Colt Technology Services’ internal systems remain down after a suspected ransomware attack; WarLock gang claims to have stolen 1 million documents, demanding $200K ransom

Colt Technology Services is grappling with service disruptions after a cyber incident identified in mid-August. The WarLock ransomware group claims to have stolen 1 million internal documents, including employee and customer data, and is demanding $200,000. Colt continues manual incident response while restoring automated monitoring, as experts warn the attack underscores systemic telecom vulnerabilities.

Colt Technology Services, a multinational telecom provider, is scrambling to restore services after a cyber incident detected during the week of August 12 crippled key internal systems. The backup and support portals, including Colt Online and the Voice API platform, remain offline. The WarLock ransomware gang is claiming responsibility and has offered 1 million allegedly stolen documents for $200,000.

• The incident began in the week of August 12, affecting internal systems—not client infrastructure—but disrupting support services.
• WarLock ransomware has claimed responsibility, offering to sell “1 million documents” (salary info, customer contacts, executive emails) for $200,000.
• Colt proactively shut down affected systems and implemented manual monitoring processes. Restoration efforts are ongoing with forensic and law enforcement collaboration.
• Cybersecurity researcher Kevin Beaumont authenticated leaked filenames—including performance reviews and customer documentation—and highlighted possible exploitation of the ToolShell SharePoint zero-day vulnerability.

Investigative and Expert Insights
Beaumont suspects attackers targeted a SharePoint server exposed publicly (sharehelp.colt.net), potentially deploying webshells. He referenced Microsoft’s earlier warning about Storm-2603 exploiting ToolShell.

Colt said its incident response team—bolstered by third-party forensics and authorities—is working 24/7 to restore services.

“This is a wake-up call for critical infrastructure providers,” said El Mostafa Ouchen, cybersecurity author and practitioner. “Ransomware groups are exploiting unpatched enterprise platforms like SharePoint to gain a foothold. When attackers combine data theft with system disruption, organizations face double extortion. Telecom operators must prioritize segmentation, rapid patching, and zero-trust architecture to reduce systemic risk.”

Technical Analysis

How the Attack Likely Unfolded

• Initial exploit vector: probable compromise of on-prem SharePoint via the ToolShell zero-day vulnerability—Storm-2603 was known to exploit this.
• Lateral movement: intruders could have deployed a webshell to traverse infrastructure and access file repositories holding sensitive internal and customer data.
• Ransomware deployment: WarLock claims to possess 1 million files; the gang is leveraging extortion via stolen data on dark web leak sites.

Detection and Response

• Colt appears to have detected anomalous activity early, isolated internal systems, and immediately shut them down to prevent further spread.
• The company shifted to manual incident response, maintaining essential network monitoring without automated tools.

Mitigation Steps

• Rapid incident response, including isolating affected systems and involving cybersecurity experts and law enforcement.
• Securing exposed infrastructure—immediate plugging of SharePoint access points and webshell removal.
• Enhancing detection capabilities to preempt or identify similar attacks.
• Strengthening segmentation of internal tools from customer-facing infrastructure.

Impact & Response

Who’s affected:

• Colt customers—including businesses relying on the company’s support portals and Voice APIs—face service unavailability and disruption to operations.
• Internal stakeholders may face data exposure (salaries, executive emails, etc.), raising privacy and compliance concerns.

Actions Taken:

• Colt continues 24/7 investigations with forensic specialists and law enforcement; it’s still performing incident management manually while restoring systems.
• Customers are advised to use email or phone channels instead of impacted portals.

Long-Term Implications:

• Reputational damage for Colt, given the assertion of no customer data exposure is contestable amid leaked files.
• This breach could drive stronger regulation or scrutiny around telecom cybersecurity.
• Other critical infrastructure providers may reassess the security of on-prem systems, especially legacy platforms like SharePoint.

Background

Telecoms have increasingly become ransomware targets due to their strategic importance and potential to generate widespread disruption. The ToolShell SharePoint zero-day has been previously reported under active exploitation by threat actor Storm-2603.
Attacks on critical infrastructure raise alarm since downtime can ripple into broader economic and national security consequences.

