A cybercriminal known as Zestix is offering to sell sensitive corporate data stolen from dozens of organizations after allegedly breaking into cloud file-sharing platforms such as ShareFile, Nextcloud, and OwnCloud, BleepingComputer reports.

The activity was uncovered by cybercrime intelligence firm Hudson Rock, which believes the initial access was gained using stolen employee login credentials.

According to Hudson Rock, the credentials were likely harvested through info-stealing malware, including RedLine, Lumma, and Vidar. These types of malware are commonly spread through malicious online advertisements or fake update prompts known as ClickFix attacks. Once installed on a device, infostealers quietly collect stored browser data such as usernames, passwords, credit card details, personal information, messaging app data, and cryptocurrency wallet credentials.

Security researchers say that when attackers obtain valid login details and multi-factor authentication is not enabled, it becomes easy to access corporate services without raising alarms. Hudson Rock noted that some of the stolen credentials found in criminal databases had been exposed years ago, suggesting that affected organizations failed to rotate passwords or invalidate old sessions over long periods of time.

Zestix is believed to be operating as an initial access broker, a type of threat actor that specializes in selling access to compromised corporate systems on underground forums. Hudson Rock says the affected organizations span a wide range of sectors, including aviation, defense, healthcare, utilities, mass transit, telecommunications, legal services, real estate, and government.


To identify the likely breach points, Hudson Rock analyzed infostealer logs and searched specifically for corporate cloud service URLs related to ShareFile and Nextcloud. In environments where multi-factor authentication was not enabled, the attacker was able to log in using valid usernames and passwords. The company also correlated its findings with publicly available images, metadata, and open source intelligence to strengthen its assessment.
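The defender-side counterpart of that search, as an added example that is not from the article or from Hudson Rock: given exposed-credential records, it picks out the ones tied to cloud file-sharing logins and flags what to do about each, with the oldest ones (years-old exposures, as the report notes) marked for a login-history audit. The record layout, the tenant hostname acme.sharefile.com and the self-hosted host cloud.acme.example are all constructed assumptions.

```python
import re
from datetime import date
from urllib.parse import urlparse
# Assumption: ShareFile tenants live under sharefile.com; Nextcloud/ownCloud are
# self-hosted, so they are recognised by their default login paths, not a domain.
SHAREFILE_HOST = re.compile(r"(^|\.)sharefile\.com$")
SELF_HOSTED_LOGIN_PATHS = ("/index.php/login", "/login")
# Constructed sample in an assumed URL/USER/DATE layout (not a real stealer
# format; the password field is left out on purpose).
SAMPLE_LOG = """\
URL: https://acme.sharefile.com/Authentication/Login
USER: j.doe@acme.example
DATE: 2021-03-02

URL: https://cloud.acme.example/index.php/login
USER: m.roe@acme.example
DATE: 2025-11-20

URL: https://shop.example.net/account
USER: j.doe@acme.example
DATE: 2024-01-01
"""

def parse_records(text):
    """Each blank-line-separated block is one saved login; return it as a dict."""
    records = [dict(ln.split(": ", 1) for ln in block.splitlines())
               for block in text.strip().split("\n\n")]
    for rec in records:
        rec["DATE"] = date.fromisoformat(rec["DATE"])
    return records

def is_cloud_file_share(url):
    """True for a ShareFile tenant or a Nextcloud/ownCloud-style login URL."""
    p = urlparse(url)
    return bool(SHAREFILE_HOST.search(p.hostname or "")) or any(
        p.path.startswith(path) for path in SELF_HOSTED_LOGIN_PATHS)

def triage(text, today_iso, stale_days=365):
    """Return (user, host, action) per exposed file-share login; stale ones get an audit too."""
    today, findings = date.fromisoformat(today_iso), []
    for rec in parse_records(text):
        if not is_cloud_file_share(rec["URL"]):
            continue
        age = (today - rec["DATE"]).days
        action = "rotate password, revoke sessions, enforce MFA"
        if age > stale_days:
            action += f"; exposed {age} days ago, audit login history"
        findings.append((rec["USER"], urlparse(rec["URL"]).hostname, action))
    return findings
```

Run `triage(SAMPLE_LOG, "2026-01-15")` to see the two file-sharing accounts flagged and the unrelated shop login ignored.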

In at least 15 confirmed cases, Hudson Rock found clear evidence that employee credentials for cloud file sharing platforms had been stolen by infostealing malware. However, the researchers caution that this verification is one-sided and that most of the companies involved have not publicly confirmed a breach. One possible exception is Iberia, although its recent disclosure has not been directly linked to Hudson Rock’s findings.


Zestix claims the stolen data ranges from tens of gigabytes to several terabytes and includes highly sensitive material. The listings advertise access to aircraft maintenance manuals, fleet data, defense and engineering documents, customer databases, health records, public transport schematics, utility LiDAR maps, internet service provider network configurations, satellite project files, ERP source code, government contracts, and legal documents.
