Threat Actor Uses Elastic Cloud SIEM to Manage Stolen Data from Multiple Organizations
Summary
A threat actor exploited multiple software vulnerabilities to steal data from at least 216 systems across 34 Active Directory domains. The attacker used a free-trial instance of Elastic Cloud's SIEM platform to collect, store, and analyze stolen data, turning a legitimate security tool into a repository for exfiltrated information. The campaign affected organizations across various sectors, including government, education, finance, and manufacturing. The infrastructure was taken down after discovery.
Timeline
- 09.03.2026 17:45 (1 article): Threat Actor Exploits Software Flaws and Uses Elastic Cloud SIEM to Manage Stolen Data
- Threat Actor Exploits Flaws and Uses Elastic Cloud SIEM to Manage Stolen Data — www.infosecurity-magazine.com — 09.03.2026 17:45
Information Snippets
- The threat actor exploited flaws in widely used enterprise software, including SolarWinds Web Help Desk.
First reported: 09.03.2026 17:45 (1 source, 1 article)
- Threat Actor Exploits Flaws and Uses Elastic Cloud SIEM to Manage Stolen Data — www.infosecurity-magazine.com — 09.03.2026 17:45
- The attacker used an encoded PowerShell command to gather detailed host information, including OS details, hardware specifications, Active Directory data, and installed patch information.
- The stolen data was transmitted to an Elasticsearch index named 'systeminfo' within an attacker-controlled Elastic Cloud instance.
- The Elastic Cloud deployment was created on January 28, 2026, and remained active for several days.
- The trial account was registered using a disposable email address linked to the domain quieresmail.com, which is associated with the Russian-registered temporary email network firstmail.ltd.
- Administrative logins to the SIEM instance were traced to IP addresses originating from a SAFING VPN privacy network tunnel.
- The campaign affected at least 216 hosts across 34 Active Directory domains, primarily running Windows Server 2019 or 2022.
- Victims included government organizations, universities, financial services companies, manufacturing firms, IT service providers, and retailers.
- The infrastructure used in the campaign has been taken offline after coordination with Elastic and law enforcement.