Pour one out for Colt.
Conversation
Notices
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 14-Aug-2025 01:36:35 JST 
Kevin Beaumont
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 14-Aug-2025 01:42:43 JST
Kevin Beaumont
Colt disappeared yesterday, their status page says "technical issue"
Their customer portal is also MIA: https://online.colt.net
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 14-Aug-2025 19:12:22 JST
Kevin Beaumont
Colt are dealing with what appears to be an undisclosed cyber incident. They firewalled their inbound EU infrastructure on the 12th - org:”COLT EU INFRASTRUCTURE” on Shodan.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 14-Aug-2025 22:29:16 JST
Kevin Beaumont
Colt had ecrime IP addresses talking to a bunch of SharePoint servers (now offline), which also appeared to have webshells on them.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 15-Aug-2025 01:08:25 JST
Kevin Beaumont
Colt's also started isolating some systems on COLT Technology Services Group Limited ASN.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 15-Aug-2025 02:12:52 JST
Kevin Beaumont
Colt have finally confirmed an ongoing cyber incident, after several days of pretending it was a technical issue to customers.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 15-Aug-2025 02:22:34 JST
Kevin Beaumont
Btw although everything is written in the past tense, the customer facing systems (which include data on customers - eg Colt Online) are still offline now and the incident is very definitely still ongoing.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 15-Aug-2025 20:26:16 JST
Kevin Beaumont
Colt are extorted by Warlock ransomware group, they have been for over a week, Colt are trying to cover it up.
Entry likely via sharehelp.colt.net via CVE-2025-53770 as they were interacting with it.
They've stolen a few hundred gig of customer data and documentation and posted a file list on a forum.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 15-Aug-2025 22:01:22 JST
Kevin Beaumont
Here's the forum post, it's a Russian Tor site.
-
Embed this notice
SpiderHat (sp1derh4t@cyberplace.social)'s status on Saturday, 16-Aug-2025 00:25:42 JST 
SpiderHat
@GossiTheDog Argh, I was to late for the filebin. Anyone willing to share or at least provide some info regarding the contents and if the claims are legit?
Kevin Beaumont repeated this. -
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 16-Aug-2025 00:33:24 JST
Kevin Beaumont
Here's Bleeping Computer on the Colt thing: https://www.bleepingcomputer.com/news/security/colt-telecom-attack-claimed-by-warlock-ransomware-data-up-for-sale/
-
Embed this notice
System Adminihater (systemadminihater@cyberplace.social)'s status on Saturday, 16-Aug-2025 01:14:26 JST
System Adminihater
@GossiTheDog You can tell which ransomware groups Crowdstrike operates by what companies are running that get compromised ;)
-
Embed this notice
casaundra (casaundra@mastodon.social)'s status on Saturday, 16-Aug-2025 02:04:34 JST
casaundra
@Sp1derH4t @GossiTheDog there is mirror of Colt file tree https://file.kiwi/62f9327f#0OTL_nd4fccyLT_BUwIfhg
-
Embed this notice
Royce Williams (tychotithonus@infosec.exchange)'s status on Saturday, 16-Aug-2025 02:57:19 JST 
Royce Williams
@GossiTheDog Since it's just the tree, if someone could snapshot it safetly and put a text-only version of it somewhere (like a GitHub gist), folks would probably appreciate that
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 16-Aug-2025 02:57:21 JST
Kevin Beaumont
There's apparently a mirror of the Colt file name tree here, for any orgs looking to establish their risk. https://mastodon.social/@casaundra/115033551022266815
-
Embed this notice
nothing (nothing@cyberplace.social)'s status on Saturday, 16-Aug-2025 06:38:37 JST
nothing
Has Colt confirmed whether CVE-2025-53770 was actually exploited, or is this still just suspected?
Based on my assumption and experience, this seems more likely to be an attack via a compromised internal host, since telecom giants typically have [W]-based firewalls in place. I'm not sure if that control was bypassed in this case.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 17-Aug-2025 01:15:37 JST
Kevin Beaumont
Colt Technology Services are up on the Warlock ransomware group portal.
List of 400k files they have stolen: https://www.klos.com/~john/colt_filename_tree.txt
I’ve authenticated the filenames are real, eg they include customer documentation and performance reviews of Colt staff.
-
Embed this notice
Quentyn (quentyn@cyberplace.social)'s status on Sunday, 17-Aug-2025 04:04:49 JST
Quentyn
@GossiTheDog there are potentially a lot of passwords that need changing too
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 17-Aug-2025 05:56:39 JST
Kevin Beaumont
Colt also appears in Warlock's FAQ page, it's an echo of their RAMP forum post with a minor change ("Regarding data disclosure, we will selectively disclose certain data.")
My view is Colt shouldn't pay. It is directly funding organised crime - even if paid for via insurance/legal agents - and increases the risk to everybody else.