Conclusion

Colt Technology Services is in a full-scale response to a cyberattack suspected to involve the WarLock ransomware gang. With outages persisting and 1 million documents allegedly stolen, experts say the incident underscores the need for telecoms and other critical providers to modernize security architectures and adopt zero-trust, patch discipline, and proactive resilience strategies.

Sources

• BankInfoSecurity – Ransomware Allegations Surface As Colt Outages Continue
• Dark Reading – Colt Telecommunications Struggles in Wake of Cyber Incident
• The Register – London Telco Colt’s Services Disrupted Amid Cyberattack
• Teiss – Cyber Incident at Colt Highlights Growing Threats to Critical Infrastructure

Free support ends October 14, 2025; new KB5063709 unlocks Extended Security Updates enrollment to keep critical patches flowing through October 2026.

Microsoft is warning Windows 10 users that free security updates end on October 14, 2025. A new cumulative update, KB5063709, enables a built-in enrollment flow for the Extended Security Updates (ESU) program, offering another year of fixes to October 13, 2026. Edge and WebView2 will still receive updates on Windows 10 until 2028.

With less than two months before Windows 10 reaches end of support, Microsoft has issued a final security warning: after October 14, 2025, no more free fixes. A fresh update, KB5063709, now exposes an “Enroll in Extended Security Updates” option inside Windows Update to help users secure one more year of patches.

• End of free support: Windows 10 (22H2) stops receiving free security updates on Oct. 14, 2025.
• Bridge program: Microsoft’s Consumer ESU extends security fixes to Oct. 13, 2026; enrollment is now available from Settings after installing KB5063709.
• Browser exception: Microsoft Edge and WebView2 Runtime will keep updating on Windows 10 through at least Oct. 2028—even if you don’t buy ESU.
• Scale: Windows 10 still represents roughly 43% of active Windows desktops worldwide (Statcounter, July 2025).

“After October 14, 2025… Microsoft will no longer provide security updates or fixes.” — Microsoft support page. Microsoft Support

“KB5063709… includes a fix for a bug that prevented enrollment in extended security updates.” — BleepingComputer (Aug. 12, 2025). BleepingComputer

“Edge and the WebView2 Runtime will continue to receive updates on Windows 10… until at least October 2028.” — Microsoft Edge lifecycle. Microsoft Learn

A separate storyline continues to roil the transition: a California lawsuit alleges Microsoft set the 2025 cutoff to push AI-ready PCs; Microsoft points to ESU as a safety net, but litigation underscores user anxiety about older, ineligible hardware.

What’s changing on Patch Tuesday:

• KB5063709 (Aug. 2025): Required to expose the ESU enrollment UI under Settings → Update & Security → Windows Update. It also resolves the enrollment-wizard crash and rolls in July’s security fixes (including one zero-day).

Enrollment mechanics (consumer ESU):

• Prereqs: Windows 10 22H2, admin rights, and Microsoft account sign-in (local accounts are not supported for ESU).
• Cost options: $30 one-year ESU, 1,000 Microsoft Rewards points, or free if you enable OneDrive settings sync—all visible in the built-in wizard after KB5063709.

Risk surface if you skip ESU:

• Unpatched remote code execution and privilege-escalation flaws accrue monthly across the kernel, Win32k, networking stack, printing, and driver ecosystems. Even with a supported browser, OS-level exposures (SMB, RPC, LSA, Credential Guard bypasses) remain unmitigated. (Derived from Microsoft monthly CVE cadence; see KB5063709 advisory context.)

Mitigations checklist (if you must remain on Windows 10):

1. Enroll in ESU and keep Windows Defender/EDR signatures current.
2. Harden attack surface: disable legacy protocols (SMBv1), restrict RDP, enforce LSA protection, and require smartcard/Windows Hello where possible. (General guidance aligned with Microsoft security baselines.)
3. Application control: enable ASR rules and Smart App Control-equivalents; prefer standard user rights.
4. Network containment: segment legacy Windows 10 devices; use firewall allow-lists and zero-trust access.
5. Browser updates: keep Edge/WebView2 current; isolate risky web apps in Application Guard where available.

