A global cybercrime campaign led by the threat actor “Zestix” (also known as “Sentap”) has compromised over 50 multinational companies by exploiting stolen cloud credentials harvested through infostealer malware. The attackers did not use sophisticated exploits; instead, they logged directly into corporate ShareFile, OwnCloud, and Nextcloud systems using valid credentials stolen from infected employee endpoints. This campaign highlights a systemic weakness across industries – the failure to enforce Multi-Factor Authentication (MFA) and to detect credential exposure from Infostealer infections.
Severity: High
Threat Actor: “Zestix” / “Sentap”
- Aliases: Zestix (primary), Sentap (secondary)
- Type: Initial Access Broker (IAB)
- Motivation: Financial gain through selling stolen access on dark web forums (notably Exploit[.]in).
- Origin Attribution: Linked by DarkSignal to an Iranian national operating in Russian-language forums with ties to the Funksec cybercrime group.
- Activity Period: Late 2024 – 2026.
Attack Details
- Infection Phase: Employees unknowingly installed malware (via phishing or cracked software).
- Data Theft: Infostealers harvested saved browser passwords and session cookies.
- Credential Reuse: Stolen credentials were sold or traded in underground markets.
- Access Phase: Zestix used valid usernames/passwords to log into enterprise cloud systems lacking MFA.
- Data Auction: Data and access rights were sold on criminal forums for Bitcoin.
- Persistence: Many compromised credentials were years old but remained valid – showing poor rotation and session management.
Scope Of Compromise
Over 50 organizations across aviation, defense, healthcare, energy, construction, real estate, and legal sectors were breached.
The total exposed data volume exceeds 5 terabytes.
| Sector | Example Victims | Data Exposed |
|---|---|---|
| Defense & Aerospace | Intecro Robotics (Turkey), PSN (Indonesia) | UAV designs, satellite schematics |
| Aviation | Iberia Airlines, Esenboğa Airport | Maintenance and safety data |
| Healthcare | Maida Health, VeraHealth, NMCV Business | PHI, insurance records |
| Infrastructure & Energy | Pickett & Associates, K3G, IFLUSAC | Utility maps, network configs |
| Legal & Corporate | Burris & Macomber, Aion Law Partners | Case files, client data |
Victim Examples (Selected)
- Pickett & Associates (US): 139 GB of LiDAR and substation mapping data.
- Intecro Robotics (Turkey): ITAR-controlled UAV engineering files (TF-X fighter jet).
- Maida Health (Brazil): 2.3 TB of Brazilian Military Police medical records.
- Iberia Airlines (Spain): Aircraft maintenance and airworthiness documentation.
- CRRC MA (US): Train control system blueprints and SCADA data.
Each breach originated from compromised employee credentials stored in infostealer logs, not system exploits.
Root Cause
The primary failure was credential hygiene – reuse, lack of rotation, and no MFA enforcement.
Even modern EDR and SIEM tools failed to detect the threat since infections occurred on personal or contractor devices used to access corporate systems (“third-space devices”).
Global Exposure
Hudson Rock’s analysis shows thousands of companies, including Deloitte, Samsung, Honeywell, Walmart, and the CDC, have exposed credentials circulating in infostealer logs, indicating potential future compromises.
Recommendations
- Enforce Multi-Factor Authentication (MFA) on all cloud and SaaS applications (ShareFile, OwnCloud, Nextcloud, O365, etc.).
- Implement Conditional Access Policies to restrict logins by device compliance, IP reputation, or geolocation.
- Mandate Password Hygiene: rotate all credentials every 90 days, disable cached or inactive accounts, prevent password reuse through technical policy enforcement, disable browser password saving, and enforce enterprise password managers.
- Block personal/unmanaged endpoints from accessing corporate SaaS applications via Conditional Access or device certificates.
- Educate employees on phishing, fake software downloads, and Infostealer lures. Demonstrate real-world examples of credential theft impacts.
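The access pattern described above (a valid password, no MFA, an unfamiliar source, a credential that was never rotated) can be triaged from authentication logs. The following Python script is an added example, not code from the advisory or from any of the products named; the JSON event format, the `KNOWN_SOURCES` baseline and the `NOW` timestamp are constructed for illustration.

```python
import json
from datetime import datetime, timezone

MAX_PASSWORD_AGE_DAYS = 90  # the advisory's rotation interval
NOW = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed analysis time

# Constructed sample events: one benign login, one that fits the campaign pattern.
SAMPLE_LOG = """
{"ts": "2025-03-01T08:02:11Z", "user": "alice", "ip": "203.0.113.10", "mfa": true, "pw_set": "2025-01-15T00:00:00Z", "result": "success"}
{"ts": "2025-03-01T08:05:40Z", "user": "bob", "ip": "198.51.100.7", "mfa": false, "pw_set": "2022-06-01T00:00:00Z", "result": "success"}
{"ts": "2025-03-01T08:06:02Z", "user": "bob", "ip": "198.51.100.7", "mfa": false, "pw_set": "2022-06-01T00:00:00Z", "result": "failure"}
"""

# Constructed baseline: source addresses each account has previously used from managed devices.
KNOWN_SOURCES = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}}


def password_age_days(pw_set: str, now: datetime) -> int:
    """Days since the password was last set (pw_set is an ISO-8601 UTC string)."""
    set_at = datetime.fromisoformat(pw_set.replace("Z", "+00:00"))
    return (now - set_at).days


def triage_event(event: dict, now: datetime) -> list:
    """Return the risk indicators present in one successful login; failures yield none."""
    if event.get("result") != "success":
        return []
    reasons = []
    if not event.get("mfa", False):
        reasons.append("no_mfa")
    if event["ip"] not in KNOWN_SOURCES.get(event["user"], set()):
        reasons.append("unknown_source")
    if password_age_days(event["pw_set"], now) > MAX_PASSWORD_AGE_DAYS:
        reasons.append("stale_password")
    return reasons


def find_suspicious_logins(log_text: str, now: datetime) -> dict:
    """Map 'user@ip' to its indicators for every success carrying at least two of them."""
    flagged = {}
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = triage_event(event, now)
        if len(reasons) >= 2:  # a single indicator is noisy; require corroboration
            flagged[f"{event['user']}@{event['ip']}"] = reasons
    return flagged


if __name__ == "__main__":
    for key, why in find_suspicious_logins(SAMPLE_LOG, NOW).items():
        print(f"review {key}: {', '.join(why)}")
```

Accounts that are flagged this way are candidates for forced password reset, session revocation and an MFA enrolment check rather than automatic blocking, since a legitimate user on a new network also trips the source check.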
Source:
- https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/