Executive Summary
In early 2024, a novel threat actor known as "Zestix" orchestrated a widespread credential theft campaign targeting enterprise file-sharing environments across multiple sectors. Using advanced infostealer malware, Zestix harvested cloud credentials at scale, exploiting organizations that had not enforced multi-factor authentication (MFA). The attackers subsequently gained unauthorized access to sensitive files and regulated business data from approximately 50 companies, causing both data exfiltration and operational disruptions. The breach underlines significant weaknesses in authentication and access controls within cloud ecosystems, with impacts ranging from compromised intellectual property to potential compliance violations.
The incident underscores the urgent need for robust access controls and MFA as essential defenses in today’s cloud-first environments. With identity-driven breaches rising and attackers automating large-scale infostealer campaigns, organizations face increasing regulatory and reputational pressure to modernize and enforce cloud security policies.
Why This Matters Now
This breach demonstrates how the absence of multi-factor authentication continues to be a major vulnerability exploited by sophisticated threat actors in the cloud era. As infostealers become increasingly commoditized and cloud adoption accelerates, enterprises must urgently address identity and credential security gaps to mitigate large-scale data theft and regulatory exposure.
Attack Path Analysis
Zestix gained initial access to enterprise cloud environments by harvesting credentials using infostealers, leveraging the widespread lack of MFA. With valid credentials, they escalated privileges using compromised accounts to access sensitive resources. The attacker then moved laterally within cloud networks and file-sharing instances by abusing internal permissions and lack of segmentation. Command and control was maintained through covert outbound connections, utilizing allowed egress pathways. Exfiltration of data occurred via file-sharing SaaS exports and outbound traffic. The overall impact included large-scale credential theft, unauthorized data access, and potential business disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers used infostealer malware to capture cloud account credentials, exploiting the absence of MFA controls on both user and service accounts.
Related CVEs
CVE-2023-28771 (CVSS 9.8): A command injection vulnerability in Zyxel ZyWALL allows unauthenticated remote attackers to execute arbitrary code.
Affected Products: Zyxel ZyWALL – < 4.60
Exploit Status: exploited in the wild
CVE-2021-43936 (CVSS 9.8): A command injection vulnerability over HTTP allows remote attackers to execute arbitrary code on the target machine.
Affected Products: Various Web Servers – Multiple
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Credentials from Password Stores
Phishing: Spearphishing Attachment
Valid Accounts: Cloud Accounts
Brute Force: Password Guessing
Gather Victim Identity Information
Application Layer Protocol: Web Protocols
Automated Exfiltration
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication for All Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM 2.0) – Strong Authentication
Control ID: Identity Pillar: Authentication
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to credential theft infostealers targeting cloud file-sharing platforms, requiring enhanced MFA and zero trust segmentation for regulatory compliance.
Health Care / Life Sciences
Vulnerable to Zestix infostealer attacks on file-sharing systems containing PHI, necessitating encrypted traffic controls and threat detection capabilities.
Information Technology/IT
High-risk target for credential harvesting attacks on cloud infrastructure, demanding multicloud visibility and egress security policy enforcement measures.
Professional Training
File-sharing breach risks expose training materials and credentials, requiring Kubernetes security and anomaly detection for educational content protection.
Sources
- Lack of MFA Is Common Thread in Vast Cloud Credential Heist: https://www.darkreading.com/cloud-security/lack-mfa-common-thread-vast-cloud-credential-heist
- Dozens of organizations fall victim to infostealers after failing to enforce MFA: https://www.techradar.com/pro/security/dozens-of-organizations-fall-victim-to-infostealers-after-failing-to-enforce-mfa
- One criminal, 50 hacked organizations, and all because MFA wasn't turned on: https://www.theregister.com/2026/01/06/50_global_orgs_hacked/
- Zestix/Sentap Cybercrime Campaign Targets ShareFile, Nextcloud, and OwnCloud via Stolen Credentials: Widespread Data Breaches in 2024-2026: https://www.rescana.com/post/zestix-sentap-cybercrime-campaign-targets-sharefile-nextcloud-and-owncloud-via-stolen-credentials
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, network microsegmentation, comprehensive east-west traffic visibility, and strong egress policy enforcement would have significantly limited attackers’ ability to escalate, move laterally, exfiltrate data, or maintain persistence, even after initial credential compromise.
Control: Multicloud Visibility & Control
Mitigation: Early detection of anomalous credential use and suspicious login behaviors.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized privilege escalation beyond scoped identities.
Control: East-West Traffic Security
Mitigation: Prevents unmonitored movement between critical workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks and detects unauthorized outbound communication.
Control: Cloud Firewall (ACF)
Mitigation: Prevents data exfiltration via unapproved outbound and SaaS traffic.
Rapid detection and incident response minimize business disruption.
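The "early detection of anomalous credential use" control above can be illustrated with a small detection routine, added here as an example for this page rather than code from the CNSF product or any real file-sharing platform. It assumes a constructed JSON-lines audit log with fields ts, user, event, mfa, src_ip and bytes, plus a per-user baseline of known source IPs, and flags the pattern described in the attack path: a login without MFA, optionally from a new source, followed by bulk downloads.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log (generic JSON-lines layout, not a real product's format).
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00", "user": "alice", "event": "login", "mfa": true, "src_ip": "203.0.113.10"}
{"ts": "2024-03-01T08:05:00", "user": "alice", "event": "download", "src_ip": "203.0.113.10", "bytes": 2000000}
{"ts": "2024-03-02T02:10:00", "user": "bob", "event": "login", "mfa": false, "src_ip": "198.51.100.7"}
{"ts": "2024-03-02T02:11:00", "user": "bob", "event": "download", "src_ip": "198.51.100.7", "bytes": 400000000}
{"ts": "2024-03-02T02:12:00", "user": "bob", "event": "download", "src_ip": "198.51.100.7", "bytes": 350000000}
{"ts": "2024-03-02T09:00:00", "user": "bob", "event": "login", "mfa": false, "src_ip": "203.0.113.22"}
"""

# Constructed baseline of source IPs previously seen for each account.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}


def detect(log_text, known_ips, window=timedelta(hours=1), bulk_bytes=500_000_000):
    """Return one alert per suspicious login, listing the reasons it was flagged."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "login":
            continue
        reasons = []
        if not e.get("mfa", False):          # root weakness in the campaign: no MFA on the account
            reasons.append("no_mfa")
        if e["src_ip"] not in known_ips.get(e["user"], set()):
            reasons.append("new_source_ip")  # stolen credentials replayed from an unfamiliar host
        if not reasons:
            continue
        # Sum downloads by the same user from the same source inside the window after this login.
        total = sum(x.get("bytes", 0) for x in events[i + 1:]
                    if x["event"] == "download" and x["user"] == e["user"]
                    and x["src_ip"] == e["src_ip"] and x["ts"] - e["ts"] <= window)
        if total >= bulk_bytes:
            reasons.append("bulk_export")    # automated exfiltration via file-sharing exports
        alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                       "src_ip": e["src_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

The window and byte threshold are tuning knobs; in practice the baseline of known IPs would come from historical successful logins rather than a static dictionary.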
Impact at a Glance
Affected Business Functions
- Data Management
- File Sharing
- Cloud Services
Estimated downtime: 7 days
Estimated loss: $500,000
Sensitive corporate data, including engineering blueprints, defense project files, healthcare records, legal documents, and financial archives, were exfiltrated due to unauthorized access to cloud file-sharing platforms.
Recommended Actions
Key Takeaways & Next Steps
- Mandate strong MFA and identity-based access controls for all cloud accounts and services.
- Implement Zero Trust segmentation and least privilege policies on all cloud and SaaS workloads.
- Enforce strict east-west traffic controls and microsegmentation to limit lateral movement.
- Apply granular outbound egress filtering and continuous traffic inspection to prevent unauthorized data exfiltration.
- Deploy comprehensive cloud-native visibility and threat detection platforms for rapid detection and response to credential misuse and anomalous activity.