- Colt has updated its status page to confirm data exfiltration
- It is currently looking into the type of information stolen
- Warlock is selling the archives for $200,000
Colt Technology Services has confirmed that sensitive customer data was stolen in a recent cyberattack and is now being sold online.
Customers of the UK telco firm recently complained after not being able to access some of its services, and soon after, the company said it was being forced to shut down parts of its infrastructure due to an ongoing attack.
At the time, the company did not discuss the identity of the attackers, or if they stole any files, but now a ransomware group known as Warlock has claimed to be behind the attack, and has already started selling a database with a million files on the dark web, for $200,000.
Attacking SharePoint servers
Now, Colt seems to have confirmed these reports, at least in part.
“Through our extensive investigation, we have determined that some data has been taken,” an updated announcement says. “Our priority is to determine at pace the precise nature of the data that is impacted and notify any affected parties.”
Warlock claims the archives contain financial information, network architecture data, and customer information. If these claims turn out to be true, the archive is a treasure trove for criminals, who can use it for phishing, identity theft, and even wire fraud.
Colt’s customers are reportedly able to request a list of filenames posted on the dark web from the dedicated call center.
Warlock is a Chinese group that deploys LockBit’s Windows encryptor and Babuk’s VMware ESXi encryptor in its attacks.
Experts believe the attackers most likely went for Colt’s SharePoint servers, which have proved attractive targets for hackers in recent times. Some of these servers were pulled offline after, most likely, being infected with a webshell – and Colt seems to have added firewalls to those servers, following the attack.
Via BleepingComputer