-
Embed this notice
swoody (swoody@mastodon.social)'s status on Sunday, 17-Aug-2025 20:49:11 JST
swoody
@GossiTheDog just echoing the authentication of this file list - there are documents in here relating to my company's porting relationship with Colt and many others I recognise.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 20-Aug-2025 00:50:35 JST
Kevin Beaumont
Warlock ransomware/extortion group have moved Colt full data unlock time to a week away, and said data auction is in progress.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 20-Aug-2025 20:51:56 JST
Kevin Beaumont
Colt have setup a cyber incident page, set to noindex so Google etc can’t find it, detailing their incident.
https://www.colt.net/go/cyber-incident/
Confirms for first time customer documentation stolen and some scope of systems still offline.
-
Embed this notice
Brian Clark (deepthoughts10@infosec.exchange)'s status on Wednesday, 20-Aug-2025 22:03:31 JST 
Brian Clark
@GossiTheDog I’m worried that they got documentation on their customer network and router configurations. That could open up a lot of new attack paths.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 21-Aug-2025 21:08:42 JST
Kevin Beaumont
The status updates on Colt's website describing a "technical issue" have been removed, replacing it with always being a cyber incident.
Left - internet archive - https://web.archive.org/web/20250814102113/https://www.colt.net/status/
Right - now https://www.colt.net/status/#updates -
Embed this notice
System Adminihater (systemadminihater@cyberplace.social)'s status on Thursday, 21-Aug-2025 21:47:08 JST
System Adminihater
@GossiTheDog Do you by chance know anyone over at MSFT that works in the partner program? lol
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 22-Aug-2025 21:46:04 JST
Kevin Beaumont
Colt are now 10 days into their cyber incident (ransomware), systems are still offline.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 23-Aug-2025 02:24:07 JST
Kevin Beaumont
I've written about the Colt Technology Services ransomware incident, with a focus on learnings for other organisations.
Guest appearance by @leakix for finding the webshell at Colt.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Aug-2025 16:20:29 JST
Kevin Beaumont
Colt are now 15 days into their cyber incident, the same systems are still offline.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Aug-2025 16:26:28 JST
Kevin Beaumont
Colt’s status page has been revised, removing most of the prior updates, with a new bolded statement around customer systems. https://www.colt.net/status/
The separate cyber incident page, detailing what happened, isn’t linked anywhere on their website and is set to noindex: https://www.colt.net/go/cyber-incident/
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Aug-2025 16:29:21 JST
Kevin Beaumont
By repeatedly linking the Colt cyber incident page, I have got it into a Google search for Colt cyber incident though - the content is just hidden from search. https://www.colt.net/go/cyber-incident/
We really should be over the point of companies trying to hide their cyber incidents, it’s race to the bottom stuff.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 27-Aug-2025 16:39:16 JST
Kevin Beaumont
A net side effect of Colt using noindex, btw, is my blog is the top Google hit with a description - it has 5k clicks yesterday from Google - and contains this email.
It’s pretty much a textbook example of Colt’s comms strategy hurting their business.
-
Embed this notice
:hacker_p: :hacker_f: :hacker_t: (pft@infosec.exchange)'s status on Wednesday, 27-Aug-2025 17:16:20 JST 
:hacker_p: :hacker_f: :hacker_t:
@GossiTheDog out of curiosity: how did you discover the page?
-
Embed this notice
Zoidberg Rodríguez (zoid@infosec.exchange)'s status on Wednesday, 27-Aug-2025 18:27:02 JST 
Zoidberg Rodríguez
@GossiTheDog Funny that, as a colt customer, I first read about the incident on mastodon and only a day later I’ve gotten an email from Colt.
-
Embed this notice
Zoidberg Rodríguez (zoid@infosec.exchange)'s status on Wednesday, 27-Aug-2025 19:37:17 JST
Zoidberg Rodríguez
@GossiTheDog Mission accomplished! Thanks. Just read your article as well. Wonder how much data there is. Does this include my clients data (ported numbers) as this might be a clusterf**
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 29-Aug-2025 01:53:16 JST
Kevin Beaumont
If anybody is wondering, Warlock not publishing Colt Technology Services data is intentional, just asked them. Presumably they are negotiating with the victim org.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 01-Sep-2025 17:35:57 JST
Kevin Beaumont
Colt are now on day 20 of their ransomware incident. Same services still down. In the replies here multiple people have also suggested number portability is also down, so telco customers cannot leave.
-
Embed this notice
Dr. Christopher Kunz (christopherkunz@chaos.social)'s status on Monday, 01-Sep-2025 19:22:21 JST 
Dr. Christopher Kunz
@GossiTheDog Do you have any indication that this outage also affects non-UK Colt customers?
-
Embed this notice
A (cwatu@infosec.exchange)'s status on Tuesday, 02-Sep-2025 17:33:39 JST
A
@GossiTheDog my MS teams phone number (bought from MS, not a port in) is a Colt number, this is what it shows when creating a new ticket with teams pstn support. No health advisory in MS admin centre.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 03-Sep-2025 05:35:39 JST
Kevin Beaumont
Microsoft are one of the many orgs caught up in the Colt ransomware incident. They haven't told customers for whatever reason, there's nothing in the O365 status portal for it.
