suffix ‘gg-meow’, leading to the destruction of swathes of data.

Wizcase says that approximately half of the firm’s records were wiped, and then in a second wave a further few terabytes of information were deleted.

At this point, roughly 4TB remained in the server. Most of these records were then destroyed and a ransom note was spotted by the researchers that demanded 0.04 Bitcoin (BTC) – roughly $550 at the time – in return for the files’ recovery.