What happened
Threat actors are targeting cloud file-sharing platforms ShareFile, Nextcloud, and OwnCloud to steal sensitive corporate data. According to analysis from Hudson Rock, attackers obtain valid credentials using infostealer malware such as RedLine, Lumma, and Vidar, then use those credentials to access corporate cloud storage where MFA is not enforced. Stolen data includes government contracts, ERP source code, engineering documents, healthcare records, and defense-related files. The attackers act as initial access brokers, reselling compromised access to other threat actors.
Who is affected
Organizations using ShareFile, Nextcloud, or OwnCloud without enforced MFA and strong credential hygiene are at elevated risk.
Why CISOs should care
Because the attacker signs in with valid credentials, credential-based cloud compromise looks like ordinary user activity and can result in silent, large-scale data exfiltration without triggering perimeter defenses.
3 practical actions
1. Enforce MFA everywhere: Require multi-factor authentication for all cloud file-sharing platforms.
2. Monitor credential exposure: Track leaked credentials and force password rotation when exposure is detected.
3. Reduce infostealer risk: Strengthen phishing defenses and endpoint protection against credential-stealing malware.
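As an added defender-side example (not code from the Hudson Rock analysis or from ShareFile, Nextcloud or OwnCloud), the Python check below ties actions 1 and 2 together: it walks constructed audit events and flags sessions where a login without a second factor comes from an IP outside the user's baseline or is followed by bulk downloads. The event format, the `KNOWN_IPS` baseline and the 100 MB threshold are assumptions, not any product's real log schema.

```python
import json

# Constructed, simplified audit events in a hypothetical format (not real
# Nextcloud, OwnCloud or ShareFile log lines): one JSON object per line, either
# a login (recording whether a second factor was used) or a file download.
SAMPLE_LOG = """
{"time": "2024-05-01T08:00:01Z", "user": "alice", "ip": "10.0.0.5", "event": "login", "mfa": true}
{"time": "2024-05-01T08:05:10Z", "user": "alice", "ip": "10.0.0.5", "event": "download", "bytes": 120000}
{"time": "2024-05-01T09:00:00Z", "user": "carol", "ip": "10.0.0.8", "event": "login", "mfa": false}
{"time": "2024-05-01T09:02:00Z", "user": "carol", "ip": "10.0.0.8", "event": "download", "bytes": 50000}
{"time": "2024-05-01T22:10:00Z", "user": "bob", "ip": "203.0.113.77", "event": "login", "mfa": false}
{"time": "2024-05-01T22:11:00Z", "user": "bob", "ip": "203.0.113.77", "event": "download", "bytes": 250000000}
{"time": "2024-05-01T22:12:00Z", "user": "bob", "ip": "203.0.113.77", "event": "download", "bytes": 300000000}
"""

# Constructed per-user baseline of source IPs seen recently (hypothetical).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}, "carol": {"10.0.0.8"}}

def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspicious_sessions(events, known_ips, byte_threshold=100_000_000):
    """Group events into (user, ip) sessions and flag those where a login
    without a second factor is combined with an unknown source IP or bulk
    download volume. A missing second factor alone is not flagged: on a tenant
    where MFA is not yet enforced it is a policy gap, not an incident."""
    sessions = {}
    for ev in events:
        key = (ev.get("user"), ev.get("ip"))
        if ev.get("event") == "login":
            sessions[key] = {"mfa": bool(ev.get("mfa")), "bytes": 0}
        elif ev.get("event") == "download" and key in sessions:
            # Downloads with no preceding login in the window are ignored.
            sessions[key]["bytes"] += int(ev.get("bytes", 0))
    findings = []
    for (user, ip), s in sessions.items():
        reasons = []
        if not s["mfa"]:
            reasons.append("no_mfa")
        if ip not in known_ips.get(user, set()):
            reasons.append("new_ip")
        if s["bytes"] > byte_threshold:
            reasons.append("bulk_download")
        if "no_mfa" in reasons and len(reasons) >= 2:
            findings.append({"user": user, "ip": ip,
                             "bytes": s["bytes"], "reasons": reasons})
    return findings
```

On the constructed sample only bob's session is reported (no second factor, unfamiliar IP, 550 MB downloaded); carol's MFA-less login from her usual IP with a small download is left alone, which is the noise an MFA-enforcement rollout would otherwise generate.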
