Mallory

Credential Theft Attacks on ownCloud Instances Due to Lack of MFA

Tags: credential theft, re-authentication, credential management, unauthorized access, infostealer, security advisory, ownCloud, phishing, access logs, MFA, attack vector, attack, file-sharing, self-hosted, exploitation
Updated January 7, 2026 at 07:02 PM (2 sources)

ownCloud has issued an urgent advisory to users of its Community Edition, urging them to enable multi-factor authentication (MFA) immediately following a series of credential theft incidents. According to a threat intelligence report by Hudson Rock, attackers used infostealer malware such as RedLine, Lumma, and Vidar to compromise employee endpoints and harvest saved login credentials. The stolen credentials were then replayed against ownCloud instances that did not have MFA enabled, giving the attackers authenticated access to sensitive data. ownCloud clarified that its platform was not breached and that no zero-day vulnerability was exploited; the attacks succeeded because self-hosted deployments were misconfigured and did not enforce MFA.

The company recommends several mitigation steps: enabling MFA for every user account, resetting passwords, auditing access logs for suspicious activity, and invalidating all active sessions to force re-authentication. The last step matters because a password reset alone does not evict an attacker who already holds a valid session, and the infostealer families named above harvest browser cookies and session tokens alongside saved passwords. When auditing logs, note that a replayed credential produces a successful login from an unfamiliar source address rather than a burst of failures, so the review must look at where each account authenticated from, not only at failed attempts. Security experts highlight that MFA blocks over 99% of account takeover attempts, yet adoption remains low on self-hosted platforms. The incident has drawn attention to the broader risks facing open-source file-sharing solutions such as ownCloud, Nextcloud, and Seafile, especially as infostealer malware becomes more prevalent and corporate data is increasingly targeted for sale on dark web markets. Organizations are urged to prioritize MFA and robust credential management to defend against similar attacks.
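As an added example for the "audit access logs" step (this is not ownCloud's code and does not come from the advisory), the Python below runs a small audit over constructed ownCloud-style JSON log lines. It assumes the data/owncloud.log field names (reqId, remoteAddr, user, message), that an unauthenticated request carries user "--", and that failed logins are logged as "Login failed: ..."; the corporate range 10.20.0.0/16 and every log line are made up for the demonstration. The point it shows is that a credential replayed from an infostealer looks like a normal successful session from a new address, so the audit baselines source addresses per account instead of only counting failures.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample modelled on ownCloud's data/owncloud.log (JSON lines).
# Hand-written for this example, not real log data. The field set, the "--"
# placeholder for unauthenticated requests and the "Login failed:" message
# are assumptions about the log format.
SAMPLE_LOG = """\
{"reqId":"r1","level":1,"time":"2026-01-05T08:02:11+00:00","remoteAddr":"10.20.0.14","user":"alice","app":"core","method":"GET","url":"/index.php/apps/files/","message":"file list"}
{"reqId":"r2","level":1,"time":"2026-01-05T08:05:40+00:00","remoteAddr":"10.20.0.14","user":"alice","app":"files","method":"PUT","url":"/remote.php/dav/files/alice/report.pdf","message":"upload"}
{"reqId":"r3","level":1,"time":"2026-01-05T08:06:02+00:00","remoteAddr":"203.0.113.77","user":"alice","app":"files","method":"GET","url":"/remote.php/dav/files/alice/","message":"propfind"}
{"reqId":"r4","level":1,"time":"2026-01-05T08:06:30+00:00","remoteAddr":"203.0.113.77","user":"alice","app":"files","method":"GET","url":"/remote.php/dav/files/alice/finance/","message":"propfind"}
{"reqId":"r5","level":2,"time":"2026-01-05T09:10:00+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')"}
{"reqId":"r6","level":2,"time":"2026-01-05T09:10:03+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')"}
{"reqId":"r7","level":2,"time":"2026-01-05T09:10:05+00:00","remoteAddr":"198.51.100.9","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '198.51.100.9')"}
{"reqId":"r8","level":1,"time":"2026-01-05T11:00:00+00:00","remoteAddr":"10.20.0.31","user":"bob","app":"core","method":"GET","url":"/index.php/apps/files/","message":"file list"}
not json at all
"""

# Assumed corporate address range for this example; replace with your own.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]


def parse_log(text):
    """Parse JSON-lines log text, skipping anything that is not a JSON object with a time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict) or "time" not in entry:
            continue
        entry["ts"] = datetime.fromisoformat(entry["time"])
        events.append(entry)
    return events


def _is_trusted(addr, networks):
    """True if addr parses and falls inside one of the trusted networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def find_suspicious(events, trusted_networks=TRUSTED_NETWORKS,
                    window=timedelta(minutes=15), fail_threshold=3):
    """Return (kind, subject, detail) findings.

    untrusted_source    authenticated request from outside the trusted ranges;
                        a stolen-but-valid credential looks exactly like this
    multi_ip            one account active from two addresses inside `window`
    failed_login_burst  >= fail_threshold "Login failed" lines from one address
                        inside `window` (guessing/stuffing, shown for contrast)
    """
    findings = []
    reported = set()
    by_user = defaultdict(list)
    failures = defaultdict(list)

    for e in sorted(events, key=lambda x: x["ts"]):
        user = e.get("user") or "--"
        addr = e.get("remoteAddr", "")
        if user != "--":
            by_user[user].append((e["ts"], addr))
            if not _is_trusted(addr, trusted_networks) and (user, addr) not in reported:
                reported.add((user, addr))
                findings.append(("untrusted_source", user, addr))
        if e.get("message", "").startswith("Login failed:"):
            failures[addr].append(e["ts"])

    for user, seen in by_user.items():
        for i, (t0, a0) in enumerate(seen):
            others = sorted({a for t, a in seen[i + 1:] if t - t0 <= window and a != a0})
            if others:
                findings.append(("multi_ip", user, f"{a0} then {','.join(others)}"))
                break

    for addr, times in failures.items():
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                findings.append(("failed_login_burst", addr,
                                 f"{fail_threshold} failures within {window} from {times[i].isoformat()}"))
                break

    return findings


if __name__ == "__main__":
    for kind, subject, detail in find_suspicious(parse_log(SAMPLE_LOG)):
        print(kind, subject, detail)
```

On the sample, alice produces both an untrusted_source and a multi_ip finding even though every one of her requests succeeded, while the only failures come from a separate guessing attempt against bob. A real deployment would replace the static trusted range with a per-user baseline built from historical logs and would also review WebDAV paths fetched from the new address, since bulk PROPFIND/GET over a user's tree is the exfiltration pattern described in the story.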

Related Stories

Corporate Cloud Data Breaches via Infostealer-Harvested Credentials

A threat actor known as **Zestix** has systematically breached dozens of major global enterprises by exploiting credentials harvested by infostealer malware such as RedLine, Lumma, and Vidar. These infostealers, often distributed through malvertising or phishing, collect login data from infected employee devices; the data is then aggregated and sold or used on underground forums. Zestix specifically targeted cloud file-sharing platforms including ShareFile, Nextcloud, and ownCloud, gaining unauthorized access to sensitive corporate data across sectors such as aviation, defense, healthcare, utilities, and government. The breaches were enabled by the widespread absence of multi-factor authentication (MFA), which allowed attackers to use valid credentials, some of which had been exposed for years, to access and exfiltrate terabytes of confidential information. Security researchers from multiple firms, including Hudson Rock and InfoStealers, report that Zestix operates as an initial access broker, auctioning access to compromised cloud environments and datasets. The attacks underscore a critical security gap: organizations' failure to implement or enforce MFA and to rotate credentials after exposure leaves them open to credential-based attacks. The scale and persistence of these breaches demonstrate the urgent need for improved credential hygiene and robust access controls to protect cloud-based assets from similar threats.

2 months ago

Credential-Based Attacks and the Shift Toward Phishing-Resistant MFA

Recent high-profile breaches at major UK retailers, including M&S and Co-op Group, have highlighted the growing threat of identity-based attacks. Attackers used vishing techniques to obtain corporate passwords, which enabled ransomware deployment and resulted in significant financial and reputational damage. The distributed nature of modern IT environments, with resources spread across cloud and on-premises systems, has made identity the new security perimeter, increasing the value of credentials for cybercriminals. Infostealer malware and various forms of phishing, including smishing and vishing, are now primary methods for harvesting credentials, contributing to a surge in identity-related breaches across industries. To counter these threats, security experts emphasize the importance of robust multifactor authentication (MFA), particularly methods that are resistant to phishing. While traditional MFA methods such as one-time passwords (OTPs) sent via SMS or email are still widely used, they are increasingly vulnerable to social engineering and interception. The adoption of passkeys and other phishing-resistant MFA solutions is being promoted as the gold standard, with Microsoft reporting that MFA blocks over 99% of unauthorized access attempts. Organizations are urged to move beyond basic MFA and implement stronger, phishing-resistant authentication to protect against evolving identity-based attacks.

3 months ago

Credential Compromise and the Risks of Password-Based Authentication

Cybercriminals are increasingly targeting enterprise credentials through phishing, brute force attacks, and exploitation of password reuse, leading to widespread compromise and monetization of login details. Attackers use tactics such as convincing phishing emails, credential stuffing, and the sale of stolen credentials on underground markets, enabling further exploitation including data theft and ransomware. The prevalence of password reuse and weak password management practices among employees exacerbates the risk, as users often rotate between a small set of passwords or make only minor variations, making it easier for attackers to gain access to multiple accounts once a single credential is compromised. Security experts are urging organizations to move away from traditional password-based authentication and adopt phishing-resistant, device-bound cryptographic solutions such as FIDO2, passkeys, and certificate-based authentication. These measures are seen as essential to counter the growing threat posed by automated attacks leveraging AI agents and large-scale credential theft. SaaS providers are also encouraged to integrate with identity platforms that support these advanced authentication methods to strengthen overall security posture and reduce the risk of credential-based breaches.

4 months ago
