Warlock, the emergent cyber crime gang that claims it is holding UK network and telecoms services provider Colt’s data to ransom, appears to have hit multiple other victims in the past few weeks, it has emerged.
This is according to data supplied through the open source RansomLook.io information service, which is currently tracking 475 ransomware gangs across hundreds of dark web forums, markets and other channels. Warlock has claimed a total of 22 new victims since since 16 August, according to the data.
Besides Colt, these include a number of other tech firms, including mobile operator Orange, which today (20 August) confirmed a cyber attack affecting its Belgian subsidiary and last month reported a major security incident in its home country, France.
In a statement, Orange said it had detected a cyber attack on its IT systems resulting in criminal access to data on 850,000 customers. It claimed no credentials, email addresses, or banking or financial details were compromised, but information including names, phone and SIM card numbers, tariff plan data and Personal Unlocking Key (PUK) codes were.
The compromise of PUK codes is a particularly urgent concern, as these eight-digit numbers are designed as a security measure to protect SIM cards from unauthorised use should the user accidentally lock their SIM.
“As soon as the incident was detected, our teams blocked access to the affected system and tightened our security measures. Orange Belgium also alerted the competent authorities and filed an official complaint with the judicial authorities,” a spokesperson said.
Colt curtailed
Colt, meanwhile, continues to reckon with the impact of Warlock’s attack as its investigation continues to unfold. The organisation today confirmed that it had determined some customer data had been stolen, and that establishing the precise nature of this data is its current priority.
Currently unavailable are the Colt Online customer portal, number hosting application programming interfaces (APIs), the Colt On Demand network-as-a-service portal, any ability to order or deliver new services, and several undisclosed customer-focused automated processes and systems.
“We would like to reassure you that this cyber incident is limited to our business support systems, which are strictly separated from our customer infrastructure, ensuring that authentication systems are not shared between the two environments,” said a Colt spokesperson. “We’re working around the clock to restore our systems. It’s too early to give an exact timeline at the moment, but we’ll provide regular updates to keep you informed.”
According to screenshots obtained by independent security analyst Kevin Beaumont, Warlock will leak Colt’s data within the next week if its attempt to sell the dataset fails.
SharePoint vulns behind Warlock’s rise
According to Microsoft’s security experts, Warlock has been exploiting two security bypass vulnerabilities in SharePoint Server – collectively known as ToolShell, which were discovered in July and swiftly patched at the time amid warnings that the resulting exploit chain was being used by Chinese state cyber spies.
According to data obtained by cyber security news outlet Recorded Future under the UK Freedom of Information Act (FoIA), the Information Commissioner’s Office (ICO) was aware of three instances of personal data breaches arising from exploitation of ToolShell as of 28 July. However, the use of ToolShell does not necessarily indicate the involvement of Warlock.
Meanwhile, Trend Micro researchers have revealed how the Warlock campaign exemplifies the speed with which threat actors can weaponise enterprise vulnerabilities for high-impact activities.
“Through the exploitation of the SharePoint vulnerabilities, attackers were able to bypass authentication, achieve remote code execution [RCE], and rapidly pivot across compromised networks,” said the Trend Micro team.
Trend Micro described a complex yet effective attack chain through which Warlock is using targeted HTTP POST requests to upload webshells to vulnerable SharePoint servers, then escalating their attacks through abuse of Group Policy, credential theft, and lateral movement with both legitimate Windows tools and custom-build malwares, ultimately leading to the execution of the ransomware locker, which encrypts files with the extension .x2anylock, while data is exfiltrated using RClone.
Its locker malware appears to be a custom derivative of the leaked LockBit 3.0 builder, Trend said, noting how that in a remarkably short period of time, Warlock had evolved into a rapidly growing global threat with its enthusiastic adoption of ToolShell setting the stage for future, more sophisticated campaigns.
“This end-to-end attack highlights the dangers of delayed patching and the importance of layered defence,” the team added.
