Stolen Credentials Fuel Corporate Data Theft on Cloud File-Sharing Platforms

Cybersecurity firm Hudson Rock reported on , that corporate data is being stolen from cloud file-sharing platforms such as ShareFile, Nextcloud, and ownCloud. The attacks rely on compromised credentials and succeed largely because multi-factor authentication (MFA) is not enabled on many affected accounts. A high-profile initial access broker (IAB), identified as Zestix (also known as Sentap), is reportedly facilitating unauthorized access and selling stolen data.

Hudson Rock's report outlines a campaign in which threat actors gained access to corporate cloud file-sharing services belonging to approximately 50 major global enterprises. Some of the credentials used in these intrusions had been circulating in criminal databases for years, pointing to failures in password rotation and session invalidation. According to the report, Zestix searches infostealer logs for corporate cloud service URLs and uses valid usernames and passwords to log into environments where MFA is not enforced. Affected sectors reportedly include aviation, defense, healthcare, utilities, mass transit, telecommunications, legal, real estate, and government.

Operating on underground forums, Zestix specializes in selling access to high-value corporate cloud platforms. As an initial access broker, the actor focuses on gaining entry and monetizing that access by reselling it to other cybercriminal groups, including ransomware operators. This division of labor lowers the barrier for follow-on attacks and accelerates intrusion timelines. The access sold by Zestix is typically obtained through credentials harvested by infostealer malware families such as RedLine, Lumma, and Vidar, which are commonly distributed via malvertising campaigns. Reported victims include American utility engineering firm Pickett and Associates, Turkey's Intecro Robotics, and Brazil's Maida Health, with exposed data volumes ranging from tens of gigabytes to several terabytes.

Hudson Rock describes the campaign as notable not for technical sophistication but for its simplicity. In the firm’s assessment, the attacker often gains access by logging in with valid credentials where MFA is absent. This underscores persistent weaknesses in corporate credential hygiene, including long-term password reuse and the failure to revoke access even after credentials are known to be compromised.

While reports reference roughly 50 affected organizations, the total number of unique victims remains unconfirmed. Public summaries did not disclose specific financial losses, the full scope of data exfiltrated across all incidents, or precise timelines for each unauthorized access event.

Organizations that rely on cloud file-sharing platforms are expected to re-evaluate their authentication and access control practices. Cybersecurity researchers and law enforcement agencies are likely to continue monitoring the activities of IABs such as Zestix, as the widespread availability of stolen credentials suggests that similar attacks will persist against inadequately protected cloud environments.

Organizations should consider the following steps to reduce exposure to these threats:

  • Audit all cloud file-sharing platforms, including ShareFile, Nextcloud, and ownCloud, for signs of unauthorized access or abnormal activity.
  • Enforce multi-factor authentication (MFA) across all corporate cloud services and user accounts.
  • Require regular credential rotation and invalidate active sessions tied to former employees or compromised accounts.
  • Educate employees about phishing and infostealer malware, emphasizing safe browsing and download practices.
  • Monitor security logs for unusual login behavior, including access from unfamiliar devices or locations.
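The last two recommendations (revoking stale access and watching for logins from unfamiliar devices or locations) can be turned into a simple detection pass over authentication logs. The following Python script is an added illustration, not code from Hudson Rock's report or from any of the platforms named above. It reads JSON-per-line login records whose field names (user, remote_addr, user_agent, result, mfa, time) are assumptions chosen for this example, builds a per-user baseline of known networks and user agents from a trusted history window, and then flags later successful logins that come from a new /24 network or client, that belong to a user with no baseline at all, or that completed without an MFA step. It also reports source addresses shared by several accounts, which is the shape a credential-stuffing run from one host tends to leave. The sample log lines are constructed and use documentation address ranges.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs). The schema is an assumption
# made for this example; map your platform's fields onto it before use.
SAMPLE_LOG = """
{"time":"2025-01-06T08:02:11Z","user":"alice","remote_addr":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0)","result":"success","mfa":true}
{"time":"2025-01-06T08:15:40Z","user":"bob","remote_addr":"203.0.113.22","user_agent":"Mozilla/5.0 (Macintosh)","result":"success","mfa":true}
{"time":"2025-01-07T09:01:03Z","user":"alice","remote_addr":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0)","result":"success","mfa":true}
{"time":"2025-01-08T02:44:19Z","user":"bob","remote_addr":"198.51.100.77","user_agent":"python-requests/2.31","result":"success","mfa":false}
{"time":"2025-01-08T02:45:02Z","user":"carol","remote_addr":"198.51.100.77","user_agent":"python-requests/2.31","result":"failure","mfa":false}
{"time":"2025-01-08T02:45:30Z","user":"carol","remote_addr":"198.51.100.77","user_agent":"python-requests/2.31","result":"success","mfa":false}
"""

# Constructed cutoff: successful logins before this time form the trusted baseline.
BASELINE_CUTOFF = "2025-01-08T00:00:00Z"


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse JSON-per-line records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def network_of(ip):
    """Reduce an address to its /24 so small DHCP churn does not trigger alerts."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events, cutoff):
    """Per-user sets of networks and user agents seen in successful logins before cutoff."""
    cutoff_ts = parse_ts(cutoff)
    baseline = defaultdict(lambda: {"networks": set(), "agents": set()})
    for event in events:
        if event["result"] == "success" and event["ts"] < cutoff_ts:
            baseline[event["user"]]["networks"].add(network_of(event["remote_addr"]))
            baseline[event["user"]]["agents"].add(event["user_agent"])
    return baseline


def find_anomalies(events, cutoff):
    """Flag successful logins after cutoff that deviate from the baseline or skipped MFA."""
    cutoff_ts = parse_ts(cutoff)
    baseline = build_baseline(events, cutoff)
    findings = []
    for event in events:
        if event["result"] != "success" or event["ts"] < cutoff_ts:
            continue
        reasons = []
        known = baseline.get(event["user"])  # .get() avoids creating an empty entry
        if known is None:
            reasons.append("no_baseline")
        else:
            if network_of(event["remote_addr"]) not in known["networks"]:
                reasons.append("new_network")
            if event["user_agent"] not in known["agents"]:
                reasons.append("new_user_agent")
        if not event.get("mfa", False):
            reasons.append("no_mfa")
        if reasons:
            findings.append({
                "user": event["user"],
                "time": event["time"],
                "source": event["remote_addr"],
                "reasons": reasons,
            })
    return findings


def shared_sources(events):
    """Source addresses (any result) that touched more than one account."""
    users_by_ip = defaultdict(set)
    for event in events:
        users_by_ip[event["remote_addr"]].add(event["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in find_anomalies(evs, BASELINE_CUTOFF):
        print(finding)
    for ip, users in shared_sources(evs).items():
        print(ip, "used by", sorted(users))
```

On the constructed sample, the script flags bob's off-hours login from a new network with a scripted client and no MFA, flags carol as an account with no history that also completed without MFA, and reports the single source address behind both. The no_mfa reason is the one worth treating as a standing finding rather than an alert: every account it names is a candidate for the MFA enforcement and session revocation steps above.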
