Cloud File-Sharing Platforms Under Attack: How Always-On VPN Simplifies Security
Executive Summary
A threat actor known as "Zestix" breached approximately 50 major enterprises worldwide by exploiting a basic control gap rather than a software flaw: the absence of multi-factor authentication (MFA) on their cloud file-sharing platforms. The victims span aviation, healthcare, utilities, defense, and government infrastructure, and the reported theft runs to terabytes of sensitive corporate data.
Key Finding: Not a single victim organization had enforced MFA on their cloud file-sharing systems.
The Attack Campaign
What Happened
A threat actor known as "Zestix" breached approximately 50 major enterprises by exploiting stolen credentials to access cloud file-sharing platforms (ShareFile, Nextcloud, OwnCloud). The attacks affected aviation, healthcare, utilities, defense, and government infrastructure organizations.
The common thread: not a single victim had enforced multi-factor authentication (MFA).
How the Attacks Work
The Simple but Devastating Process:
- An employee runs a file that carries infostealer malware (RedLine, Lumma, Vidar)
- The malware harvests every credential saved on the infected device, including browser-stored passwords and session cookies
- The stolen credentials are sold or shared through criminal databases (some sit there for years before they are used)
- Attackers search those databases for logins to corporate cloud platforms
- With a valid username and password they simply sign in; no exploit is needed
"Because the organizations did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password." - Hudson Rock Security Research
What Was Stolen
- 139.1 GB from engineering firms (classified infrastructure maps)
- 111,000+ patient files from healthcare providers (a major privacy breach, reportable under HIPAA where US providers are involved)
- Legal documents including court filings and bank statements
- Corporate secrets including payroll, blueprints, and business plans
Industries affected: Aviation (Iberia Airlines), Robotics, Healthcare, Legal Services, Engineering, Government Infrastructure.
Why These Attacks Succeed
"These companies were not hacked by a quantum computer cracking encryption – they were hacked because an employee infected their device with an Infostealer, and the organization failed to turn on Two-Factor Authentication." - Hudson Rock
The Core Vulnerabilities
- No MFA Enforcement - Single authentication factor (password only)
- Poor Credential Hygiene - Passwords not rotated, compromised credentials active for years
- Public-Facing Infrastructure - Cloud platforms accessible from the internet with no network-level protection
- Multiple Cloud Providers - Organizations using 3-5+ different cloud services, each creating a separate attack surface with inconsistent security policies
- Lack of Monitoring - Organizations unaware their credentials were compromised and sitting in criminal databases
The multi-cloud problem: each additional cloud provider adds another set of credentials to steal and another login page to defend. More credentials to compromise means more opportunities for attackers.
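The "poor credential hygiene" and "lack of monitoring" points above have a concrete, cheap countermeasure: check passwords against a breach corpus at the moment they are set or rotated, so a credential that is already circulating in criminal databases is never accepted. The Python script below is an added example, not code from Dataforge Canada or from the Hudson Rock research. It queries the Have I Been Pwned "Pwned Passwords" range API (the real endpoint is https://api.pwnedpasswords.com/range/) using k-anonymity: only the first five hex characters of the password's SHA-1 hash leave the machine, and the match against the returned suffix list happens locally. The fetch function is injectable, and the range response and hit counts in the fixture are constructed for the example so it runs offline; the function names are this example's own.

```python
"""Check a candidate password against a breach corpus using k-anonymity.

Added example, not code from the brief or the cited research. Only a 5-hex
prefix of the SHA-1 hash is sent to the API; the server returns every known
hash suffix under that prefix and the comparison is done locally, so neither
the password nor its full hash ever leaves the machine.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix: str) -> str:
    """Fetch the suffix list for a 5-character hash prefix (needs network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # Add-Padding asks the server to pad the response with dummy rows so
        # the response size does not leak how many real hashes share the prefix.
        headers={"User-Agent": "credential-hygiene-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a map; padded dummy rows carry count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range: Callable[[str], str] = fetch_range_live,
                        min_length: int = 12) -> bool:
    """Policy hook for password changes: long enough and never seen in a breach."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


# --- Constructed offline fixture (the hit counts are invented for this example) ---
# The first suffix is the real SHA-1 tail of "password"; the other rows are filler.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:1
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the live API so the example runs without network access."""
    if prefix == "5BAA6":
        return CONSTRUCTED_RANGE_5BAA6
    return "0000000000000000000000000000000000A:0\n"  # padding only, no real hits


if __name__ == "__main__":
    for candidate in ("password", "Lq7!v-ripple-orchard-42"):
        n = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times -> {'REJECT' if n else 'ok'}")
```

Wire `password_acceptable` into the password-change path (many identity providers and self-hosted platforms expose a hook or policy plugin for this). One caveat: this catches passwords that appear in known breach dumps; credentials lifted by an infostealer last week may not yet be in any public corpus, so it complements, rather than replaces, a stealer-log monitoring feed and MFA enforcement.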
The Dataforge Canada Difference
Always-On VPN Architecture: Superior Protection
While the breached companies relied on publicly accessible cloud platforms with password-only authentication, Dataforge Canada's secure customers benefit from a fundamentally different architecture that eliminates this entire attack vector.
How Always-On VPN Protects You
1. Invisible Security Barrier
- VPN operates transparently to end users
- No user intervention required
- Always protecting, never intrusive
- Seamless integration with daily workflows
2. Private Infrastructure
- Files stored on on-premises systems or private datacenters
- NOT on public cloud platforms like ShareFile or Nextcloud
- Systems hosting your data are not internet-accessible
- No public-facing attack surface to exploit
3. Network-Level Protection
- VPN creates encrypted tunnel before any access
- Even with valid file-server credentials, an attacker outside the tunnel cannot reach the systems
- Multi-layered security beyond just authentication
- Network segmentation isolates critical resources
4. Stolen Credentials Alone Are Useless
- If employee credentials are harvested by infostealer malware
- The attacker still cannot reach the file systems, which are only routable from inside the tunnel
- A VPN connection is required first, and that connection is gated by the VPN's own MFA
- A username and password alone provide zero access
The caveat a practitioner should insist on: this holds only if the VPN gateway itself is not password-only. Infostealers harvest VPN logins just as readily as cloud logins, so the gateway must require MFA and should bind connections to managed devices (for example with a device certificate that never sits in a browser password store). Otherwise the VPN simply becomes the one password-only door.
The Multi-Cloud Problem
Many organizations compound their risk by using multiple cloud file-sharing providers simultaneously:
- ShareFile for some departments
- Dropbox for others
- OneDrive for corporate documents
- Google Drive for collaboration
- Box for client-facing files
- Nextcloud or OwnCloud for specific projects
This creates a much larger attack surface:
- Multiple sets of credentials to protect
- Multiple platforms to secure and monitor
- Multiple MFA systems to manage
- Multiple potential breach points
- Inconsistent security policies across platforms
- Shadow IT with unknown cloud services
The reality of MFA with multiple cloud providers: Users are typically just sent an invite to each platform. Nobody wants to deal with MFA on 3+ different providers—especially when some only offer annoying OTP codes that require fumbling with your phone every time you access a file. This is why MFA often doesn't get enabled in the first place. IT teams know users will rebel against constant authentication prompts across multiple platforms, so security takes a back seat to usability.
Each additional cloud provider multiplies your vulnerability. If even one platform lacks proper protection, attackers gain a foothold.
The Critical Distinction
| Public Cloud Platforms | Dataforge Always-On VPN |
|---|---|
| Internet-accessible by design | Private, isolated infrastructure |
| Direct credential-based access | VPN tunnel required first |
| Single point of failure (credentials) | Layered security architecture |
| Publicly exposed attack surface | No external exposure |
| Stolen password = full access | Stolen password = no access |
| Multiple cloud providers = multiple attack surfaces | One VPN to guard = single security perimeter |
| 3+ MFA systems = user frustration and non-compliance | One authentication point = practical security users will actually use |
Single Point of Control
With Dataforge's always-on VPN architecture, you have ONE system to guard: the VPN itself.
No matter how many file servers, databases, or applications your business runs:
- One authentication point - Users authenticate once to the VPN, then reach company resources under their normal file and application permissions
- No MFA fatigue - One modern MFA system instead of juggling 3+ different platforms with inconsistent methods
- No external attack surface - Systems aren't exposed to the internet, so stolen credentials can't reach them anyway
- One security policy to maintain and enforce
- One authentication system to monitor
- One perimeter to defend
- Centralized logging and auditing
- Consistent security posture across all resources
The practical difference is enormous: Instead of users dealing with multiple logins, multiple MFA prompts, and multiple annoying OTP codes throughout their workday, they authenticate once through the always-on VPN and everything just works—while remaining completely protected from external threats.
This is fundamentally more secure and manageable than juggling multiple cloud providers, each with their own credentials, security settings, and potential vulnerabilities.
Recommendations for Businesses
If Using Public Cloud Platforms
Immediate actions: enforce MFA on every cloud service (phishing-resistant methods such as FIDO2 security keys or passkeys where the platform supports them), reset credentials for any account that may have been exposed, review access logs for password-only sign-ins and unfamiliar source addresses, and deploy endpoint protection that detects infostealer families.
MFA raises the bar but is not sufficient on its own. Internet-facing platforms remain exposed to adversary-in-the-middle phishing kits that relay one-time codes, to session cookies that the same infostealers harvest (a stolen cookie replays an already-authenticated session), and to push-fatigue attacks against approval-style MFA.
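What "review access logs" means in practice for the Zestix pattern is a search for successful sign-ins that used no second factor, especially from addresses the user has never used before or on accounts already known to be in a stealer-log feed. The Python script below is an added example, not code from Dataforge Canada, the cited reports, or any file-sharing vendor. The JSON-lines log format, its field names, the per-user IP baseline, and the "compromised accounts" list are all constructed for the example (the addresses are RFC 5737 documentation ranges); map your platform's real audit export onto these fields before using it.

```python
"""Flag risky sign-ins to a file-sharing platform from its authentication log.

Added example, not the brief's or any vendor's code. Three signals are scored
for every successful login:
  password_only_login       - no second factor was used
  new_source_ip             - the user has never signed in from this address
  known_compromised_account - the account appears in a stealer-log / breach feed
The log format and all sample data are constructed for the example.
"""
import copy
import json
from typing import Iterable

# Constructed sample data (RFC 5737 documentation addresses).
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}
COMPROMISED_ACCOUNTS = {"bob"}  # e.g. names returned by a stealer-log monitoring feed
SAMPLE_LOG = """\
{"ts": "2026-01-15T08:01:00Z", "service": "nextcloud", "user": "alice", "src_ip": "203.0.113.10", "result": "success", "mfa": true}
{"ts": "2026-01-15T08:02:10Z", "service": "nextcloud", "user": "alice", "src_ip": "192.0.2.44", "result": "success", "mfa": false}
{"ts": "2026-01-15T08:03:30Z", "service": "sharefile", "user": "bob", "src_ip": "198.51.100.7", "result": "failure", "mfa": false}
{"ts": "2026-01-15T08:03:41Z", "service": "sharefile", "user": "bob", "src_ip": "198.51.100.7", "result": "success", "mfa": false}
not a json line
{"ts": "2026-01-15T08:05:00Z", "service": "nextcloud", "user": "alice", "src_ip": "192.0.2.44", "result": "success", "mfa": false}
"""


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines, skipping blank or malformed rows instead of crashing."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def severity(reasons: set[str]) -> str:
    """A password-only sign-in is worse when the source or the account is suspect."""
    if "password_only_login" in reasons and len(reasons) > 1:
        return "high"
    if "password_only_login" in reasons:
        return "medium"
    return "low"


def analyze(lines: Iterable[str], baseline: dict[str, set[str]], compromised: set[str]) -> list[dict]:
    """Return one alert per risky successful login, in log order."""
    seen = copy.deepcopy(baseline)  # do not mutate the caller's baseline
    alerts = []
    for ev in parse_events(lines):
        if ev.get("result") != "success":
            continue
        user, ip = ev["user"], ev["src_ip"]
        reasons = set()
        if not ev.get("mfa", False):
            reasons.add("password_only_login")
        if ip not in seen.setdefault(user, set()):
            reasons.add("new_source_ip")
        if user in compromised:
            reasons.add("known_compromised_account")
        seen[user].add(ip)  # learn the address so a repeat is not "new" again
        if reasons:
            alerts.append({
                "ts": ev["ts"], "service": ev["service"], "user": user, "src_ip": ip,
                "reasons": sorted(reasons), "severity": severity(reasons),
            })
    return alerts


def users_without_mfa(alerts: list[dict]) -> list[str]:
    """Accounts that completed a password-only login: the MFA enforcement to-do list."""
    return sorted({a["user"] for a in alerts if "password_only_login" in a["reasons"]})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines(), BASELINE_IPS, COMPROMISED_ACCOUNTS)
    for a in found:
        print(f"{a['severity']:<6} {a['ts']} {a['service']:<9} {a['user']:<6} {a['src_ip']:<14} {','.join(a['reasons'])}")
    print("enforce MFA for:", ", ".join(users_without_mfa(found)))
```

On the sample data the second line is exactly the Zestix signature: a valid password, no second factor, from an address the user has never used. The `users_without_mfa` list is the set of accounts to force through MFA enrolment first; a platform that cannot emit whether a second factor was used is itself a finding.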
The Better Solution: Architecture-Level Protection
Consider moving to private infrastructure with always-on VPN solutions that eliminate public cloud exposure entirely and create a single, manageable security perimeter.
Why Dataforge's Approach Matters
The Fundamental Problem
The Zestix campaign demonstrates that relying solely on credential-based security for internet-accessible systems is inadequate. Even with MFA, publicly exposed platforms remain vulnerable to:
- Adversary-in-the-middle phishing that relays one-time codes in real time
- Session hijacking with stolen cookies or tokens, which bypasses the login page entirely
- Push-fatigue and other MFA bypass techniques
- Social engineering of users and help desks to reset credentials or re-enrol MFA
The problem multiplies when organizations use multiple cloud providers. Many businesses have:
- 3-5 different cloud file-sharing services
- 10+ cloud applications across departments
- Shadow IT with unknown cloud usage
- Each service requiring separate credentials
- Each platform presenting a potential breach point
The Architectural Solution
Dataforge's always-on VPN approach eliminates the attack surface entirely:
✅ No public exposure – Your file systems aren't on the internet
✅ Layered security – VPN + credentials + network controls
✅ Transparent protection – Users work normally while staying secure
✅ Single security perimeter – One VPN to guard, not dozens of cloud services
✅ Centralized control – Unified security policy across all resources
✅ Proven reliability – 30 years of managed IT experience
✅ Local expertise – Serving Burlington, Hamilton, and the GTA
The Power of Simplification
With multiple cloud providers: You're defending dozens of doors, each with different locks, different keys, and different vulnerabilities. Your users are logging into 3+ platforms throughout the day, dealing with different MFA systems (some with annoying OTP codes), and inevitably taking shortcuts that compromise security.
With Dataforge's always-on VPN: You're defending one gate with one strong authentication system that users actually tolerate. Everything behind that gate is protected, regardless of how many systems or applications you run. Even if employee credentials are stolen by malware, attackers can't reach your systems: the only externally reachable surface is the VPN gateway, and that gateway enforces its own MFA rather than accepting a password alone.
Protecting Your Business
The Zestix breach campaign affecting 50+ global companies proves that traditional cloud file-sharing platforms with password-only (or even MFA-only) authentication are insufficient for protecting sensitive business data.
Your data deserves better protection.
Dataforge Canada's always-on VPN solution provides the architectural security that keeps your files safe from credential-based attacks – even when employee credentials are compromised.
Contact Dataforge Canada
Dataforge Canada
6-783 King Road
Burlington, Ontario
Services:
- Managed IT Services
- Always-On VPN Solutions
- On-Premises and Datacenter File Storage
- Industry-Specific Platform Support
- 30 Years Serving the GTA
Don't wait for a breach to rethink your file-sharing security. Contact Dataforge Canada today for a consultation on protecting your business with always-on VPN architecture.
References
- Hudson Rock Security Research, "Dozens of Global Companies Hacked via Cloud Credentials," January 2026. https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/
- BleepingComputer, "Cloud file-sharing sites targeted for corporate data theft attacks," January 2026. https://www.bleepingcomputer.com/news/security/cloud-file-sharing-sites-targeted-for-corporate-data-theft-attacks/
- SC Media, "Zestix hackers sell data stolen from ShareFile, Nextcloud," January 2026. https://www.scworld.com/brief/zestix-hackers-sell-data-stolen-from-sharefile-nextcloud
- Dark Reading, "Lack of MFA Is Common Thread in Vast Cloud Credential Heist," January 2026. https://www.darkreading.com/cloud-security/lack-mfa-common-thread-vast-cloud-credential-heist
- SecurityWeek, "Dozens of Major Data Breaches Linked to Single Threat Actor," January 2026. https://www.securityweek.com/dozens-of-major-data-breaches-linked-to-single-threat-actor/
- Cybernews, "Fifty companies breached through cloud storage," January 2026. https://cybernews.com/security/fifty-firms-breached-using-stolen-cloud-storage-passwords/
- The Register, "One criminal stole info from 50 orgs thanks to no MFA," January 2026. https://www.theregister.com/2026/01/06/50_global_orgs_hacked
This brief prepared by Dataforge Canada | January 2026