
Hackers Exploit Flaws, Use Elastic Cloud to Manage Stolen Data

Summary

– A threat actor used a free trial of Elastic Cloud’s SIEM platform as a repository to collect and analyze stolen data from compromised systems, turning a security tool into an attack tool.
– Attackers exploited vulnerabilities in enterprise software like SolarWinds Web Help Desk to gather detailed host information via a PowerShell script and exfiltrate it directly to the cloud.
– The attacker’s trial account was registered with a disposable email and used a privacy VPN, with infrastructure patterns suggesting possible links to a Russian-registered temporary email network.
– The campaign compromised at least 216 hosts across 34 organizations in sectors including government, education, finance, and manufacturing.
– Researchers coordinated with Elastic and law enforcement to notify victims and take down the malicious cloud instance, which has since been deactivated.

Cybersecurity experts have uncovered a sophisticated operation where malicious actors are exploiting known software vulnerabilities to steal sensitive system data, then using a legitimate cloud security platform to manage the stolen information. This campaign highlights a clever subversion of defensive tools, moving away from traditional infrastructure to blend malicious activity with normal network traffic.

Investigators at Huntress discovered that the threat actor utilized a free-trial account for Elastic Cloud’s SIEM platform to collect and analyze data stolen from compromised systems. Rather than establishing conventional command-and-control servers, the attacker funneled the exfiltrated data directly into their controlled Elastic instance. This effectively repurposed a security monitoring tool into a central hub for stolen data, exploiting flaws in software like SolarWinds Web Help Desk to gain initial access.

The attack involved deploying a specially crafted PowerShell script on infected machines. This script gathered comprehensive host details, including the operating system, hardware specifications, Active Directory information, and patch levels. All of this data was then transmitted to an Elasticsearch index named “systeminfo.” This approach allowed the attacker to use the SIEM’s native analytics to sort through victims and identify high-value targets for further exploitation.
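As an added defender-side example (not code from Huntress, Elastic or the InfoSecurity Magazine report), the routine below scans constructed proxy-style log lines for the pattern described above: an interactive scripting host writing documents to an Elastic Cloud deployment, with a note when the index name matches the reported “systeminfo.” The log format, the hostnames and the `.elastic-cloud.com` destination suffix are assumptions to adapt to your own telemetry.

```python
import re
from typing import List, NamedTuple

# Constructed sample log lines (not real telemetry); every host and destination is hypothetical.
SAMPLE_LOGS = [
    "2026-01-29T10:02:11Z host=SRV-HD01 proc=powershell.exe dst=d1.es.us-east-1.aws.elastic-cloud.com method=POST path=/systeminfo/_doc",
    "2026-01-29T10:05:40Z host=SRV-HD01 proc=chrome.exe dst=www.example.com method=GET path=/",
    "2026-01-29T10:07:02Z host=WS-FIN22 proc=powershell.exe dst=updates.example.com method=GET path=/kb/5001.msu",
    "2026-01-29T10:09:55Z host=SRV-SP03 proc=pwsh.exe dst=d1.es.us-east-1.aws.elastic-cloud.com method=PUT path=/systeminfo/_doc/SRV-SP03",
    "2026-01-29T10:12:13Z host=SRV-LOG1 proc=filebeat.exe dst=d1.es.us-east-1.aws.elastic-cloud.com method=POST path=/_bulk",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)$"
)
# Elasticsearch single-document writes look like /<index>/_doc or /<index>/_doc/<id>.
INDEX_RE = re.compile(r"^/(?P<index>[^/_][^/]*)/_doc(?:/|$)")

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}   # interactive scripting hosts
WRITE_METHODS = {"POST", "PUT"}                  # methods that create or index documents
ELASTIC_CLOUD_SUFFIX = ".elastic-cloud.com"      # assumption: hosted-deployment DNS suffix
CAMPAIGN_INDEX = "systeminfo"                    # index name reported in the article


class Finding(NamedTuple):
    host: str
    proc: str
    dst: str
    index: str
    matches_campaign: bool


def find_suspect_writes(lines: List[str]) -> List[Finding]:
    """Flag scripting hosts writing documents to an Elastic Cloud endpoint."""
    # Legitimate shippers (e.g. filebeat.exe) use the same endpoint, so the process name, not the destination alone, makes a write suspect.
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                             # unparseable line: skip, never crash
        f = m.groupdict()
        if f["proc"].lower() not in SCRIPT_HOSTS:
            continue
        if f["method"] not in WRITE_METHODS or not f["dst"].lower().endswith(ELASTIC_CLOUD_SUFFIX):
            continue
        im = INDEX_RE.match(f["path"])
        index = im.group("index") if im else ""  # empty when the path is not a document write
        findings.append(Finding(f["host"], f["proc"], f["dst"], index, index == CAMPAIGN_INDEX))
    return findings
```

Run against `SAMPLE_LOGS` it returns two findings (SRV-HD01 and SRV-SP03), both flagged as matching the campaign index, while the log shipper and the non-Elastic PowerShell download are ignored.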

The Elastic Cloud trial was created in late January and remained active for several days. Telemetry data showed the operator actively engaging with the environment through the Kibana interface, executing hundreds of actions to review the incoming victim data. The trial account was registered with a disposable email address from the domain quieresmail.com, which researchers linked to a Russian-registered temporary email service known as firstmail.ltd. This service operates hundreds of similar throwaway domains.

Further clues pointed to the attacker’s operational habits. They appeared to reuse simple, random eight-character identifiers across different parts of their infrastructure, including email registrations and subdomains hosting tools on Cloudflare Workers pages. Administrative access to the SIEM instance was traced back to IP addresses associated with the SAFING VPN privacy network, suggesting an effort to conceal the operator’s true location.

Data extracted from the attacker’s Elastic environment revealed the campaign’s significant reach. It impacted at least 216 hosts across 34 distinct Active Directory domains. The majority of compromised systems were servers, predominantly running Windows Server 2019 or 2022. Victim organizations spanned a wide range of sectors, including government agencies, universities, financial services firms, manufacturing companies, and IT service providers. Some hostnames indicated that vulnerabilities in other platforms, such as Microsoft SharePoint, were also being exploited.

In response to the discovery, researchers worked directly with Elastic and law enforcement agencies. Their collaboration focused on notifying the affected organizations and dismantling the malicious infrastructure. The specific Elastic Cloud instance used in this campaign has been taken offline. Huntress stressed the importance of this coordinated effort, stating that victims had been notified and that the collaborative investigation was crucial to disrupting the threat actor’s operations.

(Source: InfoSecurity Magazine)
