Recent research by Huntress has uncovered a concerning trend where threat actors are not only exploiting security vulnerabilities to breach networks but are also leveraging legitimate cloud infrastructure—specifically Elastic Cloud (Elasticsearch)—to manage and store stolen data.
Understanding the Threat: Legitimate Tools, Illicit Intent
Cybercriminals are constantly evolving their tactics to evade detection. By "living off the land," they use tools that are already present in the environment or, in this case, trusted third-party services to blend in with normal traffic.
In this campaign, attackers exploit security flaws in internet-facing systems to gain initial access. Once inside, they steal sensitive data such as session cookies, credentials, and configuration files. Rather than setting up an obvious command-and-control (C2) server that might trigger alerts, they exfiltrate this data to free-tier or compromised Elastic Cloud (SIEM) instances. This allows them to query, organize, and manage the stolen data via a web interface, making their traffic look like standard cloud usage.
For defenders, this highlights a critical gap: monitoring for known bad is no longer enough. We must also monitor for anomalous usage of legitimate services.
Technical Analysis
The Attack Vector
- Initial Exploit: Threat actors identify and exploit vulnerabilities in public-facing assets. While the specific vulnerability can vary, these often include unpatched content management systems (CMS) or exposed services.
- Data Theft: Post-exploitation scripts are deployed to scrape the device for valuable data (e.g., browser cookies, RDP connection history, or API keys).
- Exfiltration to the Cloud: The stolen data is transmitted via HTTPS to an Elastic Cloud instance. Because many organizations use Elastic for logging or observability, firewalls and proxies often allow this traffic by default.
- Data Management: The attacker uses the Elastic search interface (Kibana) to parse the stolen data, effectively turning the security tool into a stolen asset management system.
Affected Systems & Severity
- Affected Products: Any internet-facing server or endpoint vulnerable to common web exploits (RCE, SQLi, Path Traversal). The exfiltration method specifically targets Elastic Cloud (hosted Elasticsearch).
- Severity: High. The use of trusted infrastructure for data exfiltration bypasses many traditional egress filtering mechanisms, allowing for prolonged data theft.
Defensive Monitoring
To defend against this, security teams must monitor outbound traffic for suspicious connections to Elastic Cloud infrastructure, particularly from endpoints or servers that do not have a business need to interact with these services.
Detecting Suspicious Connections to Elastic Cloud
The following KQL query for Microsoft Sentinel or Microsoft 365 Defender can help identify potential data exfiltration attempts to Elastic Cloud domains. It looks for a high volume of data sent, or connections initiated by unusual processes (such as PowerShell or curl), to Elastic endpoints.
DeviceNetworkEvents
| where Timestamp > ago(7d)
// Filter for known Elastic Cloud domains (elastic.co, elasticsearch.amazonaws.com, etc.)
| where RemoteUrl has "elastic.co" or RemoteUrl has "elasticsearch.amazonaws.com" or RemoteUrl has "cloud.elastic.co"
// Exclude known legitimate agents or processes if necessary (adjust based on your environment)
| where not(InitiatingProcessFileName in~ ("java.exe", "elastic-agent.exe", "filebeat.exe", "metricbeat.exe"))
// Summarize data sent by device and process; keep the latest event time, because Timestamp is no longer available after summarize
| summarize TotalBytesSent = sum(SentBytes), ConnectionCount = count(), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl
| where TotalBytesSent > 5000000 or ConnectionCount > 100 // Thresholds: 5MB data or 100+ connections
| project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, TotalBytesSent, ConnectionCount, LastSeen
| order by TotalBytesSent desc
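The same filter, summarize and threshold logic, as an added Python example (not Huntress's or the page's own code) run over constructed DeviceNetworkEvents rows, so the thresholds can be tested offline before the KQL is deployed. Hostnames, processes and byte counts in the sample data are made up; the domain list, exclusions and thresholds are the ones from the query above.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains from the KQL query above; matched as whole host suffixes, which approximates
# KQL's term-based `has` without matching look-alikes such as "elastic.co.example.com".
ELASTIC_DOMAINS = ("elastic.co", "elasticsearch.amazonaws.com", "cloud.elastic.co")
# Processes the query excludes as expected Elastic clients (tune per environment).
ALLOWED_PROCESSES = {"java.exe", "elastic-agent.exe", "filebeat.exe", "metricbeat.exe"}
BYTES_THRESHOLD = 5_000_000   # 5 MB, as in the query
COUNT_THRESHOLD = 100         # 100+ connections, as in the query
GROUP_KEYS = ("DeviceName", "InitiatingProcessFileName", "InitiatingProcessCommandLine", "RemoteUrl")


def is_elastic_host(remote_url):
    """True if the URL's host is one of ELASTIC_DOMAINS or a subdomain of one."""
    url = remote_url if "://" in remote_url else "//" + remote_url  # RemoteUrl may be a bare host
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ELASTIC_DOMAINS)


def flag_exfil(events):
    """Filter, group and threshold like the query; returns hits sorted by bytes sent, descending."""
    totals = defaultdict(lambda: {"TotalBytesSent": 0, "ConnectionCount": 0})
    for e in events:
        if not is_elastic_host(e["RemoteUrl"]):
            continue
        if e["InitiatingProcessFileName"].lower() in ALLOWED_PROCESSES:  # in~ is case-insensitive
            continue
        row = totals[tuple(e[k] for k in GROUP_KEYS)]
        row["TotalBytesSent"] += e["SentBytes"]
        row["ConnectionCount"] += 1
    hits = [dict(zip(GROUP_KEYS, key), **agg) for key, agg in totals.items()
            if agg["TotalBytesSent"] > BYTES_THRESHOLD or agg["ConnectionCount"] > COUNT_THRESHOLD]
    return sorted(hits, key=lambda r: r["TotalBytesSent"], reverse=True)


def ev(device, proc, cmd, url, sent):
    """Build one constructed DeviceNetworkEvents-style row."""
    return {**dict(zip(GROUP_KEYS, (device, proc, cmd, url))), "SentBytes": sent}


# Constructed sample rows (not real telemetry); deployment hostnames are hypothetical.
SAMPLE_EVENTS = (
    [ev("WEB01", "powershell.exe", "powershell.exe -nop -w hidden -f upload.ps1",
        "https://deploy-xyz.es.cloud.elastic.co:9243/_bulk", 60_000)] * 120        # 7.2 MB over 120 conns
    + [ev("SIEM01", "filebeat.exe", "filebeat.exe -e",
          "https://deploy-abc.es.cloud.elastic.co:9243/_bulk", 100_000)] * 500      # excluded shipper
    + [ev("WS07", "chrome.exe", "chrome.exe", "https://www.elastic.co/guide/", 2_000)] * 3  # docs browsing
    + [ev("WS07", "curl.exe", "curl.exe -X POST --data-binary @export.json",
          "https://deploy-xyz.es.cloud.elastic.co:9243/staging/_doc", 1_500_000)] * 5  # 7.5 MB over 5 conns
)

if __name__ == "__main__":
    for hit in flag_exfil(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["InitiatingProcessFileName"], hit["TotalBytesSent"], hit["ConnectionCount"])
```

The filebeat rows disappear because of the process exclusion and the browser rows stay under both thresholds; only the PowerShell and curl groupings are reported, which is the behaviour the KQL thresholds intend.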
Audit for Suspicious PowerShell Network Activity
Attackers often use PowerShell to upload data. You can use this PowerShell snippet to audit recent network connections made by PowerShell on a specific machine (requires administrative privileges and event log access).
# Check for recent PowerShell network events (requires appropriate logging enabled)
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational -MaxEvents 1000 -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'HostApplication.*powershell.exe' -and $_.Message -match 'Network' } |
Select-Object TimeCreated, Id, LevelDisplayName, Message |
Format-List
Remediation
To protect your organization from attackers using Elastic Cloud as a data hub, implement the following defensive measures:
- Patch and Vulnerability Management:
  - Ensure all public-facing systems are patched immediately. The initial entry point is almost always an unpatched vulnerability. Prioritize external-facing web servers and VPN endpoints.
- Implement Strict Egress Filtering:
  - Move from a "default allow" to a "default deny" policy for outbound internet traffic.
  - Explicitly allow-list the cloud services your organization uses. If you do not use Elastic Cloud, block access to *.elastic.co and *.elasticsearch.amazonaws.com at the firewall or proxy level.
- Monitor Cloud Service Usage (CASB/SWG):
  - Utilize a Cloud Access Security Broker (CASB) or Secure Web Gateway (SWG) to gain visibility into shadow IT. These tools can detect when unauthorized cloud services are being accessed from within your network.
- Audit and Credential Hygiene:
  - Rotate credentials for any accounts that may have been exposed during the breach window.
  - Audit your own Elastic Cloud (or similar SIEM) instances to ensure no unauthorized indices or data pipelines have been created by attackers using compromised credentials.