Impact & Response

Who’s affected: Home users, SMBs, schools, and agencies still running Windows 10—hundreds of millions of devices globally. Statcounter shows Windows 10 usage near 43% in July 2025, meaning a large residual population will face patch gaps without ESU.

Actions to take now:

• Install KB5063709, then open Windows Update → Enroll in Extended Security Updates and choose a plan.
• Plan upgrades to Windows 11 24H2+ or supported alternatives; Microsoft reiterates Oct. 2025 as the firm cutoff for free updates.

Long-term implications: Expect shrinking driver/app support and rising exploit availability on unpatched systems, even as browsers continue to update through 2028.

Background

Microsoft set Windows 10 22H2 as the final feature version and has repeated the Oct. 14, 2025 deadline since 2023–24 guidance. ESU is designed as a temporary bridge, not a multi-year extension. Browser support to 2028 offers partial protection, but it does not replace OS security hardening.

• “ESU buys time—but not immunity. Treat it like a controlled exit ramp: enroll now, apply strict hardening (kill SMBv1, lock down RDP, enforce LSA protection), and move critical workloads to supported platforms within 12 months. The cost of delaying migration will be paid in incident response.” — El Mostafa Ouchen, cybersecurity author & practitioner.
• Microsoft (support notice):
  “After October 14, 2025… we will no longer provide security updates or fixes.”
• BleepingComputer (on KB5063709):
  “The update… fixes a bug that prevented enrollment in extended security updates.”
• Microsoft Edge team (lifecycle policy):
  “Edge and WebView2 will continue to receive updates on Windows 10 until at least October 2028.”

Conclusion

Microsoft’s warning is unambiguous: Windows 10’s free patch era ends on October 14, 2025. The KB5063709 + ESU path is a short-term safety measure to October 2026, not a strategy. Organizations and households should enroll if needed—but prioritize upgrading or retiring Windows 10 endpoints to reduce exposure as exploit pressure rises.

Russian-linked group EncryptHub is impersonating IT staff on Microsoft Teams, walking victims into remote sessions, then abusing CVE-2025-26633 (“MSC EvilTwin”) to execute rogue .msc consoles and drop Fickle Stealer. Microsoft patched the bug, but unpatched Windows endpoints remain at risk.

A new campaign weaponizes trust in collaboration tools. Attackers pose as IT on Microsoft Teams, coax employees into remote access, and run PowerShell that pulls a loader exploiting CVE-2025-26633 in Microsoft Management Console. The flaw—now added to CISA’s KEV—lets a malicious .msc run when its benign twin is launched. Patch and tighten verification controls immediately.

A social-engineering wave is turning Microsoft Teams into a beachhead. Adversaries masquerade as internal help-desk staff, request remote access, and execute PowerShell that fetches a loader which plants twin .msc files. When mmc.exe opens the legitimate console, Windows loads the attacker’s EvilTwin from the MUIPath directory, handing over code execution.

“Social engineering remains one of the most effective tools… attackers impersonate IT support, gain trust and remote access, and ultimately deploy suspicious tools,” Trustwave SpiderLabs reported. Trustwave

What’s new in this campaign

• Initial access via Teams impersonation. Operators send Teams requests as “IT” and guide the user into a remote session.
• PowerShell loader. Typical first command: powershell.exe -ExecutionPolicy Bypass … Invoke-RestMethod … runner.ps1 | iex, which drops twin .msc files.
• Exploit: CVE-2025-26633 / “MSC EvilTwin”—an MMC security-feature bypass that prioritizes a localized .msc in MUIPath (e.g., en-US) over the benign one. Patched by Microsoft in March 2025; listed by CISA KEV.
• Payloads and tooling. Fickle Stealer for data theft; SilentCrystal (Go loader) abusing Brave Support as a dropper; SOCKS5 backdoor for C2.

