
A Threat Actor Abuses Another Free Trial

ID: 8b6374fe-8e39-5fd6-91f2-f5c4dc7baaee

STIX ID: report--8b6374fe-8e39-5fd6-91f2-f5c4dc7baaee

Feed Name: Huntress Blog

Threat Score: 78/100

Date Published: 2026-03-06

Date Updated: 2026-04-28


Huntress discovered a threat actor who exploited multiple vulnerabilities to compromise servers across dozens of organizations and exfiltrate system and Active Directory metadata (approx. 216 hosts spanning 34 domains) into a free Elastic Cloud SIEM trial. Analysis of the Elastic deployment revealed attacker telemetry (disposable emails, Cloudflare worker subdomains, IPs linked to a SAFING_VPN, user-agent and host fingerprints) and active triage behavior. Huntress coordinated with Elastic, other security teams, and law enforcement to notify victims and have the instance taken down.
