The hacker group Zestix infiltrated ShareFile, Nextcloud and ownCloud instances, leading to wide-scale theft of corporate data.
Cloud exposure generally refers to the risk created by misconfigurations in a cloud environment. Such exposures often lead to unauthorized access to data stored in the cloud, data breaches and similar incidents.
Managing cloud applications tends to get complicated, and exposures mostly arise from complicated platforms. In cloud environments, the dynamic and distributed nature of the services means managing infrastructure, applications and data at the same time. According to threat intelligence data, cloud exposure is becoming broader, so it is important for organizations to follow good security practices.
According to cybercrime intelligence company Hudson Rock, the hackers obtained initial access through credentials collected by info-stealing malware such as RedLine, Lumma, and Vidar deployed on employee devices.
These three info stealers are usually distributed through malvertising campaigns or ClickFix attacks. This type of malware commonly targets data stored by web browsers (credentials, credit cards, personal information), messaging apps, and cryptocurrency wallets.
This type of attack succeeds when a threat actor holding valid credentials gains unauthorized access to a service, such as a file-sharing platform, that is not protected by multi-factor authentication (MFA).
What are infostealers?
An info stealer is malware that resides on an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used for online banking services, social media sites, email, or FTP accounts.
Info stealers may use many methods of data acquisition. The most common are:
Key findings from the Breach
In a report today, Hudson Rock notes that some of the analyzed stolen credentials have been present in criminal databases for years, indicating failure to rotate them or to invalidate active sessions even after extended periods.
Zestix operates as an initial access broker (IAB) on underground forums, selling access to high-value corporate cloud platforms.
The report further suggests that attackers breached ShareFile, Nextcloud and ownCloud environments used by organizations across multiple sectors, including aviation, defense, healthcare, utilities, mass transit, telecommunications, legal, real estate and government.
After parsing infostealer logs “specifically looking for corporate cloud URLs (ShareFile, Nextcloud),” the threat actor logs into the file-sharing services using a valid username and password where MFA is not active.
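The defender-side counterpart of the login pattern just described is to watch the file-sharing service's own authentication log for successful password-only logins from addresses a user has never used, and to measure what left the account afterwards. The following is an added example, not code from the article, from Hudson Rock, or from any of the named products: the JSON log format, field names, trusted address ranges and sample events are all constructed for illustration.

```python
"""Spot password-only logins to a file-sharing service from addresses a user has
never used before, then sum what was downloaded from that address afterwards.

Added example, not code from the article, Hudson Rock, or any named product:
the JSON log format, field names, trusted ranges and sample events are
constructed for illustration.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2025-03-01T08:02:11Z", "user": "alice", "event": "login", "result": "success", "ip": "10.20.4.15", "mfa": true}
{"ts": "2025-03-02T08:10:43Z", "user": "alice", "event": "login", "result": "success", "ip": "10.20.4.15", "mfa": true}
{"ts": "2025-03-03T09:15:02Z", "user": "bob", "event": "login", "result": "success", "ip": "10.20.7.30", "mfa": false}
{"ts": "2025-03-04T09:20:55Z", "user": "bob", "event": "login", "result": "success", "ip": "10.20.7.30", "mfa": false}
{"ts": "2025-03-05T23:41:09Z", "user": "bob", "event": "login", "result": "success", "ip": "203.0.113.77", "mfa": false}
{"ts": "2025-03-05T23:42:30Z", "user": "bob", "event": "download", "result": "success", "ip": "203.0.113.77", "bytes": 734003200}
{"ts": "2025-03-05T23:50:12Z", "user": "bob", "event": "download", "result": "success", "ip": "203.0.113.77", "bytes": 1288490188}
{"ts": "2025-03-06T02:05:00Z", "user": "alice", "event": "login", "result": "success", "ip": "198.51.100.9", "mfa": true}
{"ts": "2025-03-06T02:06:00Z", "user": "carol", "event": "login", "result": "failure", "ip": "203.0.113.77", "mfa": false}
"""

# Address ranges treated as the organization's own (constructed).
TRUSTED_NETS = [ip_network("10.20.0.0/16")]


def parse_log(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip):
    """True when the address falls inside one of the organization's ranges."""
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def find_suspicious_logins(events):
    """Return (user, ts, ip) for each successful login that used no MFA and came
    from an address outside trusted ranges that the user had not used earlier
    in the log. The baseline is built in time order, so the first sighting of
    an address is what counts as new."""
    seen = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "login" or ev.get("result") != "success":
            continue
        user, ip = ev["user"], ev["ip"]
        is_new = ip not in seen[user]
        seen[user].add(ip)
        if is_new and not ev.get("mfa", False) and not is_trusted(ip):
            findings.append((user, ev["ts"], ip))
    return findings


def bytes_downloaded_after(events, user, ts, ip):
    """Sum bytes downloaded by `user` from `ip` at or after `ts`."""
    return sum(
        ev.get("bytes", 0)
        for ev in events
        if ev.get("event") == "download"
        and ev.get("user") == user
        and ev.get("ip") == ip
        and ev["ts"] >= ts
    )


def triage(text):
    """Parse the log and attach the downloaded volume to each suspicious login."""
    events = parse_log(text)
    return [
        {"user": u, "ts": t, "ip": ip,
         "bytes_downloaded": bytes_downloaded_after(events, u, t, ip)}
        for u, t, ip in find_suspicious_logins(events)
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Only bob's late-night login trips the rule: it is his first sighting from a non-trusted address and carries no MFA, and roughly 2 GB leaves the account minutes later. Alice's new address does not fire because her login completed MFA, which is the point of the article's observation that MFA was missing on the breached instances. In production the baseline would be persisted across log batches rather than rebuilt from each file.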
Hudson Rock says it pinpointed the likely breach points by correlating infostealer data from its platform with publicly available images, metadata, and open-source information.
In at least 15 of the analyzed cases, the report uncovered that employee credentials for the cloud file-sharing services had been collected by infostealers.
It is important to note that this verification is unilateral, and there’s no public confirmation of a security breach from the listed companies.
Zestix offered to sell stolen data volumes that range from tens of gigabytes to several terabytes, claiming to include aircraft maintenance manuals and fleet data, defense and engineering files, customer databases, health records, mass-transit schematics, utility LiDAR maps, ISP network configs, satellite project data, ERP source code, government contracts, and legal documents.
The researchers report that, in addition to the listed victims, their threat intelligence data indicates that cloud exposure is a broader, systemic problem stemming from organizations’ failure to follow good security practices.
They report having identified thousands of infected computers, including some at Deloitte, KPMG, Samsung, Honeywell, and Walmart.
Hudson Rock told BleepingComputer that it has notified ShareFile and will also alert Nextcloud and ownCloud about the verified exposures so they can take appropriate action.
Impact on Organizations from cloud exposure
When sensitive information such as customer data, intellectual property or credentials is accessed or stolen, the organization faces a data breach. Vulnerabilities or downtime in cloud services can also disrupt business operations.
Organizations that have suffered cloud exposure often face a loss of customer trust, since the incident damages the brand's reputation. Cloud exposure also frequently pushes organizations into non-compliance with regulations such as GDPR and HIPAA, resulting in fines and legal repercussions.
Good security practices and threat mitigation
Good security practice develops into good habits, which in turn make everyone careful when visiting websites and opening unknown attachments.
There is always a loophole, and exploit kits can still install malicious software even without any user interaction on the device.
Lastly, having high-quality anti-malware software is a must, as is using CSPM (Cloud Security Posture Management) tools to identify and remediate misconfigurations and compliance gaps across cloud environments.
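A CSPM-style check of the kind this paragraph recommends, written to catch the specific gaps the report describes (MFA not enforced, and credentials and sessions left valid for years), is shown below as an added example. It is not code from the article or from any CSPM product: the inventory fields, setting names, thresholds and instance names are constructed for illustration.

```python
"""Rule-based posture check over an inventory of file-sharing instances.

Added example, not code from the article or from any CSPM product: the
inventory fields, setting names, threshold values and instance names are
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory, as an organization might export it from its instances.
INVENTORY = [
    {"name": "files.example.com", "mfa_enforced": True, "public_links": "password_required",
     "max_session_days": 14, "admin_password_rotated": "2025-01-15",
     "oldest_active_session": "2025-02-20"},
    {"name": "share.example.com", "mfa_enforced": False, "public_links": "open",
     "max_session_days": 0, "admin_password_rotated": "2021-06-01",
     "oldest_active_session": "2023-11-03"},
]

NOW = datetime(2025, 3, 6, tzinfo=timezone.utc)  # pinned so results are reproducible
MAX_PASSWORD_AGE = timedelta(days=365)
MAX_SESSION_AGE = timedelta(days=30)


def _age(date_str):
    """Age of an ISO date (YYYY-MM-DD) relative to NOW."""
    return NOW - datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)


# (rule id, severity, predicate that is True when the instance FAILS, remediation)
RULES = [
    ("MFA-001", "critical", lambda i: not i["mfa_enforced"],
     "Enforce MFA for every account; a stolen password alone must not grant access"),
    ("LINK-001", "high", lambda i: i["public_links"] == "open",
     "Require a password and an expiry date on public share links"),
    ("SESS-001", "high",
     lambda i: i["max_session_days"] == 0 or i["max_session_days"] > MAX_SESSION_AGE.days,
     "Cap session lifetime so a stolen session token expires"),
    ("SESS-002", "high", lambda i: _age(i["oldest_active_session"]) > MAX_SESSION_AGE,
     "Revoke sessions that have outlived the cap"),
    ("CRED-001", "medium", lambda i: _age(i["admin_password_rotated"]) > MAX_PASSWORD_AGE,
     "Rotate credentials older than the maximum password age"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def evaluate(inventory):
    """Run every rule against every instance; return findings sorted by severity."""
    findings = [
        {"instance": inst["name"], "rule": rule_id, "severity": sev, "fix": fix}
        for inst in inventory
        for rule_id, sev, pred, fix in RULES
        if pred(inst)
    ]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["instance"], f["rule"]))


def worst_severity(findings):
    """Highest severity present, or None when the inventory is clean."""
    return findings[0]["severity"] if findings else None


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f['severity']:8} {f['instance']:20} {f['rule']}: {f['fix']}")
```

The first instance passes every rule; the second fails all five, and the MFA finding sorts to the top because, as the report shows, a valid password is all an infostealer victim's account needs when MFA is off. The rule table is the part worth extending: each new setting exported from the platform becomes one more predicate and remediation string, with no change to the evaluation loop.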
Sources: Cloud file-sharing sites targeted for corporate data theft attacks