A sweeping cybercrime campaign has compromised cloud file storage systems at over 50 major organizations worldwide, exposing terabytes of sensitive data due to stolen credentials harvested by infostealer malware.
According to a new report by Hudson Rock, a threat actor operating under the aliases “Zestix” and “Sentap” has been auctioning access to corporate ShareFile, Nextcloud, and OwnCloud portals on underground forums.
The investigation, conducted exclusively for Infostealers.com, traces the campaign's origins to logs generated by common infostealer malware families like RedLine, Lumma, and Vidar. These malware strains infect user endpoints, often personal or improperly secured work devices, stealing saved credentials and browser session data. In many of the analyzed cases, these credentials remained valid for months or even years, with no password rotation or session invalidation in place. The core failure across victim organizations was not a technical vulnerability in the platforms themselves, but the lack of multi-factor authentication (MFA).
The attackers gained access simply by logging into corporate file portals using valid credentials found in infostealer logs, often dating back several years. Zestix has become a prominent Initial Access Broker (IAB) in Russian-speaking dark web forums, selling access to compromised cloud instances, sometimes for tens of thousands of dollars in cryptocurrency.
Hudson Rock
Zestix's operation targeted enterprise-grade file synchronization and sharing (EFSS) platforms, specifically Citrix ShareFile, Nextcloud, and OwnCloud. These platforms, while offering strong security features, rely heavily on organizations enforcing best practices. Without MFA or credential hygiene, they become low-hanging fruit.
Victims span multiple industries and continents, including:
- Pickett & Associates (US engineering firm): 139 GB of classified LiDAR files and blueprints used in utility infrastructure, including for Duke Energy and Tampa Electric.
- Intecro Robotics (Turkey): 11.5 GB of sensitive STEP files related to defense projects, including ITAR-controlled documents for UAV and jet fighter components.
- Maida Health (Brazil): 2.3 TB of health records from the Brazilian Military Police, exposing medical and personal data of law enforcement personnel.
- Iberia Airlines (Spain): 77 GB of flight maintenance data, technical documentation for A320 aircraft, and proprietary airworthiness records.
- CRRC MA (US): Complete server compromise of train manufacturer for LA Metro, including SCADA systems, GPS coordinates of secure facilities, and firmware source data.
Also affected were legal firms, ISPs, software vendors, and healthcare platforms, some handling highly sensitive personal or national security-related information. For instance, GreenBills, a US medical billing firm, lost nearly 40 GB of protected health information (PHI), and K3G Solutions in Brazil leaked internal ISP network configurations, including Huawei and ZTE OLT backups.
Hudson Rock
However, it is essential to note that these findings do not constitute proof of a breach at the named organizations, as those firms have not issued official announcements as of writing.
Hudson Rock's intelligence data reveals that thousands of companies, including top-tier enterprises such as Deloitte, Honeywell, and Walmart, and even US federal agencies, have employees or partners whose cloud access credentials are currently circulating in infostealer logs. While these firms were not directly listed by Zestix, the data suggests they are at imminent risk.
Organizations can defend against these attacks by enforcing MFA on all internal and external access points, auditing for credential reuse, rotating passwords regularly, and monitoring employee endpoints.
Leave a Reply