The Register

One criminal, 50 hacked organizations, and all because MFA wasn’t turned on

If you don’t say “yes way” to MFA, the consequences can be disastrous. Sensitive data belonging to about 50 global enterprises is listed for sale – and, in some cases, has already been sold – on the dark web following a major infostealer campaign, with apparent victims including American utility engineering firm Pickett and Associates; Japan’s homebuilding giant Sekisui House; and Spain’s largest airline Iberia.

The thief, who goes by the moniker Zestix or Sentap, steals data from corporate file-sharing portals by using compromised cloud credentials obtained from information-stealing malware. And none of the purported victims enforced multi-factor authentication (MFA), according to Hudson Rock, an Israeli cybersecurity company that specializes in infostealers.

Stolen credentials combined with a lack of MFA are always a recipe for disaster, as we have seen in earlier big breaches such as Change Healthcare, British Library, and Snowflake customers’ database hacks.

“Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door,” the cybersecurity shop said in a Monday report. “No exploits, no cookies – just a password.”

We’re told Zestix gains access after employees inadvertently download infostealer-laden files to their devices. The stealer malware, such as RedLine, Lumma, or Vidar, then snarfs up saved credentials and browser history. 

The cybercriminal, who has been operating as an initial access broker and extortionist since at least 2021, specifically targets enterprise file synchronization and sharing (EFSS) platforms like Progress Software’s ShareFile, Nextcloud, and OwnCloud.

The Register reached out to all of the apparent victim companies listed in this story, plus the file-sharing software providers. As of press time, only one of them, Progress, had responded to our inquiries. 

“Hudson Rock’s investigation found that these recent compromises of corporate file-sharing portals – including ShareFile instances – were not the result of platform vulnerabilities, but consistent with the use of credentials previously stolen from infostealer-infected devices,” a Progress spokesperson told us, adding that the compromises “appear to have involved the use of valid credentials in environments where multi-factor authentication was not enforced, which may have enabled unauthorized access.”

The spokesperson added, “Progress continues to emphasize the importance of implementing multi-factor authentication as a widely recognized control to help mitigate the risk of credential-based attacks.”

We will update this story if and when we receive any additional responses.

Meet the alleged victims

Most of the organizations listed in the Monday report have very sensitive data and span critical sectors such as utilities, aviation, robotics, housing, and government infrastructure, making this massive data dump particularly concerning.

The Register last week reported that Pickett and Associates, a Florida-based engineering firm whose clients include major US utilities, was among the apparent victims after the data thief posted for sale 139 GB of engineering data about Tampa Electric Company, Duke Energy Florida, and American Electric Power. Zestix was selling this trove for 6.5 bitcoin, which amounts to about $585,000.

At the time, Pickett declined to comment, while a Duke Energy spokesperson told The Register that the company is investigating the criminal’s claims.

Hudson Rock reports that Zestix obtained the engineering data by abusing stolen ShareFile credentials.

Turkey’s Intecro Robotics, which manufactures aerospace testing equipment and defense robotics, was also reportedly victimized via ShareFile sans MFA. This 11.5 GB dataset reportedly contains critical military intellectual property.

Brazil’s Maida Health is yet another of the 50-ish alleged victims, and the 2.3 TB dataset accessed via a Nextcloud instance reportedly contains the health records and sensitive personal information belonging to the Brazilian Military Police and their family members.

Burris & Macomber, a law firm that represents Mercedes-Benz USA in its lemon law cases and warranty litigation, was also an apparent victim, with the criminal claiming to have stolen active lemon law cases, defense strategies, and settlement policies from 48 states, along with thousands of customers’ records containing VINs, license plates, home addresses, and phone numbers.

The Iberia Airlines breach reportedly contains 77 GB of technical safety data and confidential fleet information.

Pwned engineering servers belonging to CRRC MA – the Massachusetts subsidiary of the world’s largest rolling stock manufacturer – reportedly contained complete signaling drawings, SCADA RTU lists, and “deliberately withheld” test reports regarding doors, HVAC, and propulsion systems, along with sensitive security info such as GPS coordinates of control rooms and battery rooms.

And the list of reported victims goes on … and on, and on.

Credential hygiene

The report illustrates the growing problem with infostealers, a favorite method of ransomware gangs and other financially motivated criminals. 

It also highlights the growing trend of criminals simply logging in – not breaking in – to cloud accounts, which security experts have been warning about for the past couple of years.

Plus, as Hudson Rock reports, “while some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them.” This, the team adds, shows a “pervasive failure” in corporate credential hygiene with organizations neglecting to rotate passwords and invalidate sessions.
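The failure mode Hudson Rock describes, credentials that sat in stealer logs for years without the password being rotated or sessions invalidated, is something a defender can check for mechanically once they have an exposure feed and an account inventory. The script below is an added illustration, not code from Hudson Rock, The Register, or any vendor named in this story; the log line format, the account records, the 180-day rotation policy and the dates are all constructed for the example.

```python
"""Constructed example: triage accounts against infostealer-log exposures.

For each account it flags: no MFA enforced; a password that has not been
changed since the credential was seen in a stealer log; sessions that were
never invalidated after that sighting; and a password older than policy.
All data and the log line format here are constructed, not real.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user: str
    mfa_enforced: bool
    password_rotated: date   # last password change
    sessions_revoked: date   # last time all sessions were invalidated


@dataclass(frozen=True)
class Exposure:
    user: str
    observed: date           # date the credential appeared in a stealer log
    stealer: str             # malware family named in the log


def parse_exposures(lines):
    """Parse constructed 'YYYY-MM-DD|family|portal_url|user' lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        observed, stealer, _portal, user = line.split("|")
        out.append(Exposure(user, date.fromisoformat(observed), stealer))
    return out


def triage(accounts, exposures, max_age_days=180, today=None):
    """Return {user: [findings]} for accounts that need action."""
    today = today or date.today()
    by_user = {}
    for e in exposures:
        by_user.setdefault(e.user, []).append(e)
    findings = {}
    for a in accounts:
        issues = []
        if not a.mfa_enforced:
            issues.append("mfa_not_enforced")
        for e in by_user.get(a.user, []):
            # A leaked password is live until it is changed after the sighting.
            if a.password_rotated <= e.observed:
                issues.append(f"password_not_rotated_since_leak:{e.stealer}:{e.observed}")
            # Even after a reset, old sessions stay valid unless revoked.
            if a.sessions_revoked <= e.observed:
                issues.append(f"sessions_not_invalidated_since_leak:{e.stealer}")
        if (today - a.password_rotated).days > max_age_days:
            issues.append("password_older_than_policy")
        if issues:
            findings[a.user] = issues
    return findings


# --- Constructed sample data ---------------------------------------------
TODAY = date(2025, 12, 1)  # fixed so the output is reproducible

STEALER_LOG_LINES = [
    "# observed|family|portal|user  (constructed format)",
    "2021-03-14|RedLine|https://files.example.com/login|alice",
    "2025-11-20|Lumma|https://files.example.com/login|bob",
    "2025-11-20|Vidar|https://cloud.example.com/login|carol",
]

ACCOUNTS = [
    Account("alice", False, date(2020, 6, 1), date(2020, 6, 1)),   # stale leak, no MFA
    Account("bob", True, date(2025, 10, 15), date(2025, 10, 15)),  # leaked after last reset
    Account("carol", True, date(2025, 11, 25), date(2025, 11, 25)),  # reset after leak
    Account("dave", True, date(2025, 1, 10), date(2025, 1, 10)),   # no leak, old password
]

EXPOSURES = parse_exposures(STEALER_LOG_LINES)

if __name__ == "__main__":
    for user, issues in sorted(triage(ACCOUNTS, EXPOSURES, today=TODAY).items()):
        print(user, "->", ", ".join(issues))
```

Alice is the case the report describes: a credential harvested years ago that still works because nothing was ever rotated. Carol shows why the check compares dates rather than just membership in the leak set: a reset and session revocation made after the sighting clears the finding.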

“It is time for organizations to enforce MFA and monitor their employees’ compromised credentials,” the security firm notes. We couldn’t agree more. ®