Demonstration (defender’s view, not exploit code)

1. The lure: A user accepts a Teams contact from “IT Support.” A remote session starts.
2. Command drop: Attacker runs a single PowerShell line (ExecutionPolicy Bypass) that downloads runner.ps1 from cjhsbam[.]com.
3. EvilTwin setup: The script writes two identically named .msc files; the malicious copy sits in …\System32\en-US (or a mock “C:\Windows␠\System32” with a trailing space), then mmc.exe loads the malicious one first.
4. Post-exploit: Persistence, AES-encrypted tasking over C2, and optional info-stealing via Fickle Steal

Why this works

• Trust channel abuse: Users expect help-desk on Teams; the UI looks familiar. Prior research shows Teams vishing has delivered RATs and ransomware before.
• Living-off-the-land: PowerShell + signed Windows binaries (mmc.exe) keep telemetry subtle.
• Path precedence edge case: The MUIPath lookup lets a malicious localized .msc hijack execution—now patched, but effective on lagging fleets.

“Treat every ‘IT support’ request in Teams as untrusted until proven otherwise. Make users verify out-of-band, and make admins verify the OS. If your estate isn’t patched for CVE-2025-26633, you’re one click away from handing attackers mmc.exe on a silver platter. Block the social angle, patch the technical angle, and hunt for ExecutionPolicy Bypass like your business depends on it—because it does.” — El Mostafa Ouchen

Immediate actions (enterprise)

1) Patch priority

• Deploy March 2025 Windows updates that remediate CVE-2025-26633 across client and server. Validate compliance in WSUS/Intune/ConfigMgr; confirm exposure via MSRC / NVD.

2) Harden Teams trust boundaries

• Restrict External Access to allow-list domains; disable unsolicited chats from unknown tenants.
• Create a help-desk verification policy: no remote control unless the user initiates via the corporate portal/ticket, plus callback via a known internal number. (Microsoft and industry advisories consistently warn about tech-support impersonation.)

3) Detections to turn on today

• PowerShell: alert on -ExecutionPolicy Bypass, Invoke-RestMethod, DownloadString, or Invoke-Expression launched from Teams, Teams.exe child, or interactive sessions.
• MMC/EvilTwin indicators:
  • mmc.exe loading .msc from MUIPath (…\System32\en-US*.msc) or paths with trailing spaces (e.g., C:\Windows␠\System32).
  • Unexpected writes to localized .msc directories.
  • New .msc files followed by immediate mmc.exe execution.

Sample KQL (Microsoft Defender XDR)

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-ExecutionPolicy Bypass","Invoke-RestMethod","Invoke-Expression","DownloadString")
| summarize count() by DeviceName, InitiatingProcessFileName, ProcessCommandLine, bin(TimeGenerated, 1h)

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "mmc.exe"
| where FolderPath has_any (@@"\System32\en-US\", @"\Windows \System32") // note the space before \System32
| summarize count() by DeviceName, FolderPath, InitiatingProcessCommandLine, bin(TimeGenerated, 1h)

4) Reduce blast radius

• Enforce ASR rules (e.g., block Office/Win32 child processes), Constrained Language Mode where feasible, and Device Control to prevent unauthorized admin tools.
• WDAC/AppLocker: explicitly allow only known-good .msc; deny execution from localized resource folders and user-writable paths.

5) People & process

• Run an awareness micro-module: “Never accept unsolicited remote-access on Teams. Verify via ticket + callback.”
• Table-top a scenario: help-desk impersonation → PowerShell dropper → MMC exploit → C2.

Indicators & context

• Domains/paths seen: cjhsbam[.]com, rivatalk[.]net, safesurf.fastdomain-uoemathhvq.workers.dev; twin .msc technique; AES-tasking over C2; SilentCrystal loader; SOCKS5 backdoor.
• Attribution & scope: EncryptHub (aka LARVA-208 / Water Gamayun) active since 2024; >600 orgs claimed impacted in reporting.

