
Warlock Ransomware Emerges as Major Cyber Threat, Security Experts Warn


Cybersecurity researchers are sounding the alarm over a fast-growing ransomware operation called Warlock. According to a detailed report by Sophos, this group—also tracked as Gold Salem by Sophos and Storm-2603 by Microsoft—has quickly gained notoriety in the cybercrime world.

Sophos warns that Warlock “could be the most worrying new strain” in recent years. Since first being detected in March 2025, the group has breached more than 60 organizations. What makes the campaign particularly concerning is not just the number of victims but also the group’s sophistication. In just months, Warlock has successfully exploited SharePoint vulnerabilities using a custom ToolShell chain, leveraged legitimate tools like Velociraptor for covert tunneling, deployed Mimikatz for credential theft, and used PsExec/Impacket and GPOs to spread ransomware payloads.

The attackers have also acquired exploits and stolen access credentials from underground forums, despite having no prior public presence.

Attribution, however, remains uncertain. While Microsoft describes Warlock as a “China-based actor,” Sophos believes the evidence is inconclusive. What is clear is that the group has targeted diverse industries and countries worldwide—while deliberately avoiding Russian and Chinese organizations.

One exception stands out: a single Russian company has recently been listed on Warlock’s data leak site. Sophos suggests this points to the group operating outside Russia’s jurisdiction or sphere of influence. Out of more than 60 known victims, the group claims to have sold stolen data from 27 of them (around 45%) to private buyers. Interestingly, only 32% of cases involved public data leaks, which could imply that the remainder either paid ransoms or had their data traded discreetly.

Still, Sophos cautions that Warlock’s claims may be inflated or fabricated. As the report notes, ransomware operators often exaggerate their impact to appear more dangerous and enhance their credibility.

Colt Technology Services Hit by Cyberattack Linked to WarLock Ransomware


UK-based telecom giant Colt Technology Services confirmed that a “cyber incident” is behind the prolonged outage of its customer portal and support platforms. The company said the issue first appeared during the week of Aug. 12, when it detected problems within one of its internal systems. Services such as Colt Online and its Voice API platform remain inaccessible. Colt emphasized that the compromised system “is separate from our customers’ infrastructure.”

The WarLock ransomware group has claimed responsibility, alleging it stole “1 million documents.” On its dark web leak site, the group claimed the trove includes employee salary data, customer contact details, “internal executive personal information” and emails. The attackers are reportedly offering the files for $200,000. A hacker under the alias “cnkjasdfgd” posted the same statement on a cybercrime forum, according to Bleeping Computer.

Colt confirmed it had proactively disabled some services to contain the breach. “Our technical team is focused on restoring the affected systems and is working closely with third-party cyber experts,” the company said in its Aug. 14 update.

While services remain disrupted, Colt noted it can still monitor customer networks and respond to incidents, though it currently relies on manual processes until automated monitoring tools are back online. The company operates more than 50 metro networks across 30 countries in Europe, Asia and North America.

Cybersecurity researcher Kevin Beaumont reviewed a leaked list of 400,000 files linked to the breach. “I've authenticated the filenames are real, e.g., they include customer documentation and performance reviews of Colt staff,” Beaumont wrote. He added that he suspects the attackers may have exploited flaws in on-premises Microsoft SharePoint instances, specifically the exploit chain known as ToolShell. Microsoft had previously warned that a threat actor identified as Storm-2603 was leveraging the vulnerability to spread WarLock ransomware.

Beaumont pointed out that Colt had exposed sharehelp.colt.net to the internet, which could have been exploited.

In response to questions about WarLock and ToolShell, Colt provided a prepared statement: “Our dedicated incident response team, including external investigators and forensic experts, is working to investigate this incident. This investigation has continued, and will continue, 24/7. We continue to work closely with law enforcement agencies as part of our investigation.”

Orange Belgium Data Breach Exposes 850K Users to SIM-Swapping Risks


Orange Belgium has suffered a major data breach in which an attacker accessed the personal information of approximately 850,000 customers, with SIM card numbers and Personal Unblocking Key (PUK) codes among the most sensitive details exposed.

The breach, disclosed in a press release dated August 20, 2025, immediately raised concerns about the increased risk of SIM swapping—a fraud technique in which criminals gain control of a victim’s phone number by transferring it to a SIM card under their control. This enables them to intercept calls and messages, including those containing one-time passcodes for multi-factor authentication, potentially bypassing account security measures. 

The compromised data included customer first and last names, phone numbers, SIM card numbers, PUK codes, and tariff plan details. The company stressed that no passwords, email addresses, or banking and financial information were accessed. 

Upon detecting the intrusion in late July, Orange Belgium claims it promptly blocked access to the affected system, tightened security, and notified law enforcement. Affected customers are being contacted directly with advice to remain vigilant against suspicious communications. 

Notably, the incident coincides with a separate cyberattack against Orange’s French operations, although the company has not confirmed any link between the two events. The French incident reportedly did not result in unauthorized access to customer or corporate data.

In response to the breach, Orange Belgium introduced additional verification steps to prevent fraudulent SIM swaps, such as requiring customers to answer extra security questions when requesting SIM replacements. The answers to these questions were not compromised in the attack, according to the company. 

However, white hat hacker Inti De Ceukelaire criticized this approach, arguing that these measures are unlikely to fully prevent SIM swapping, especially if attackers attempt to port numbers to other providers. He also noted that Orange Belgium has not provided guidance or support for changing PUK or SIM numbers—information that is typically considered highly sensitive by other telecom providers. 

De Ceukelaire further criticized Orange’s initial communications for minimizing the seriousness of the breach, particularly in labeling the exposed PUK and SIM card numbers as “not critical.” He argued that this classification downplays the real-world risk to affected customers and accused Orange of misleading communications and shifting responsibility to users.

The attack on Orange Belgium has been claimed by the Warlock ransomware group, which reportedly posted samples of the stolen data online and is offering the full dataset for sale. Warlock has been linked to a recent wave of attacks exploiting vulnerabilities in Microsoft SharePoint, specifically the ‘ToolShell’ exploit chain, which came to light in July 2025.

The same group has previously targeted UK telecoms provider Colt Technology Services, leveraging one of the SharePoint-related vulnerabilities. By contrast, the French Orange incident was attributed to a different group, Babuk2, suggesting the attacks are not connected. 

The breach highlights ongoing vulnerabilities in telecom security—particularly the potential for SIM swapping to undermine multi-factor authentication—and underscores the importance of robust data protection and transparent incident communication. While Orange Belgium has taken some steps to mitigate the immediate risks, critics argue that more comprehensive safeguards and clearer customer guidance are needed to adequately protect users from sophisticated attacks.