Particle.news

Colt Confirms Data Theft as Warlock Auctions Data From SharePoint Hacks

Researchers link the spree to SharePoint ToolShell flaws enabling webshell uploads, rapid lateral movement, exfiltration, then a LockBit-derived locker.

Overview

  • Colt says some data was taken in last week’s cyberattack, its key customer platforms remain degraded, and Warlock is running a private auction that closes August 27 with no sample leaks posted so far.
  • Colt set up a dedicated line for customers to request the list of filenames Warlock claims to hold, while its investigation with external forensics and law enforcement continues.
  • Open-source tracker RansomLook.io counts 22 new Warlock victim claims since August 16, with targets spanning multiple sectors and regions, including mobile operator Orange.
  • Orange Belgium reports unauthorized access to data on 850,000 customers, including names, phone and SIM numbers, tariff details and SIM PUK codes, and says it blocked access and alerted authorities.
  • Trend Micro details a ToolShell-driven attack chain with webshell uploads, new GPOs and an elevated guest account for persistence, stealthy C2, lateral movement, RClone exfiltration, and a ransomware locker derived from leaked LockBit 3.0 code; Microsoft says ToolShell was patched in July and was abused by actor Storm-2603 to distribute Warlock, prompting urgent patching guidance.
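The post-exploitation steps in the last bullet (an enabled and elevated guest account, freshly created GPOs, RClone launched for bulk copy-out) each leave a distinct trace in the Windows Security log, which is what a SharePoint operator would hunt for after patching. The script below is an added example, not code from the article, Trend Micro or Microsoft: the event records are constructed, and the dictionary field names (`TargetUserName`, `MemberSid`, `ObjectClass`, `NewProcessName`) are assumptions modelled on the XML data fields of the corresponding Security events.

```python
"""Flag Windows Security events matching the Warlock post-exploitation steps:
guest account enabled and added to Administrators, new Group Policy objects
created, and rclone.exe started. Added example with constructed sample data;
field names are assumptions based on the events' XML data fields."""
import ntpath
from collections import defaultdict

# The built-in Guest account always carries relative identifier 501, so the
# SID suffix is a more reliable match than the (renameable) account name.
GUEST_RID = "-501"


def classify(event):
    """Map one Security event to a chain-stage label, or None when benign."""
    eid = event.get("EventID")
    # 4722: a user account was enabled
    if eid == 4722 and event.get("TargetUserName", "").lower() == "guest":
        return "guest account enabled"
    # 4732: a member was added to a security-enabled local group
    if (eid == 4732
            and event.get("TargetUserName", "").lower() == "administrators"
            and (event.get("MemberSid", "").endswith(GUEST_RID)
                 or event.get("MemberName", "").lower().endswith("\\guest"))):
        return "guest added to Administrators"
    # 5137: a directory service object was created (GPOs are groupPolicyContainer objects)
    if eid == 5137 and event.get("ObjectClass", "").lower() == "grouppolicycontainer":
        return "new GPO created"
    # 4688: a new process was created (requires process-creation auditing)
    if eid == 4688 and ntpath.basename(event.get("NewProcessName", "")).lower() == "rclone.exe":
        return "rclone execution"
    return None


def detect(events):
    """Return {host: [stage labels in first-seen order]} for hosts with findings."""
    findings = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label and label not in findings[ev["Computer"]]:
            findings[ev["Computer"]].append(label)
    return {host: labels for host, labels in findings.items() if labels}


def stages_seen(findings):
    """Distinct stages across the estate; several together is the real signal,
    since any one of them can also occur during legitimate administration."""
    return sorted({label for labels in findings.values() for label in labels})


# Constructed sample events (not real telemetry); the GPO GUID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "SP01", "TargetUserName": "svc_sp"},
    {"EventID": 4722, "Computer": "SP01", "TargetUserName": "Guest"},
    {"EventID": 4732, "Computer": "SP01", "TargetUserName": "Administrators",
     "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-501"},
    {"EventID": 5137, "Computer": "DC01", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=example,DC=local"},
    {"EventID": 4688, "Computer": "FS02",
     "NewProcessName": "C:\\Users\\Public\\rclone.exe"},
    {"EventID": 4688, "Computer": "WS07",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for host, labels in result.items():
        print(f"{host}: {', '.join(labels)}")
    print(f"stages seen: {len(stages_seen(result))} of 4")
```

Event 4688 only exists where process-creation auditing is enabled, and 5137 requires directory service object auditing on domain controllers; without those audit policies the GPO and RClone stages are invisible to this logic, so confirm the policy before relying on the rule.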