Particle.news


Warlock Exploits SharePoint ToolShell as Victim Claims Surge, With Colt Data Theft Confirmed and Orange Belgium Breached

A new Trend Micro analysis shows ToolShell exploitation enables full kill‑chain ransomware deployment.


Overview

  • Trend Micro reports that Warlock affiliates are abusing SharePoint authentication-bypass and deserialization flaws to gain remote code execution, escalate privileges, move laterally, and deploy ransomware at scale.
  • Researchers describe a repeatable chain that includes targeted HTTP POST webshell uploads, Group Policy abuse, credential theft, RClone exfiltration and a LockBit 3.0–derived locker that leaves the .x2anylock extension.
  • Open‑source tracking on RansomLook.io records 22 new Warlock victim claims since 16 August, with listings that include Orange, though public claims do not always equate to verified breaches.
  • Orange Belgium confirms criminal access to data on 850,000 customers including names, phone and SIM numbers, tariff data and PUK codes, and says it blocked access and alerted authorities.
  • Colt says some customer data was stolen and that multiple customer portals remain unavailable during its investigation; Microsoft had previously attributed SharePoint-based Warlock distribution to the actor it tracks as Storm-2603 and urged immediate patching.