Brief #138: 41% Hired AI Deepfake Candidates, Zestix Breaches 50+ Enterprises, CrowdStrike $740M Deal

Nikoloz Kokhreidze

AI-generated code contains 1.7x more security vulnerabilities and 75% more logic errors than human-written code. Defense contractors leaked ITAR-controlled blueprints due to missing MFA enforcement.

Happy Sunday!

In this week's brief:

  • Zestix threat actors compromised 50+ major enterprises using stolen credentials from old infostealer infections, highlighting how basic MFA gaps continue to enable massive breaches
  • AI-generated code contains 1.7x more security vulnerabilities than human-written code, particularly struggling with error handling and password security implementations
  • 41% of large enterprises accidentally hired fake candidates created with AI deepfakes, with nearly all organizations experiencing some form of AI impersonation attempts

A quick note before we dive in.

Industry News

Zestix Threat Actor Breaches 50+ Companies Using Stolen Credentials From Infostealer Infections

  • Threat actor Zestix (alias Sentap) has compromised approximately 50 major global enterprises by exploiting credentials harvested from infostealer malware infections on employee devices, targeting ShareFile, OwnCloud, and Nextcloud platforms across aviation, defense, healthcare, and government sectors.

  • The breaches succeeded because the affected organizations had not enforced Multi-Factor Authentication (MFA): a valid username and password lifted from years-old infostealer logs was enough to sign in to the corporate file-sharing portals, with no exploit or session hijacking required.

  • Notable victims include Iberia Airlines (77GB of aircraft maintenance data), Intecro Robotics (11.5GB of ITAR-controlled defense blueprints), Maida Health (2.3TB of Brazilian Military Police medical records), and Pickett & Associates (139GB of critical utility infrastructure LiDAR files).
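The access pattern behind these intrusions is a successful password-only login, often from an address the account has never used, followed by the same address walking further accounts from the dump. Below is an added example, not code from the brief, that flags both patterns and lists the accounts that completed a login without MFA. The log lines are constructed in a simplified one-JSON-object-per-line format (an assumption); real ShareFile, ownCloud and Nextcloud logs differ, so parse_events() is the part to adapt.

```python
"""Added example, not code from the brief: flag successful password-only
logins to a file-sharing portal from source addresses never seen for that
account, and one address walking several accounts.

The log lines below are constructed in a simplified one-JSON-object-per-line
format (an assumption); real portal logs differ, so parse_events() is the
part to adapt.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a user with an MFA habit, then a password-only login
# from a fresh address, and that address later entering a second account.
SAMPLE_LOG = """\
{"ts":"2026-01-05T08:02:11Z","user":"jdoe","src_ip":"203.0.113.10","result":"success","mfa":true}
{"ts":"2026-01-05T17:44:03Z","user":"jdoe","src_ip":"203.0.113.10","result":"success","mfa":true}
{"ts":"2026-01-06T03:14:02Z","user":"jdoe","src_ip":"198.51.100.77","result":"success","mfa":false}
{"ts":"2026-01-06T03:14:30Z","user":"svc-backup","src_ip":"192.0.2.5","result":"success","mfa":false}
{"ts":"2026-01-06T03:20:00Z","user":"svc-backup","src_ip":"192.0.2.5","result":"success","mfa":false}
{"ts":"2026-01-06T04:00:00Z","user":"asmith","src_ip":"198.51.100.77","result":"failure","mfa":false}
{"ts":"2026-01-06T04:00:09Z","user":"asmith","src_ip":"198.51.100.77","result":"success","mfa":false}
"""


def parse_events(text):
    """Parse the constructed format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (ts, rule, subject, detail) alerts.

    new-ip-no-mfa:        an account with prior login history signs in
                          successfully without MFA from an address it has
                          never used; a stale but still valid infostealer
                          password looks exactly like this.
    multi-account-no-mfa: one address completes password-only logins to two
                          or more accounts, the signature of replaying a
                          credential dump against the portal.
    """
    seen_ips = defaultdict(set)        # user -> addresses from past successful logins
    accounts_by_ip = defaultdict(set)  # address -> accounts it entered without MFA
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue  # failures are noise here; successes are what must be explained
        user, ip = e["user"], e["src_ip"]
        if not e["mfa"]:
            if seen_ips[user] and ip not in seen_ips[user]:
                alerts.append((e["ts"], "new-ip-no-mfa", user, ip))
            if user not in accounts_by_ip[ip]:
                accounts_by_ip[ip].add(user)
                if len(accounts_by_ip[ip]) >= 2:
                    alerts.append((e["ts"], "multi-account-no-mfa", ip,
                                   tuple(sorted(accounts_by_ip[ip]))))
        seen_ips[user].add(ip)
    return alerts


def users_without_mfa(events):
    """Accounts that completed at least one successful login without MFA:
    the enforcement gap the Zestix intrusions depended on."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and not e["mfa"]})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ts, rule, subject, detail in detect(evs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:22} {subject} {detail}")
    print("accounts with password-only logins:", users_without_mfa(evs))
```

On the sample data this raises two alerts (jdoe from a new address without MFA, then that address entering asmith's account) and reports three accounts that were allowed in on a password alone. The users_without_mfa() list is the more useful output for a leadership brief: it is the population an enforced-MFA policy would have closed off regardless of how old the stolen password was.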

N8N Warns of Critical RCE Vulnerability with CVSS 10.0 Score

  • The CVE-2026-21877 vulnerability affects both self-hosted and cloud versions of the n8n workflow automation platform, allowing authenticated users to execute untrusted code and potentially achieve full system compromise.

  • Affected versions are n8n >= 0.123.0 and < 1.121.3; the fix shipped in version 1.121.3, released in November 2025. The flaw was discovered by security researcher Théo Lelasseux.

  • Administrators can mitigate the risk by disabling the Git node and restricting access for untrusted users if immediate patching to version 1.121.3 or later is not feasible.
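As an added example, not code from the brief or from n8n, the script below triages an installed n8n version against the affected range quoted above and records the interim mitigation for anything still inside it. The NODES_EXCLUDE setting and the node type name "n8n-nodes-base.git" are assumptions taken from n8n's documented node-exclusion option (the configuration form of "disable the Git node"); verify both against the n8n docs for your release.

```python
"""Added example, not code from the brief or from n8n: triage an n8n version
against the affected range for CVE-2026-21877 (>= 0.123.0 and < 1.121.3)
and record the interim mitigation for anything still inside it.

Assumptions: the NODES_EXCLUDE setting and the node type name
"n8n-nodes-base.git" come from n8n's documented node-exclusion option;
verify both against the n8n docs for your release.
"""
import re

# Version keys are (major, minor, patch, is_release): a pre-release such as
# 1.121.3-rc.1 sorts before the 1.121.3 release it precedes, so it is still
# treated as affected.
AFFECTED_MIN = (0, 123, 0, 0)
FIXED = (1, 121, 3, 1)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """'1.121.2', 'v1.121.2', '1.121' or '1.121.3-rc.1' -> sortable 4-tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_affected(version):
    """True when the version lies in [0.123.0, 1.121.3)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def triage(version):
    """Verdict dict of the kind a patch-tracking script would store."""
    affected = is_affected(version)
    verdict = {"version": version.strip(), "affected": affected,
               "action": "none for CVE-2026-21877", "interim_env": {}}
    if affected:
        verdict["action"] = ("upgrade to 1.121.3 or later; until then disable "
                             "the Git node and restrict untrusted accounts")
        # Assumed n8n setting (see module docstring): a JSON array of node
        # types to leave unloaded, here only the Git node.
        verdict["interim_env"] = {"NODES_EXCLUDE": '["n8n-nodes-base.git"]'}
    return verdict


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["1.120.4", "1.121.3"]:
        print(triage(v))
```

The interim_env value is what would go into the n8n process environment or its .env file (single-quoted in a shell, since the value is a JSON array) until the upgrade lands; excluding the node does not remove the need to patch, it only removes the reachable code path the brief names.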

BGP Route Leak Analysis: Venezuela ISP Shows Pattern of Routing Misconfigurations

  • Cloudflare investigated a BGP route leak by Venezuelan ISP CANTV (AS8048) on January 2nd, finding it was likely caused by insufficient routing export policies rather than malicious intent, with the leaked routes being heavily prepended making them less attractive for traffic routing.

  • Analysis revealed CANTV has experienced eleven route leak events since December, all following the same pattern of redistributing customer routes to providers, indicating systemic configuration issues rather than targeted attacks despite speculation about government surveillance capabilities.

  • The incident highlights the need for path-based BGP safeguards such as ASPA (Autonomous System Provider Authorization) and the RFC 9234 Only-To-Customer attribute: RPKI Route Origin Validation checks only that the origin AS is authorized for the prefix, so a leaked path that still ends at the legitimate origin, as this one affecting Venezuelan telecom prefixes did, passes ROV untouched.
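To make the ROV-versus-path-validation point concrete, here is an added example, not code from the brief or from Cloudflare, that runs a simplified ASPA check and the RFC 9234 OTC ingress rule beside plain origin validation on constructed data. All AS numbers are from the documentation range (AS64496-64511), the ROA and ASPA records are made up, and the ASPA logic implements only the case of a route received from a customer or lateral peer; the full IETF verification procedure also covers routes received from providers.

```python
"""Added example, not code from the brief or from Cloudflare: a simplified
ASPA path check and the RFC 9234 OTC ingress rule beside RPKI origin
validation, on constructed data, showing why a leaked path with a
legitimate origin passes ROV but fails the path-based checks.

Assumptions: documentation-range AS numbers, made-up ROA and ASPA records,
and ASPA logic limited to routes received from a customer or lateral peer.
"""
import ipaddress

OUR_AS = 64500

# Constructed ROAs: (prefix, maxLength, authorised origin AS).
ROAS = [("192.0.2.0/24", 24, 64503)]

# Constructed ASPA records: customer AS -> set of authorised provider ASes.
# An AS missing from this table has published no ASPA record.
ASPA = {
    64501: {64500, 64502},  # 64501 is multihomed: transit from us and from 64502
    64502: {64510},
    64503: {64501, 64502},
}


def rov(prefix, origin_as):
    """RPKI Route Origin Validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_len, roa_origin in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.network_address in roa_net and net.prefixlen >= roa_net.prefixlen:
            covering.append((max_len, roa_origin))
    if not covering:
        return "not-found"
    for max_len, roa_origin in covering:
        if roa_origin == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def collapse_prepends(as_path):
    """Drop consecutive repeats so heavy prepending cannot disturb hop checks."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def aspa_from_customer(as_path):
    """ASPA check for a route received from a customer or lateral peer.

    as_path lists the neighbour first and the origin last. Walking from us
    towards the origin, every AS must name the AS on its left as a provider:
    'invalid' on the first hop that contradicts a published record, 'unknown'
    if some hop has no record and none contradicts, otherwise 'valid'.
    """
    hops = [OUR_AS] + collapse_prepends(as_path)
    result = "valid"
    for left, right in zip(hops, hops[1:]):
        providers = ASPA.get(right)
        if providers is None:
            result = "unknown"
        elif left not in providers:
            return "invalid"
    return result


def otc_ingress_leak(otc, neighbour_role, neighbour_as):
    """RFC 9234 section 5 ingress rule: a route carrying the OTC attribute is
    a leak when received from a customer or RS-client, or from a peer whose
    ASN differs from the OTC value."""
    if otc is None:
        return False
    if neighbour_role in ("customer", "rs-client"):
        return True
    return neighbour_role == "peer" and otc != neighbour_as


if __name__ == "__main__":
    # Constructed leak: customer 64501 learned 192.0.2.0/24 from its provider
    # 64502 and re-announced it to us, its other provider, with prepending.
    leaked_path = [64501, 64501, 64501, 64502, 64503]
    print("ROV :", rov("192.0.2.0/24", leaked_path[-1]))        # valid
    print("ASPA:", aspa_from_customer(leaked_path))              # invalid
    # Had 64502 stamped OTC=64502 when sending to its customer, we would also
    # see the attribute arrive from a customer, which RFC 9234 rejects.
    print("OTC :", otc_ingress_leak(64502, "customer", 64501))   # True
```

The origin AS64503 is authorized for the prefix, so ROV returns valid for the leaked announcement; only the hop check (AS64501 is not a provider of AS64502) or the OTC attribute reveals that the route travelled customer-to-provider where it should not have. That is the gap the brief refers to, and why deploying ASPA records and RFC 9234 roles matters even where ROA coverage is complete.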

Member-Only Content