

Ethical Hacking News

Cybersecurity Alert: Cloud File-Sharing Sites Under Siege by Corporate Data Theft Attacks


A recent surge in corporate data theft attacks on cloud file-sharing sites has left many organizations vulnerable to sensitive information exposure. Threat actor Zestix has been selling stolen credentials from dozens of companies on underground forums, highlighting the importance of robust security measures to prevent similar breaches.

  • Cloud file-sharing sites have become increasingly vulnerable to corporate data theft attacks.
  • Threat actors are exploiting weaknesses in multi-factor authentication (MFA) protection.
  • Dozens of companies, including Deloitte and KPMG, have been targeted by a threat actor known as Zestix.
  • Initial access was obtained through info-stealing malware deployed on employee devices.
  • MFA protection is often missing or outdated, allowing unauthorized access to services.
  • The problem of cloud exposure stems from organizations' failure to follow good security practices.



    In a disturbing trend, cloud file-sharing sites have become increasingly vulnerable to corporate data theft attacks, with threat actors exploiting weaknesses in multi-factor authentication (MFA) protection to gain unauthorized access to sensitive information. According to cybercrime intelligence company Hudson Rock, dozens of companies have been targeted by a threat actor known as Zestix, which has been offering stolen corporate data for sale on underground forums.

    The investigation into the attacks revealed that initial access was obtained through credentials collected by info-stealing malware such as RedLine, Lumma, and Vidar deployed on employee devices. These types of malware are commonly distributed through malvertising campaigns or ClickFix attacks, targeting data stored by web browsers (credentials, credit cards, personal info), messaging apps, and cryptocurrency wallets.

    A threat actor with valid credentials can gain unauthorized access to a service, such as a file-sharing platform, when MFA protection is missing. The fact that some of the analyzed stolen credentials have been present in criminal databases for years suggests a failure to rotate them or to invalidate active sessions, even after extended periods.

    Zestix, which has advertised multiple breaches, operates as an initial access broker (IAB) on underground forums, selling access to high-value corporate cloud platforms. Hudson Rock identified thousands of infected computers, including some at Deloitte, KPMG, Samsung, Honeywell, and Walmart.

    The researchers report that in addition to the listed victims, their threat intelligence data indicates that cloud exposure is a broader systemic problem stemming from organizations' failure to follow good security practices. They found an additional set of 30 victims sold under the alias "Sentap," but did not validate it in the same way.

    Hudson Rock noted that they have notified ShareFile and will also alert Nextcloud and OwnCloud about the verified exposures so they can take the appropriate action.

    In light of this disturbing trend, cybersecurity experts emphasize the importance of maintaining robust security measures, including regular password rotation, multi-factor authentication, and good security practices, to prevent such breaches.
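
The gaps described above (passwords never rotated after appearing in a stealer log, sessions never invalidated, MFA missing) can be checked per account. The following Python sketch is an added example, not code from the article or from Hudson Rock; the field names, sample accounts, sighting dates and severity labels are constructed assumptions.

```python
from datetime import date
# Constructed sample data (not from the article): an account export and
# stealer-log sightings from a hypothetical threat-intel feed.
ACCOUNTS = {
    "alice": {"mfa": True,  "pw_changed": "2025-12-01", "oldest_session": "2025-12-02"},
    "bob":   {"mfa": False, "pw_changed": "2022-03-14", "oldest_session": "2025-10-30"},
    "carol": {"mfa": True,  "pw_changed": "2023-01-10", "oldest_session": "2024-05-01"},
    "dave":  {"mfa": False, "pw_changed": "2025-12-20", "oldest_session": "2025-12-21"},
}
EXPOSURES = [  # (account, date the credential was first seen in a stealer log)
    ("alice", "2025-06-15"), ("bob", "2023-08-09"), ("bob", "2025-02-01"),
    ("carol", "2024-07-22"), ("dave", "2025-11-30"), ("erin", "2025-01-01"),
]

def triage(accounts, exposures, today):
    """Return {account: (severity, findings, days_exposed)} for exposed accounts."""
    seen = {}
    for user, first_seen in exposures:
        seen.setdefault(user, []).append(date.fromisoformat(first_seen))
    report = {}
    for user, dates in seen.items():
        acct = accounts.get(user)
        if acct is None:  # exposed login with no matching account: manual review
            report[user] = ("unknown", ["not_in_inventory"], (today - min(dates)).days)
            continue
        latest = max(dates)
        findings = []
        # The password is only safe if it changed after the most recent sighting.
        if date.fromisoformat(acct["pw_changed"]) <= latest:
            findings.append("password_not_rotated")
        # A session that already existed at the time of the sighting may have
        # had its cookie captured; it stays valid until revoked.
        if date.fromisoformat(acct["oldest_session"]) <= latest:
            findings.append("session_not_invalidated")
        if not acct["mfa"]:
            findings.append("no_mfa")
        if {"password_not_rotated", "no_mfa"} <= set(findings):
            severity = "critical"  # the stolen password alone grants access
        elif findings == ["no_mfa"]:
            severity = "medium"
        else:
            severity = "high" if findings else "ok"
        report[user] = (severity, findings, (today - min(dates)).days)
    return report

if __name__ == "__main__":
    for user, row in triage(ACCOUNTS, EXPOSURES, date(2026, 1, 5)).items():
        print(user, *row)
```
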



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cybersecurity-Alert-Cloud-File-Sharing-Sites-Under-Siege-by-Corporate-Data-Theft-Attacks-ehn.shtml

  • Published: Mon Jan 5 17:01:21 2026 by llama3.2 3B Q4_K_M












