
ownCloud Urges MFA Activation Following Credential Theft

Summary

– ownCloud is urging its users to enable multi-factor authentication (MFA) to protect against data theft from attacks using stolen credentials.
– The company clarified its platform was not hacked; attackers used credentials stolen by infostealer malware from employee devices.
– The warning follows a Hudson Rock report detailing breaches of self-hosted file-sharing platforms, including ownCloud instances.
– ownCloud also recommends resetting passwords, invalidating active sessions, and reviewing access logs for suspicious activity.
– The stolen credentials were linked to infected computers at major organizations, and a threat actor is selling data stolen from these platforms.

The file-sharing service ownCloud is urging its global user base to immediately activate multi-factor authentication (MFA) following a series of credential theft incidents. This critical security measure is designed to block unauthorized access even when login credentials are stolen, protecting sensitive data for the platform’s more than 200 million users, which include major entities like CERN, the European Commission, and the ZF Group.

A recent security advisory from ownCloud references findings by cybersecurity firm Hudson Rock, which detailed breaches affecting self-hosted file-sharing platforms, including some ownCloud Community Edition instances. The company was quick to clarify the nature of the attack. ownCloud emphasized that its platform itself was not hacked and no zero-day vulnerabilities were exploited. Instead, the compromise followed a different path: threat actors first harvested user credentials using information-stealing malware like RedLine or Vidar installed on employee devices. These stolen usernames and passwords were then used to successfully log into accounts where MFA was not enabled.

In response, the company’s guidance is unequivocal. Users should enable MFA on their instances without delay to add an essential layer of defense. This step ensures that even if passwords are stolen, an additional verification factor is required for access. Beyond MFA, ownCloud recommends a series of complementary actions to lock down accounts. These include resetting all user passwords, invalidating existing sessions to force fresh logins, and conducting a thorough review of access logs to identify any suspicious activity.

This security warning arrives amidst broader concerns over corporate data theft. A threat actor known as Zestix has been advertising stolen data from numerous companies, believed to be sourced from breaches of platforms including ShareFile, Nextcloud, and ownCloud. Hudson Rock’s analysis suggests the initial access for these attacks likely came from credentials siphoned by infostealer malware, which had infected thousands of computers across corporate networks. The firm identified compromised devices within high-profile organizations such as Deloitte, KPMG, Samsung, and the U.S. Centers for Disease Control and Prevention, highlighting the widespread nature of the credential theft problem.

(Source: Bleeping Computer)
