Full Report
Crim used infostealer to get cloud credentials
If you don't say "yes way" to MFA, the consequences can be disastrous.
Sensitive data belonging to about 50 global enterprises is listed for sale – and, in some cases, has already been sold – on the dark web following a major infostealer campaign, with apparent victims including American utility engineering firm Pickett and Associates; Japan's homebuilding giant Sekisui House; and Spain's largest airline Iberia.…
Analysis Summary
# Incident Report: Widespread Data Theft via Infostealer Exploiting Lack of MFA
## Executive Summary
A major infostealer campaign, attributed to the threat actor Zestix/Sentap, resulted in the compromise of cloud credentials belonging to approximately 50 global enterprises. The attacker exploited the lack of mandatory Multi-Factor Authentication (MFA) enforcement on these accounts to gain unauthorized access to enterprise file synchronization and sharing (EFSS) platforms. Sensitive data from victims across critical sectors, including aerospace, utilities, and aviation, has been listed for sale or already sold on the dark web.
## Incident Details
- Discovery Date: Initial dark web listings noted around Monday, December 29, 2025 (inferred from article publication date of Tue 6 Jan 2026 and Hudson Rock's "Monday report").
- Incident Date: Ongoing campaign, active since at least 2021, with specific recent compromises tied to the listed data sales.
- Affected Organization: About 50 global enterprises, including Pickett and Associates (US Utilities/Engineering), Sekisui House (Japan Homebuilding), and Iberia (Spain Airline).
- Sector: Multiple, including Utilities, Aviation, Robotics/Defense, Legal, and Healthcare.
- Geography: Global (US, Japan, Spain, Turkey, Brazil mentioned).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing, dating back to at least 2021. Recent access exploitation occurred after employee devices were infected.
- Vector: Employee downloads of infostealer-laden files.
- Details: Employees inadvertently download malware that harvests saved credentials and browser history from their devices.
### Lateral Movement
- Details: Not explicitly detailed; the stolen credentials were used directly against cloud EFSS platforms (e.g., ShareFile, Nextcloud, OwnCloud). Because valid credentials worked against the internet-facing portals, traditional network lateral movement was likely unnecessary.
### Data Exfiltration/Impact
- Date/Time: Dates of exfiltration linked to when data became available for sale on the dark web.
- Details: Sensitive corporate data, including engineering data, military IP, customer details (VINs, addresses), technical safety data, and SCADA information, was collected from EFSS portals and prepared for sale.
### Detection & Response
- Details: Detection appears to have been initiated externally by Hudson Rock, an Israeli cybersecurity company, in a report published Monday (approx. 12/29/2025). Response actions by individual victims are largely undisclosed, though Progress Software confirmed the issue was credential-based, not platform vulnerability related.
## Attack Methodology
- Initial Access: Information-stealing malware running on employee endpoints (the specific infostealer families are not named in the source).
- Persistence: Not explicitly detailed for the attacker, but implied through the sustained use of harvested credentials.
- Privilege Escalation: Not explicitly required; access was gained via compromised/stolen valid credentials.
- Defense Evasion: Bypassed security controls by using legitimate credentials against systems lacking MFA.
- Credential Access: Infostealer malware harvested stored credentials and browser sessions from infected end-user devices.
- Discovery: Attacker likely used stolen credentials to map accessible file shares or data repositories within the targeted EFSS portals.
- Lateral Movement: Access leveraged valid organizational credentials to reach specific file-sharing portals.
- Collection: Targeting Enterprise File Synchronization and Sharing (EFSS) platforms (ShareFile, Nextcloud, OwnCloud).
- Exfiltration: Data was gathered and then listed/sold on the dark web (e.g., 139 GB of engineering data for 6.5 BTC, ~$585,000).
- Impact: Unauthorized access resulting in mass data theft and public exposure/sale of classified and sensitive corporate data.
## Impact Assessment
- Financial: Sales prices listed in BTC (e.g., $585,000 for one specific dataset), indicating significant potential financial loss and ransom opportunities.
- Data Breach: Highly sensitive data across 50 organizations, including weapon system specs (Intecro Robotics), critical utility blueprints (Pickett), health records (Maida Health), and fleet safety data (Iberia).
- Operational: Potential operational disruption due to the exposure of critical infrastructure and technical schematics.
- Reputational: Significant reputational damage to affected organizations due to public data sales highlighting security failures.
## Indicators of Compromise
- Network Indicators: None specified in the source.
- File Indicators: None specified; the source does not identify the infostealer samples involved.
- Behavioral Indicators: Successful logins to cloud EFSS platforms (ShareFile, Nextcloud, OwnCloud) using valid credentials with no corresponding MFA challenge/response activity; use of long-expired credentials, reflecting a pervasive failure in credential hygiene.
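The two behavioral indicators above can be turned into a simple detection pass over authentication logs. The following is an added illustration, not code from the article or from Hudson Rock; the JSON log format, field names (`app`, `result`, `mfa`, `pw_set`) and the 180-day rotation threshold are assumptions constructed for this example.

```python
"""Flag successful EFSS logins that completed no MFA step, or that used a
credential older than the rotation threshold (constructed example)."""
import json
from datetime import datetime, timedelta

EFSS_APPS = {"sharefile", "nextcloud", "owncloud"}
MAX_CREDENTIAL_AGE = timedelta(days=180)  # assumed rotation policy

# Constructed sample events, not real logs. 'mfa' records whether a second
# factor was completed; 'pw_set' is when the password was last rotated.
SAMPLE_LOG = """
{"ts":"2025-12-29T08:02:11Z","app":"nextcloud","user":"j.doe","result":"success","mfa":true,"pw_set":"2025-11-01T00:00:00Z"}
{"ts":"2025-12-29T08:05:40Z","app":"sharefile","user":"a.smith","result":"success","mfa":false,"pw_set":"2021-03-14T00:00:00Z"}
{"ts":"2025-12-29T08:06:02Z","app":"owncloud","user":"svc-backup","result":"failure","mfa":false,"pw_set":"2025-06-01T00:00:00Z"}
{"ts":"2025-12-29T08:09:55Z","app":"nextcloud","user":"m.lee","result":"success","mfa":false,"pw_set":"2025-10-20T00:00:00Z"}
{"ts":"2025-12-29T08:12:30Z","app":"jira","user":"m.lee","result":"success","mfa":false,"pw_set":"2025-10-20T00:00:00Z"}
"""


def _parse_ts(value):
    # ISO-8601 with a trailing Z; normalise so fromisoformat accepts it on older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious_logins(events, now):
    """Return (user, app, reasons) for successful EFSS logins that lack MFA
    or were made with a credential older than MAX_CREDENTIAL_AGE."""
    findings = []
    for ev in events:
        if ev["app"] not in EFSS_APPS or ev["result"] != "success":
            continue  # failed logins and non-EFSS apps are out of scope here
        reasons = []
        if not ev.get("mfa"):
            reasons.append("no_mfa")
        if now - _parse_ts(ev["pw_set"]) > MAX_CREDENTIAL_AGE:
            reasons.append("stale_credential")
        if reasons:
            findings.append((ev["user"], ev["app"], reasons))
    return findings


def run_sample(now_iso="2025-12-29T09:00:00Z"):
    return find_suspicious_logins(parse_events(SAMPLE_LOG), _parse_ts(now_iso))


if __name__ == "__main__":
    for user, app, reasons in run_sample():
        print(f"{user}@{app}: {', '.join(reasons)}")
```

The MFA-only hit on `m.lee` is the case that matters most: a valid password alone granted access, which is exactly the condition the campaign relied on.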
## Response Actions
- Containment: Not explicitly detailed, but likely involved mandatory password resets and immediate enforcement of MFA across all services for affected firms.
- Eradication: Not detailed, but required comprehensive endpoint remediation following infostealer infection.
- Recovery: Not detailed, but required restoring data integrity and assessing the extent of data exposure.
## Lessons Learned
- MFA is essential: The primary failure across all compromises was the lack of enforced Multi-Factor Authentication, allowing simple password theft to equate to full account compromise.
- Credential Hygiene: Organizations demonstrated a "pervasive failure" by neglecting to rotate old passwords or invalidate sessions, allowing credentials harvested years ago to still be exploitable.
- Endpoint Security: Infostealer infection relies on lax security regarding file downloads and endpoint hygiene.
## Recommendations
- Implement mandatory MFA immediately for all external and internal cloud access, especially EFSS platforms, without exception.
- Institute strict credential rotation policies for all enterprise accounts.
- Enhance endpoint protection and user awareness training specific to identifying and avoiding potentially malicious downloads (infostealer traps).
- Regularly inventory and audit the security configurations of EFSS platforms (ShareFile, Nextcloud, etc.) to ensure proper access controls are in place.