Colt Telecom Hit by WarLock Ransomware: SharePoint Zero Day Used for Mass Data Theft

 What Happened

On August 12, 2025, Colt Technology Services—a UK-based telecom giant—experienced a cyberattack that disrupted several internal support services, impacting systems like Colt Online, porting, and Voice API platforms, while core network services remained unaffected.

Who Claimed Responsibility

A threat actor using the handle "cnkjasdfgd," claiming to represent the WarLock ransomware group, offered 1 million stolen documents for US$200,000, providing sample files to prove their legitimacy.

Made Possible By

The attackers exploited a critical zero-day vulnerability in on-premises Microsoft SharePoint (CVE‑2025‑53770), which was publicly patched on July 21, 2025.

Technical Breakdown (“ToolShell” Exploit Chain)

Attackers used a sophisticated exploit chain now dubbed ToolShell, involving multiple steps:

1. Initial Access – Bypassing Authentication

A crafted HTTP POST to the /_layouts/15/ToolPane.aspx endpoint with a spoofed Referer header (/_layouts/SignOut.aspx) bypassed SharePoint’s authentication.

2. Uploading a Web Shell

A malicious ASPX file (spinstall0.aspx) was dropped into the SharePoint layouts directory.

3. Extracting MachineKeys
The web shell extracted the server’s ValidationKey and DecryptionKey, enabling attackers to generate legitimate ViewState payloads and maintain persistent, authenticated access.

4.Persistence and Evasion
Because attackers had the MachineKeys, they could continue forging payloads and re-enter even after cleanup or patching.

5. Ransomware Deployment
Intelligence links Storm‑2603, a Chinese-linked threat group, to deploying WarLock ransomware via this exploit chain

Indicators of Compromise (IOCs)

 

 

Analysis & Key Points

  • Rapid Exploitation: Attackers began exploiting the SharePoint zero-day as early as July 18, with widespread abuse following soon after.
  • Wide Impact: Reports suggest 75–85 servers across massively varied sectors—including government, healthcare, telecom, and energy—were affected, with thousands more at risk. 
  • High Severity: With a CVSS score of 9.8, this RCE represents a high-impact vulnerability capable of unauthenticated remote code execution. 
  • IOCs and Detection: Detecting the spinstall0.aspx file, relevant POST patterns, or outbound connections from compromised IPs are crucial detection methods. Defender AMSI integration and file scanning can help stop payloads. 

Threat Group Behavior: Storm‑2603 transitioned from stealthy exploitation to ransomware deployment using the compromised infrastructure, highlighting the shift from espionage to extortion.

Essential Takeaways

  • Quick detection: Watch for spinstall0.aspx, unusual POST requests to ToolPane.aspx, or outbound traffic to known malicious IP addresses.
  • Immediate steps: Install Microsoft’s July security updates (KB5002768, KB5002754, KB5002760), enable AMSI integration and Defender Antivirus, rotate ASP.NET MachineKeys, and isolate compromised servers.
  • Broader lesson: Unpatched systems are highly vulnerable. SharePoint servers, often unwittingly exposed, make compelling targets when high-severity flaws like this go unpatched.

Comments

Post a Comment

Popular posts from this blog

OSINT Tool in Termux

Image
The Instagram OSINT Tool gets a range of information from an Instagram account that you normally wouldn't be able to get from just looking at their profile The information includes: [ profile ] : user id, followers / following, number of uploads, profile img URL, business enum, external URL, joined Recently, etc [ tags & mentions ] : most used hashtags and mentioned accounts [ email ] : if any email is used any where it'll be displayed [ posts ] : accessability caption, location, timestamp, caption, picture url, etc ( yet not working correctly with posts instagram marks as 'sensitive cotent' ) How To Install apt update && upgrade -y Pkg install git pkg install python3 git clone https://github.com/th3unkn0n/osi.ig.git && cd osi.ig python3 -m pip install -r requirements.txt Usage python3 main.py -u username
Read more

Active Directory Ransomware Attacks

Image
    Organizations worldwide use Active Directory (AD) as their primary identity service , which makes it a top target for ransomware attacks . This article explains how adversaries exploit Active Directory during ransomware attacks and provides strategies and tools for defending against this modern menace. The two phases of a ransomware attack A common misconception about ransomware attacks is that they are quick: Someone opens an infected email attachment or inserts an infected USB device , and within minutes data across the network is encrypted and a ransom demand is displayed on every screen . The reality is quite different. Ransomware attacks today tend to be quite sophisticated and methodical . To encrypt as much sensitive information as possible and therefore maximize the chances of receiving a high payout , attackers proceed in two phases: Find an entry point — The first step is to gain a foothold in the victim organization ’s network . One common strategy is to comp...
Read more

How to perform a Man-in-the-middle (MITM) attack with Kali Linux

Image
Learn how to perform a Man in the middle attack with arpspoof, driftnet and urlsnarf in Kali Linux In this article, you will learn how to perform a MITM attack to a device that's connected in the same Wi-Fi networks as yours. Requirements This article assumes that you know what is a network interface and you know to how to work with Kali Linux and the command line. Before starting, you will need to know the name of the Network interface (installed on your machine) and the IP of the router that provides Wi-Fi access. The Network Interface Name can be easily obtained as running the ifconfig command on a terminal, then from the list copy the name of the interface that you want to use. The IP of the router can be obtained executing ip route show on a terminal and a message like "default via [This is the router IP]". From the victim, you will only need the IP (the user needs to be connected to the network provided by the router). The process of obtaining the device IP of the v...
Read more