Posts

Showing posts from August, 2025

Colt Telecom Hit by WarLock Ransomware: SharePoint Zero Day Used for Mass Data Theft

What Happened

On August 12, 2025, Colt Technology Services—a UK-based telecom giant—experienced a cyberattack that disrupted several internal support services, impacting systems like Colt Online, porting, and Voice API platforms, while core network services remained unaffected.

Who Claimed Responsibility

A threat actor using the handle "cnkjasdfgd," claiming to represent the WarLock ransomware group, offered 1 million stolen documents for US$200,000, providing sample files to prove their legitimacy.

Made Possible By

The attackers exploited a critical zero-day vulnerability in on-premises Microsoft SharePoint (CVE-2025-53770), which was publicly patched on July 21, 2025.

Technical Breakdown (“ToolShell” Exploit Chain)

Attackers used a sophisticated exploit chain now dubbed ToolShell, involving multiple steps:

1. Initial Access – Bypassing Authentication

A crafted HTTP POST to the /_layouts/15/ToolPane.aspx endpoint with a spoofed Referer header (/_layo...