Corporate Cloud Data Breaches via Infostealer-Harvested Credentials
A threat actor known as Zestix has systematically breached dozens of major global enterprises by exploiting credentials harvested from infostealer malware such as RedLine, Lumma, and Vidar. These infostealers, often distributed through malvertising or phishing, collect login data from infected employee devices, which is then aggregated and sold or used on underground forums. Zestix specifically targeted cloud file-sharing platforms including ShareFile, Nextcloud, and OwnCloud, gaining unauthorized access to sensitive corporate data across sectors like aviation, defense, healthcare, utilities, and government. The breaches were enabled by the widespread absence of Multi-Factor Authentication (MFA), allowing attackers to use valid credentials—some of which had been exposed for years—to access and exfiltrate terabytes of confidential information.
Security researchers from multiple firms, including Hudson Rock and InfoStealers, highlighted that Zestix operates as an initial access broker, auctioning access to compromised cloud environments and datasets. The attacks underscore a critical security gap: organizations' failure to implement or enforce MFA and to regularly rotate credentials, leaving them vulnerable to credential-based attacks. The scale and persistence of these breaches demonstrate the urgent need for improved credential hygiene and robust access controls to protect cloud-based assets from similar threats.
Related Stories

Credential Theft Attacks on ownCloud Instances Due to Lack of MFA
ownCloud has issued an urgent advisory to users of its Community Edition, emphasizing the immediate need to enable multi-factor authentication (MFA) following a series of credential theft incidents. According to a threat intelligence report by Hudson Rock, attackers leveraged infostealer malware such as RedLine, Lumma, and Vidar to compromise employee endpoints and harvest login credentials. These stolen credentials were then used to access ownCloud instances that did not have MFA enabled, resulting in unauthorized access to sensitive data. ownCloud clarified that its platform was not breached and that no zero-day vulnerabilities were exploited; instead, the attacks succeeded due to misconfigurations and the absence of enforced MFA on self-hosted deployments. The company recommends several mitigation steps: enabling MFA across all user accounts, resetting passwords, auditing access logs for suspicious activity, and invalidating active sessions to force re-authentication. Security experts highlight that MFA can block over 99% of account takeover attempts, yet adoption remains low among self-hosted platforms. The incident has drawn attention to the broader risks facing open-source file-sharing solutions like ownCloud, Nextcloud, and Seafile, especially as infostealer malware becomes more prevalent and corporate data is increasingly targeted for sale on dark web markets. Organizations are urged to prioritize MFA and robust credential management to defend against similar attacks.
2 months ago
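As an added illustration of the "audit access logs for suspicious activity" step in the ownCloud advisory above (example code written for this page, not from ownCloud or Hudson Rock), the script below runs two checks over constructed authentication records: a successful login without a second factor from an address the account never used before, and one source address cycling through many accounts, which is the shape a replayed infostealer combo list leaves in a log. The JSON field names are an assumed simplified schema, not ownCloud's actual log format.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified JSON-lines schema (an assumption, not ownCloud's real log format).
SAMPLE_LOG = """
{"time":"2025-01-03T09:12:00Z","user":"alice","ip":"203.0.113.10","event":"login_success","mfa":true}
{"time":"2025-01-05T10:00:00Z","user":"bob","ip":"198.51.100.7","event":"login_success","mfa":false}
{"time":"2025-03-20T02:41:00Z","user":"bob","ip":"192.0.2.55","event":"login_success","mfa":false}
{"time":"2025-03-20T02:43:00Z","user":"carol","ip":"192.0.2.55","event":"login_success","mfa":false}
{"time":"2025-03-20T02:44:00Z","user":"dave","ip":"192.0.2.55","event":"login_failed","mfa":false}
{"time":"2025-03-20T02:45:00Z","user":"erin","ip":"192.0.2.55","event":"login_success","mfa":false}
{"time":"2025-03-21T08:00:00Z","user":"alice","ip":"203.0.113.10","event":"login_success","mfa":true}
"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # ISO-8601 UTC with 'Z'

def parse_records(text):
    """Parse JSON lines into dicts with a datetime 'time' field, oldest first."""
    records = [json.loads(line) for line in text.strip().splitlines()]
    for rec in records:
        rec["time"] = _ts(rec["time"])
    return sorted(records, key=lambda r: r["time"])

def audit_logins(text, baseline_until, window_minutes=60, min_accounts=3):
    """Return sorted (rule, user, ip) findings. no_mfa_unknown_ip: a successful login with
    no second factor from an address the account never used before `baseline_until` (a
    replayed stolen password against an account without MFA). many_accounts_one_ip: one
    address touching >= min_accounts distinct accounts within window_minutes (combo list)."""
    records, cutoff = parse_records(text), _ts(baseline_until)
    known_ips, findings = defaultdict(set), set()
    for r in records:
        if r["time"] < cutoff:                       # learn each account's known addresses
            if r["event"] == "login_success":
                known_ips[r["user"]].add(r["ip"])
        elif r["event"] == "login_success" and not r["mfa"] and r["ip"] not in known_ips[r["user"]]:
            findings.add(("no_mfa_unknown_ip", r["user"], r["ip"]))
    by_ip = defaultdict(list)
    for r in records:                                # already time-ordered
        by_ip[r["ip"]].append(r)
    for ip, attempts in by_ip.items():
        for i, start in enumerate(attempts):         # window anchored at each attempt
            users = {a["user"] for a in attempts[i:]
                     if (a["time"] - start["time"]).total_seconds() <= window_minutes * 60}
            if len(users) >= min_accounts:           # successes and failures both count
                findings.add(("many_accounts_one_ip", "*", ip))
                break
    return sorted(findings)
```

Accounts flagged by the first rule are candidates for the advisory's password reset and session invalidation; the second rule points at a source worth blocking while the affected accounts are reviewed.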
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
Today
Recent Surge in Infostealer and Credential Theft Tactics
Threat actors have significantly escalated the use of information-stealing malware and credential theft techniques, leveraging new methods to bypass traditional security controls and exploit human vulnerabilities. Flashpoint reports an 800% increase in infostealer-driven credential theft in 2025, with over 1.8 billion accounts compromised globally. Attackers are neutralizing Windows' Mark of the Web (MotW) protections using drag-and-drop lures, exploiting vulnerabilities, and targeting alternative software to evade detection. The rise of session token theft is also enabling attackers to bypass multi-factor authentication (MFA), as tokens stored in browsers are increasingly targeted and sold on underground markets, often escaping detection by network-focused security tools. The evolving threat landscape is further complicated by the proliferation of infostealer malware, which has become a primary entry point for enterprise breaches. Security experts emphasize the need for organizations to look beyond malware signatures and focus on deceptive initial access vectors, such as malicious scripts, third-party supply chain risks, and user manipulation. Effective defense now requires monitoring browser behavior, treating client-side security as a core responsibility, and understanding the full identity attack surface to counteract these sophisticated evasion tactics.
2 months ago