MFA Bypass Leads to Major Infostealer Attack on 50 Firms

Summary
– A threat actor named Zestix stole and auctioned sensitive data from dozens of organizations by exploiting credentials for cloud services like ShareFile, Nextcloud, and OwnCloud.
– The breaches were successful because the targeted organizations had not secured their accounts with multi-factor authentication (MFA), allowing simple password access.
– The stolen credentials were obtained from infostealer malware logs, some of which were several years old, highlighting failures in password rotation and session management.
– Victims included major organizations like Iberia Airlines, a law firm for Mercedes-Benz USA, and a Turkish defense manufacturer, with stolen data ranging from technical files to military IP.
– The actor operates as an initial access broker on Russian cybercrime forums and has been linked to an Iranian national and to the Funksec cybercrime group.
A widespread security failure involving the absence of multi-factor authentication (MFA) has enabled a significant data breach, impacting approximately fifty companies globally. A new cybersecurity report details how a threat actor successfully accessed and stole vast amounts of sensitive corporate and customer data, subsequently putting it up for sale. The attacker exploited stolen credentials for cloud file-sharing platforms, walking straight through the digital front door because MFA was not enforced.
The individual, operating under the aliases “Zestix” and “Sentap,” reportedly searched dark web marketplaces for logs containing login details for services like ShareFile, Nextcloud, and OwnCloud. These credentials were originally harvested by information-stealing malware, or infostealers, such as RedLine, Lumma, and Vidar. With no additional authentication barriers in place, the actor could directly access, download, and auction the data stored in these accounts.
A critical insight from the investigation involves the extended threat latency. Some of the compromised credentials were fresh, taken from recently infected computers. Others, however, had been sitting dormant in infostealer logs for several years. This situation underscores a severe lapse in basic credential management. Passwords were never changed, and active login sessions were never terminated, allowing an old malware infection to escalate into a current, full-scale data disaster.
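The failure mode described above (a password captured years ago that is still valid, plus sessions that outlive any later rotation) is something a defender can triage mechanically once a leaked-credential report arrives. The following is an added illustration, not code from the article or from InfoSecurity Magazine; the account names, dates and session identifiers are constructed for the example, and the data model (`Account`, `Session`, `LeakedCredential`) is an assumption rather than any vendor's API. Given the capture time from an infostealer log and the account's current state, it decides whether the password must be reset, which sessions must be revoked, and whether MFA enforcement is missing.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed data model for the example; not tied to any real service API.

@dataclass
class Session:
    session_id: str
    started_at: datetime

@dataclass
class Account:
    username: str
    service: str
    mfa_enforced: bool
    password_changed_at: datetime
    sessions: list = field(default_factory=list)

@dataclass
class LeakedCredential:
    username: str
    service: str
    captured_at: datetime  # when the infostealer log says the password was taken

def assess_leak(account: Account, leak: LeakedCredential, now: datetime) -> dict:
    """Decide remediation for one leaked credential against the account's current state."""
    actions = []
    # A leak only stops mattering once the password has been changed AFTER the capture.
    rotated = account.password_changed_at > leak.captured_at
    if not rotated:
        actions.append("reset_password")
    if not account.mfa_enforced:
        actions.append("enforce_mfa")
    # Sessions that may have been opened with the leaked password: anything started
    # after the capture and, if the password was later rotated, before the rotation.
    # Rotating a password does not terminate sessions that were already established.
    cutoff = account.password_changed_at if rotated else now
    suspect = [s.session_id for s in account.sessions
               if leak.captured_at <= s.started_at <= cutoff]
    if suspect:
        actions.append("revoke_sessions")
    if not rotated and not account.mfa_enforced:
        severity = "critical"  # password still valid and nothing else stands in the way
    elif actions:
        severity = "high"
    else:
        severity = "info"
    return {
        "severity": severity,
        "actions": actions,
        "revoke_sessions": suspect,
        "leak_age_days": (now - leak.captured_at).days,
    }

# Constructed sample: a capture date from a log that is a few years old at triage time.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
LEAK_CAPTURED = datetime(2022, 2, 15, tzinfo=timezone.utc)

def sample_accounts():
    # Constructed accounts: one never rotated since the leak and without MFA, one
    # rotated but with a session that survived the rotation, one fully remediated.
    stale = Account("ops@example.com", "sharefile", False,
                    datetime(2021, 1, 10, tzinfo=timezone.utc),
                    [Session("s-1", datetime(2022, 3, 4, tzinfo=timezone.utc)),
                     Session("s-2", datetime(2025, 5, 20, tzinfo=timezone.utc))])
    rotated = Account("legal@example.com", "nextcloud", True,
                      datetime(2024, 2, 1, tzinfo=timezone.utc),
                      [Session("s-3", datetime(2023, 11, 5, tzinfo=timezone.utc)),
                       Session("s-4", datetime(2024, 6, 1, tzinfo=timezone.utc))])
    clean = Account("hr@example.com", "owncloud", True,
                    datetime(2024, 2, 1, tzinfo=timezone.utc),
                    [Session("s-5", datetime(2024, 6, 1, tzinfo=timezone.utc))])
    return stale, rotated, clean

def triage(now: datetime = NOW) -> dict:
    """Run the assessment over the sample accounts, keyed by username."""
    results = {}
    for acct in sample_accounts():
        leak = LeakedCredential(acct.username, acct.service, LEAK_CAPTURED)
        results[acct.username] = assess_leak(acct, leak, now)
    return results

if __name__ == "__main__":
    for user, verdict in triage().items():
        print(user, verdict)
```

The point of the `cutoff` logic is the one the article makes: a password reset alone closes the door for new logins but leaves any session the attacker already holds untouched, so the rotated account still gets a `revoke_sessions` action for the session opened while the old password was valid.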
The financially motivated actor appears active on private Russian cybercrime forums, presenting as an initial access broker who sells network entry points to other criminals. Intelligence also links the Sentap identity to an Iranian national and an association with the Funksec cybercrime group.
The list of affected organizations is substantial and spans multiple industries and countries. Iberia Airlines reportedly lost 77 gigabytes of technical safety documentation and fleet data. The law firm Burris & Macomber, which provides counsel for Mercedes-Benz USA, had over 18 gigabytes of sensitive client information, corporate secrets, and litigation strategy files exposed.
In Brazil, Maida Health suffered the theft of more than two terabytes of health records related to the Brazilian Military Police. A Turkish defense manufacturer, Intecro Robotics, had over 11 gigabytes of military intellectual property compromised. These incidents collectively illustrate that catastrophic breaches do not always require advanced technical exploits.
Security experts warn that this pattern signals a troubling trend for enterprise defense. As one analyst noted, the ability for someone to exfiltrate 77 gigabytes of critical flight maintenance data using a password that is three years old represents a profound failure of fundamental security hygiene, not a sophisticated hack. It is a stark reminder that neglecting core protections like MFA and regular credential rotation can render any organization vulnerable, regardless of its size or sector.
(Source: InfoSecurity Magazine)