Corporate Data Theft: Cloud File-Sharing Sites Under Attack

Summary
– A threat actor named Zestix is selling corporate data stolen from dozens of companies, likely by breaching their ShareFile, Nextcloud, and OwnCloud file-sharing platforms.
– Initial access was likely obtained using employee credentials stolen by info-stealer malware like RedLine, Lumma, and Vidar, often when multi-factor authentication (MFA) was not enabled.
– The stolen data, ranging from gigabytes to terabytes, includes sensitive information from aviation, defense, healthcare, and government sectors, posing security and espionage risks.
– Hudson Rock’s analysis indicates this is a systemic problem, with thousands of infected corporate computers identified, due to failures in credential rotation and security practices.
– The cybersecurity firm has notified the affected file-sharing platform providers about the verified exposures so they can take action.

A significant threat to corporate data security has emerged, with a cybercriminal group actively selling sensitive information stolen from dozens of organizations. The breach appears to stem from compromised employee credentials used to access popular cloud file-sharing platforms like ShareFile, Nextcloud, and OwnCloud. This incident underscores a critical vulnerability in many corporate security postures: the failure to implement and enforce multi-factor authentication (MFA) on critical business services.
The threat actor, identified as Zestix, operates as an initial access broker on underground forums. Their method of entry is alarmingly straightforward. Initial access is believed to have been obtained using employee usernames and passwords stolen by common information-stealing malware, such as RedLine, Lumma, and Vidar. This malware often infects devices through malvertising or phishing attacks, harvesting data from web browsers, messaging apps, and other software. With these valid credentials in hand, Zestix simply logs into corporate file-sharing instances where MFA is not enabled.
Cybercrime intelligence firm Hudson Rock, which investigated the activity, notes a troubling pattern. Some of the stolen credentials used in these breaches have been available in criminal databases for years. This indicates that the victim organizations failed to rotate these passwords or invalidate active sessions over extended periods, leaving persistent vulnerabilities. The targeted sectors are extensive and high-stakes, including aviation, defense, healthcare, utilities, telecommunications, and government agencies.
After gaining access, Zestix exfiltrates massive volumes of data, which they then advertise for sale. The offerings are staggering in both size and sensitivity, ranging from tens of gigabytes to several terabytes. Advertised data includes aircraft maintenance manuals, defense engineering files, customer databases, health records, utility infrastructure maps, ISP network configurations, and government contracts. Exposure of such information poses severe risks, from corporate espionage and privacy violations to potential national security concerns.
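The chain described above (stolen credentials, a login that completes without MFA, a password that was never rotated, then bulk download) maps onto a few detections a defender can run over file-sharing audit logs. The Python sketch below is an added illustration, not code from the article, Hudson Rock, or any of the named platforms; the log line shape, the account inventory, the thresholds and the sample events are all constructed assumptions, chosen to show how the signals combine into a prioritised list.

```python
"""Detection sketch for the infostealer-credential -> file-share exfiltration chain.
Everything here is constructed: the audit-log shape is assumed, not any vendor's format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit events, one JSON object per line (assumed shape).
SAMPLE_LOG = """\
{"ts":"2024-06-01T08:00:00Z","event":"login","user":"alice","ip":"203.0.113.10","mfa":true}
{"ts":"2024-06-01T08:05:00Z","event":"download","user":"alice","ip":"203.0.113.10","bytes":5242880}
{"ts":"2024-06-02T02:11:00Z","event":"login","user":"bob","ip":"198.51.100.7","mfa":false}
{"ts":"2024-06-02T02:12:00Z","event":"download","user":"bob","ip":"198.51.100.7","bytes":4294967296}
{"ts":"2024-06-02T02:40:00Z","event":"download","user":"bob","ip":"198.51.100.7","bytes":8589934592}
{"ts":"2024-06-02T09:00:00Z","event":"login","user":"carol","ip":"203.0.113.22","mfa":false}
{"ts":"2024-06-02T09:03:00Z","event":"download","user":"carol","ip":"203.0.113.22","bytes":1048576}
"""

# Constructed account inventory: IPs seen in prior history and last password change.
# In practice this comes from the identity provider / platform admin API.
ACCOUNTS = {
    "alice": {"known_ips": {"203.0.113.10"}, "pw_changed": "2024-04-15T00:00:00Z"},
    "bob":   {"known_ips": {"203.0.113.15"}, "pw_changed": "2021-01-10T00:00:00Z"},
    "carol": {"known_ips": {"203.0.113.22"}, "pw_changed": "2024-05-20T00:00:00Z"},
}

NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)      # evaluation time for the sample
MAX_PASSWORD_AGE = timedelta(days=365)                # assumed rotation policy
DOWNLOAD_THRESHOLD_BYTES = 1 << 30                    # assumed: 1 GiB per user per day


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse one JSON event per line, converting timestamps; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = _parse_ts(ev["ts"])
            events.append(ev)
    return events


def stale_passwords(accounts, now, max_age=MAX_PASSWORD_AGE):
    """Accounts whose password is older than the rotation window (the 'never rotated' failure)."""
    return {u for u, info in accounts.items() if now - _parse_ts(info["pw_changed"]) > max_age}


def no_mfa_logins(events, accounts):
    """Logins that completed without MFA, noting whether the source IP is new for that user."""
    hits = []
    for ev in events:
        if ev.get("event") == "login" and not ev.get("mfa", False):
            known = accounts.get(ev["user"], {}).get("known_ips", set())
            hits.append({"user": ev["user"], "ip": ev["ip"], "new_ip": ev["ip"] not in known})
    return hits


def bulk_downloads(events, threshold=DOWNLOAD_THRESHOLD_BYTES):
    """Per-user, per-day download totals above the threshold (mass exfiltration signal)."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("event") == "download":
            totals[(ev["user"], ev["ts"].date())] += ev["bytes"]
    return {f"{u}@{d.isoformat()}": b for (u, d), b in totals.items() if b > threshold}


def analyze(log_text, accounts, now):
    """Combine the three signals; an account hitting all of them goes to the top of the queue."""
    events = parse_events(log_text)
    stale = stale_passwords(accounts, now)
    weak_logins = no_mfa_logins(events, accounts)
    bulk = bulk_downloads(events)
    bulk_users = {k.split("@")[0] for k in bulk}
    priority = sorted(h["user"] for h in weak_logins
                      if h["new_ip"] and h["user"] in stale and h["user"] in bulk_users)
    return {"stale_passwords": sorted(stale), "no_mfa_logins": weak_logins,
            "bulk_downloads": bulk, "priority_accounts": priority}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG, ACCOUNTS, NOW), indent=2))
```

On the sample data, `bob` is the only account that logs in without MFA from an IP never seen before, has a password last changed years ago, and then pulls more than a gigabyte in a day, so he is the one account in `priority_accounts`; `carol` logged in without MFA but from her usual address and downloaded little, and stays a lower-priority hygiene finding. The thresholds and the 365-day rotation window are placeholders to be replaced by the organisation's own policy.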
Hudson Rock’s analysis suggests this is not an isolated problem but a systemic one. The researchers correlated stolen credential data with public information to identify likely breach points. They confirmed that in at least 15 cases, employee credentials for these cloud services were definitively collected by infostealers. Furthermore, their threat intelligence points to a much wider issue, having identified thousands of infected corporate computers at major firms, including some at Deloitte, KPMG, Samsung, Honeywell, and Walmart.
Because the verification was carried out by Hudson Rock alone, public confirmation from the listed companies is absent, but the evidence is compelling. Hudson Rock has taken steps to notify the affected cloud platform providers, ShareFile, Nextcloud, and OwnCloud, about the verified exposures so they can assist their customers. This incident serves as a powerful reminder that robust credential hygiene and mandatory MFA are non-negotiable defenses for any organization using cloud-based collaboration tools to protect sensitive corporate data.
(Source: Bleeping Computer)
