If you don’t say “yes way” to MFA, the consequences can be disastrous. Sensitive data belonging to about 50 global enterprises is listed for sale – and, in some cases, has already been sold – on the dark web following a major infostealer campaign, with apparent victims including American utility engineering firm Pickett and Associates; Japan’s homebuilding giant Sekisui House; and Spain’s largest airline Iberia.
The thief, who goes by the moniker Zestix or Sentap, steals data from corporate file-sharing portals by using compromised cloud credentials obtained from information-stealing malware. And none of the purported victims enforced multi-factor authentication (MFA), according to Hudson Rock, an Israeli cybersecurity company that specializes in infostealers.
Stolen credentials combined with a lack of MFA are always a recipe for disaster, as we have seen in earlier big breaches such as Change Healthcare, British Library, and Snowflake customers’ database hacks.
“Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door,” the cybersecurity shop said in a Monday report. “No exploits, no cookies – just a password.”
We’re told Zestix gains access after employees inadvertently download infostealer-laden files to their devices. The stealer malware, such as RedLine, Lumma, or Vidar, then snarfs up saved credentials and browser history.
The cybercriminal, who has been operating as an initial access broker and extortionist since at least 2021, specifically targets enterprise file synchronization and sharing (EFSS) platforms like Progress Software’s ShareFile, Nextcloud, and OwnCloud.
[…]
Credential hygiene
The report illustrates the growing problem with infostealers, a favorite method of ransomware gangs and other financially motivated criminals.
It also highlights the growing trend of criminals simply logging in – not breaking in – to cloud accounts, which security experts have been warning about for the past couple of years.
Plus, as Hudson Rock reports, “while some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them.” This, the team adds, shows a “pervasive failure” in corporate credential hygiene with organizations neglecting to rotate passwords and invalidate sessions.
“It is time for organizations to enforce MFA and monitor their employees’ compromised credentials,” the security firm notes. We couldn’t agree more. ®
Source: One criminal stole info from 50 orgs thanks to no MFA • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft