Executive Summary

A threat actor known as Zestix (also tracked as 'Sentap') is auctioning sensitive data from approximately 50 major global companies after gaining unauthorized access to their corporate file-sharing systems. The campaign, detailed by cybersecurity firm Hudson Rock, highlights a critical and widespread security gap: the failure to enforce multi-factor authentication (MFA). The actor utilized credentials stolen by common infostealer malware to simply 'walk through the front door' of enterprise file synchronization and sharing (EFSS) platforms, including Progress ShareFile, Nextcloud, and OwnCloud. The breaches affected organizations in critical sectors like aviation, housing, and government infrastructure, with victims including Iberia Airlines and Sekisui House. This incident serves as a stark reminder that in an era of rampant infostealer infections, password-only security is obsolete, and MFA is an essential baseline control.

Threat Overview

The Zestix campaign epitomizes the opportunistic nature of modern cybercrime, which leverages the massive underground economy for stolen credentials. The threat actor, an initial access broker active since at least 2021, did not need to develop or purchase exploits. Instead, they capitalized on a pre-existing and growing problem: employee devices infected with infostealer malware. These malware families, such as RedLine, Lumma, and Vidar, are designed to steal a wide range of data from infected computers, with a primary focus on credentials saved in web browsers.

Once Zestix acquires these logs from dark web marketplaces, they systematically test the stolen username/password pairs against high-value corporate targets, specifically EFSS portals. These platforms are treasure troves of sensitive data, often containing intellectual property, financial records, customer PII, and strategic plans. The success of the campaign across 50 different organizations demonstrates that the lack of MFA on externally-facing, data-rich applications is not an isolated issue but a systemic failure.

Technical Analysis

The attack is brutally simple and effective:

1. Initial Infection (Out of Scope for Zestix): An employee at a target company inadvertently infects their work or personal device (if used for work) with an infostealer malware like RedLine or Lumma. This often happens through phishing, malicious ads, or trojanized software downloads.
2. Credential Harvesting: The infostealer exfiltrates saved credentials from the victim's web browsers, along with other data like cookies and system information, and sends them to a C2 server.
3. Data Acquisition (Zestix): Zestix purchases or acquires the infostealer logs from the malware operator or a marketplace.
4. Credential Stuffing/Re-use: The actor uses automated tools to test the stolen credentials against known corporate login portals for services like ShareFile, Nextcloud, and OwnCloud.
5. Unauthorized Access: When a valid credential pair is found for an account not protected by MFA, the actor gains immediate access.
6. Data Exfiltration: Zestix proceeds to exfiltrate large volumes of sensitive data from the compromised file-sharing portal.
7. Monetization: The actor auctions the stolen data and/or the access itself on cybercrime forums.

MITRE ATT&CK Mapping

• T1078 - Valid Accounts: The core of the attack is the use of legitimate, stolen credentials to access systems.
• T1537 - Transfer Data to Cloud Account: While the actor exfiltrates from a cloud account, the principle of abusing cloud storage for malicious ends applies.
• T1567.002 - Exfiltration to Cloud Storage: The attacker exfiltrates data from the compromised corporate cloud storage to their own storage.
• T1119 - Automated Collection: The initial credential theft is performed by automated infostealer malware.

Impact Assessment

The impact on the 50 breached companies is multifaceted and severe. Direct financial losses can result from regulatory fines (e.g., GDPR), incident response costs, and potential extortion demands. The theft of dozens or hundreds of gigabytes of data per victim exposes them to intellectual property loss, competitive disadvantage, and reputational damage. For victims like Iberia Airlines and Pickett and Associates (a utility engineering firm), the breach could have implications for operational security and critical infrastructure. This campaign demonstrates that a single, low-sophistication actor can cause widespread damage by exploiting a common, basic security oversight.

Detection & Response

• Impossible Travel Alerts: Monitor for logins to corporate accounts from geographically distant locations in a short time frame. This is a classic indicator of credential abuse.
• Anomalous Data Access: Use CASB (Cloud Access Security Broker) or native platform logging to detect unusual data access patterns, such as a single user downloading an abnormally large volume of files.
• Endpoint Detection: Deploy EDR (Endpoint Detection and Response) solutions to detect and block infostealer malware like RedLine and Lumma on employee devices before credentials can be stolen.
• D3FEND Techniques: Utilize D3-LAM: Local Account Monitoring and D3-DAM: Domain Account Monitoring to identify suspicious login attempts and patterns against cloud services.

Mitigation

• Mandate MFA Everywhere: The single most effective mitigation is to enforce phishing-resistant MFA on all externally accessible applications, especially those containing sensitive data like EFSS platforms. This is a non-negotiable baseline security control. This directly maps to M1032 - Multi-factor Authentication.
• Strong Password Policies: While secondary to MFA, enforcing strong, unique passwords for all accounts reduces the risk of credential stuffing from other breaches. This aligns with M1027 - Password Policies.
• User Training: Educate users on the dangers of infostealer malware and the importance of not saving corporate credentials in personal browser profiles. This is part of M1017 - User Training.
• Limit Credential Saving: Use browser policies and endpoint management tools to prevent or limit the saving of credentials in web browsers, particularly on unmanaged devices.