
Colt Technology Services Experiences Cyber Incident Impacting Services

2 unique sources, 2 articles

Summary


Colt Technology Services, a UK-based telecommunications company, has confirmed a cyber incident affecting its internal systems and customer-facing platforms. The incident began on August 12, 2025, causing disruptions to the Colt Online Platform and Voice API. The company has taken protective measures, including taking systems offline, to mitigate the impact. A threat actor, cnkjasdfgd, claims to have stolen 1 million documents and is offering them for sale. The incident has affected Colt's ability to provide automated monitoring and support services, forcing the company to operate some services manually, with delayed response times as a result. The threat actor, associated with the Warlock ransomware gang, has published data samples allegedly containing financial, employee, and customer information. The Warlock gang is auctioning the stolen documents and has been exploiting a SharePoint vulnerability to breach corporate networks.

Timeline

  1. 21.08.2025 23:41 (1 article)

    Warlock ransomware gang exploits SharePoint vulnerability to breach networks

    The Warlock ransomware gang, attributed to Chinese threat actors, has been exploiting a SharePoint vulnerability to breach corporate networks and deploy ransomware. The gang uses the leaked LockBit Windows and Babuk VMware ESXi encryptors in their attacks and demands ransom ranging between $450,000 and millions of dollars.

  2. 15.08.2025 21:12 (2 articles)

    Colt Technology Services Confirms Cyber Incident Affecting Services

    On August 12, 2025, Colt Technology Services acknowledged service disruptions affecting the Colt Online Platform and Voice API. The company detected a cyber incident on an internal system on August 14, 2025, and took protective measures, including taking systems offline. A threat actor, cnkjasdfgd, claims to have stolen 1 million documents and is offering them for sale. The incident has led to manual operation of some services and delayed response times. The Warlock ransomware gang is auctioning the stolen documents, which include financial information, network architecture data, and customer information.


Similar Happenings

Salesloft Disables Drift Following OAuth Token Theft

Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Qualys, Rubrik, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. Their primary objective was to steal credentials, specifically sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.

Jaguar Land Rover Production Disrupted by Cyberattack

Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The attack prompted the company to shut down several systems to mitigate the impact. Customer data was compromised, and the exact nature of the attack and the timeline for recovery remain unclear. The incident affected multiple systems, including those at the Solihull production plant, where popular models like the Land Rover Discovery and Range Rover are manufactured. The attack occurred over the weekend, a common time for such incidents due to reduced response capabilities. This is the second cyberattack JLR has suffered this year, raising concerns about potential vulnerabilities from the previous attack. JLR has extended the production shutdown for another week, with operations expected to resume on September 24, 2025. The company is still investigating the incident and has not attributed the breach to a specific cybercrime group.

Ransomware Attack on Pennsylvania Attorney General's Office

The Pennsylvania Attorney General's Office suffered a ransomware attack that has caused a three-week service outage. The attack encrypted files, disrupting systems and services, including the public website, email accounts, and landline phones. The office refused to pay the ransom. The investigation is ongoing, and the extent of data exfiltration is unknown. The attack began on August 11, 2025. The office is partially recovering services, but the website remains inaccessible. Courts have issued time extensions for ongoing cases. The impact on criminal prosecutions, investigations, or civil proceedings is expected to be minimal.

Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials

A supply chain attack on the nx build system allowed attackers to publish malicious versions of the popular npm package and auxiliary plugins. These versions contained data-gathering capabilities that exfiltrated 2,349 credentials from GitHub, cloud, and AI services. The attack occurred on August 26, 2025, affecting multiple versions of the nx package and related plugins. The compromised packages were removed from the npm registry, and users were advised to rotate credentials and check for malicious modifications in their systems. The malicious packages scanned file systems, collected credentials, and posted them to GitHub repositories under the users' accounts. The attack exploited a vulnerable workflow introduced on August 21, 2025, which allowed for arbitrary command execution and elevated permissions. The attack took approximately four hours from start to finish, resulting in the exfiltration of around 20,000 sensitive files. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets and modified shell startup files to crash the system upon terminal session opening. A second attack wave was identified on August 28, 2025, affecting over 190 users/organizations and over 3,000 repositories. The second wave involved making private repositories public and creating forks to preserve data. The attack unfolded in three distinct phases affecting 2,180 accounts and 7,200 repositories. The first phase impacted 1,700 users and leaked over 2,000 unique secrets. The second phase compromised 480 accounts and exposed 6,700 private repositories. The third phase targeted a single organization, publishing an additional 500 private repositories.

AI-Powered Ransomware 'PromptLock' Under Development

A new AI-powered ransomware strain named 'PromptLock' has been discovered by ESET researchers. This ransomware uses an AI model to generate scripts on the fly, making it difficult to detect. The malware is currently in development and has not been observed in active attacks. It is designed to exfiltrate files, encrypt data, and potentially destroy files. The ransomware was uploaded to VirusTotal from the United States and is written in the Go programming language, with variants for Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom notes based on the files affected and the type of infected machine.