"a threat actor abuses another free trial tl;dr huntress discovered a threat actor was exploiting vulnerabilities (like solarwinds web help desk) and exfiltrating victim data to a free trial instance of elastic cloud siem. the actor used the siem for victim triage, and the inf…"
T1059.001 PowerShell (95%)
"trials of security software, and this time we informed elastic and the relevant parties so the activity could be investigated and the attacker’s activities addressed to give further time for victim outreach and notification, as well as our multi-prong coordination with law en…"
T1190 Exploit Public-Facing Application (44%)
"ip addresses stemmed from a safing_vpn tunnel. this looks to be safing “spn” or “svpn”, an option for a specialized privacy network alternative to traditional vpns and tor. notably, the 51.161.152[.]26 was also observed by unit 42 in a toolshell exploitation case again…"
T1588.006 Vulnerabilities (40%)
"retail, and construction. victims span 37 different time zones across multiple continents. numerous hostnames within the victim dataset pointed to continued exploitation of other high-severity vulnerabilities of late, suggesting the actor continued to perform opportunistic atta…"
Summary
A deep dive into a threat actor who exploited SolarWinds Web Help Desk, abused an Elastic Cloud SIEM free trial for exfiltration and triage, revealing key infrastructure.