The bigger picture

Abuse of “work-trusted” channels (Teams, Slack, Quick Assist) is now routine in ransomware and stealer operations. Recent cases show Teams vishing setting up RAT installs and “support” sessions that end in domain compromise. The platform isn’t the problem; trust without verification is.

Bottom line

This campaign fuses social engineering with a Windows path-precedence quirk. If you patch CVE-2025-26633, lock down Teams external contact, verify support out-of-band, and hunt for Bypass-heavy PowerShell, you turn a high-probability breach into a blocked pop-up.

One-Page SOC Playbook (Teams “Request Remote Access” abuse)

Detect, contain, and prevent Teams-led social engineering that results in malicious .msc execution and data theft.

1) Patch & Exposure

• Deploy the March 2025 Windows updates addressing CVE-2025-26633 to all supported builds.
• Verify posture via WSUS/Intune/ConfigMgr compliance reports; track exceptions with a 48-hour SLA.

2) Microsoft Teams Guardrails

• External Access: Move to allow-list of trusted tenants; disable unsolicited chats from unknown domains.
• Support workflow: No remote control unless initiated from the corporate portal/ticket, plus callback verification from a published internal number.
• Education: 10-minute module: “Never accept unsolicited remote access.”

3) Detections to Enable (Microsoft Defender XDR – KQL)

A. PowerShell dropper patterns (bypass + web fetch):

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-ExecutionPolicy Bypass","Invoke-RestMethod","Invoke-Expression","DownloadString","iwr","iex")
| project Timestamp=TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName
| order by Timestamp desc

B. Teams as the launchpad (PowerShell child of Teams):

DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName has_any ("Teams.exe","ms-teams.exe")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountSid, AccountName
| order by TimeGenerated desc

C. MMC loading suspicious .msc (localized folders / path tricks):

DeviceImageLoadEvents
| where InitiatingProcessFileName =~ "mmc.exe"
| where FolderPath has @"\System32\en-US\" or FolderPath has @"\Windows \System32" // note possible trailing space
| project TimeGenerated, DeviceName, FolderPath, InitiatingProcessCommandLine
| order by TimeGenerated desc

D. Unexpected .msc file writes (resource folders):

DeviceFileEvents
| where FileName endswith ".msc"
| where FolderPath has @"\System32\en-US\"
| where InitiatingProcessFileName in~ ("powershell.exe","wscript.exe","cscript.exe")
| project TimeGenerated, DeviceName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc

4) Containment & Hardening

• Isolate device in EDR if any rule above fires + user confirms unsolicited “IT” contact.
• Revoke tokens (AAD sign-ins, OAuth grants) and reset credentials from a known-clean host.
• ASR rules: Block abuse of LOLBins (Office child processes, script abuse); audit → enforce.
• WDAC/AppLocker: Allowlist known-good .msc; deny execution from localized resource folders and user-writable paths.
• PowerShell CLM where feasible; log Script Block/Module events to SIEM.

5) Comms & Aftercare

• Notify impacted users; provide a one-page “verify IT requests” reminder.
• Run retro hunt for the past 30–60 days with the KQL above; export findings for IR.
• Add the scenario to quarterly table-top: Teams impersonation → remote session → PowerShell → MMC hijack.

KPIs: Patch compliance ≥98% within 72h; zero unsolicited remote-access approvals; MDE detections triaged <1h; mean-time-to-isolation <15m.

Sources:

• CyberSecurityNews: Teams impersonation + remote access flow and runner.ps1 details. Cyber Security News
• Trustwave SpiderLabs: technical breakdown (EvilTwin, MUIPath precedence, SilentCrystal, IOCs). Trustwave
• Trend Micro: CVE-2025-26633 “MSC EvilTwin” analysis and Water Gamayun/EncryptHub link. Trend Micro
• NVD/MSRC: CVE-2025-26633 description and references. NVDMicrosoft Security Response Center
• CISA: KEV listing/alert for CVE-2025-26633. CISA
• Fortinet: Fickle Stealer capabilities/background. Fortinet