Support Portals Offline as Ransomware Gang Claims It Stole Data
British-based multinational telecom Colt Technology Services said a “cyber incident” is responsible for days-long disruptions to its customer portal and support services.
Colt said the incident began earlier in the week of Aug. 12, when it detected an issue affecting an internal system. Some support services, including Colt Online and the Voice API platform, remain unavailable. The company said the affected system “is separate from our customers’ infrastructure.”
The WarLock ransomware operation took responsibility for the hack, asserting it stole “1 million documents.” On its dark web leak site, it asserted the files contain data including employee salary figures, customer contact data, “internal executive personal information” and emails. It offered the data for $200,000. A hacker using the handle “cnkjasdfgd” claiming to be a member of the ransomware gang posted the same missive on a criminal forum, reported Bleeping Computer.
Colt said it proactively shut down some services. “Our technical team is focused on restoring the affected systems and is working closely with third-party cyber experts,” the company said in an Aug. 14 update.
The privately held company said it retains the ability to monitor customer networks and manage incidents but must rely on manual processes until its automated monitoring tools are fully restored. Colt operates more than 50 metropolitan area networks in 30 countries spanning Europe, Asia, and North America.
Noted cybersecurity expert Kevin Beaumont said he examined a posted list of 400,000 files apparently stolen by hackers. “I’ve authenticated the filenames are real, eg they include customer documentation and performance reviews of Colt staff,” he wrote.
Beaumont also wrote that he suspects hackers exploited flaws, known as ToolShell, in on-premises instances of Microsoft SharePoint. Microsoft’s own security research group warned in July that a threat actor it tracks as Storm-2603 was exploiting the vulnerability to infect targets with WarLock ransomware (see: SharePoint Zero-Days Exploited to Unleash Warlock Ransomware).
One reason to suspect ToolShell, Beaumont said, is that Colt exposed sharehelp.colt.net to the internet.