If you use Teams with a purchased phone number... try not to have a problem 🤣 HT @cwatu
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 03-Sep-2025 05:39:24 JST
Kevin Beaumont
Colt have updated their cyber incident page to say they are having problems billing customers and issuing invoices.
However they may still apply late payment charges (good luck with that btw).
-
Embed this notice
James Tinmouth (tinmouth@infosec.exchange)'s status on Wednesday, 03-Sep-2025 05:45:40 JST 
James Tinmouth
@GossiTheDog they do appear to say they'll apply late payment charges IF they manage to invoice correctly.
Thx for your reporting on this BTW 👍
-
Embed this notice
Jernej Simončič � (jernej__s@infosec.exchange)'s status on Thursday, 04-Sep-2025 17:28:16 JST 
Jernej Simončič �
@cwatu @GossiTheDog Is this also why you can't add a phone number to a MS account right now (at least in Europe)?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Sep-2025 01:56:34 JST
Kevin Beaumont
Colt are now on day 24 of their ransomware incident, same systems still down. I've heard from many people now that Colt are downplaying the seriousness of their situation and that they've effectively lost their back office IT.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 10-Sep-2025 02:27:22 JST
Kevin Beaumont
Colt are on day 28 of their ransomware incident.
They’ve updated their cyber incident page, which isn’t linked on their website anywhere and is set to not index on search engines, to say they are committed to transparency.
They’ve entered the recovery phase, where they are rebuilding systems.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 10-Sep-2025 02:29:38 JST
Kevin Beaumont
All of the offline customers systems from day one of the incident are still listed as offline btw.
-
Embed this notice
Alex (alex02@cyberplace.social)'s status on Friday, 12-Sep-2025 05:53:39 JST 
Alex
@GossiTheDog oh no. So uh, is HR going to reimburse for the shovels they keep buying?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 12-Sep-2025 05:53:41 JST
Kevin Beaumont
Colt appear to be outright lying in their latest cyber incident comms to customers. They’re saying the threat actor only post document titles to the dark web, however they neglect to mention they know the attacker C2 server, and they know what files were exfiltrated by the threat actor.
Their IR made a bunch of Opsec errors, including putting their IR reports into public sandboxes and submitting URLs of customer files to VirusTotal. I have receipts.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Sep-2025 05:44:57 JST
Kevin Beaumont
Colt have told some enterprise customers they will be unable to deliver new orders until early 2026.
-
Embed this notice
Damien (damien@layer8.space)'s status on Saturday, 13-Sep-2025 05:57:51 JST 
Damien
@GossiTheDog isn't that roughly their normal lead time?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 16-Sep-2025 23:34:31 JST
Kevin Beaumont
In a new update on their cyber incident, Colt Technology Services say they are aiming to restore a majority of services by or around December. If that completes on time it should be around ~4 months since the incident began.
-
Embed this notice
nothing (nothing@cyberplace.social)'s status on Sunday, 21-Sep-2025 00:17:55 JST
nothing
@GossiTheDog came up again to have latest on this. Seeing few of your post has been deleted ?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 22-Sep-2025 23:23:46 JST
Kevin Beaumont
Been asked for an update on Colt Technology Services ransomware incident... there is none. The same services offline since day one of the incident (August 12th) are still offline today.
-
Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 22-Sep-2025 23:26:48 JST 
翠星石
@GossiTheDog >Using microsoft software even once.
Nothing was stolen - as the data still is there no matter how many copies you make - rather the data was exfiltrated. -
Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 22-Sep-2025 23:33:08 JST
翠星石
@GossiTheDog Why would deleting the backups delete the original copy?
Regardless, copying or deleting data is not theft and therefore nothing was stolen even if data was exfiltrated followed by deletion of the original data. -
Embed this notice
hecklefish (hecklefish@infosec.exchange)'s status on Tuesday, 23-Sep-2025 00:02:59 JST 
hecklefish
@GossiTheDog Im guessing they didn't pay up
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 25-Sep-2025 02:39:46 JST
Kevin Beaumont
Colt's published an update for customers on their ransomware incident. https://www.colt.net/go/cyber-incident/#update
-
Embed this notice
Andrei Kucharavy (andrei_chiffa@mastodon.social)'s status on Thursday, 25-Sep-2025 02:51:47 JST 
Andrei Kucharavy
@GossiTheDog "Recent cyber incident targeting our Business Support System (BSS)" - are they saying it was Salesforce compromise? Potentially an exploit chain stemming from the Salesloft breach from August?
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 02-Oct-2025 02:31:40 JST
Kevin Beaumont
Colt said they would have key capabilities restored at the beginning of October. It’s October now and the same systems are still offline, and they’ve published no weekly update. https://www.colt.net/go/cyber-incident/
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 02-Oct-2025 20:11:35 JST
Kevin Beaumont
It turns out Colt have decided to stop updating their cyber incident page (hidden from Google) and started emailing the same template to customers instead, while talking about their commitment to transparency. Here’s their latest update.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 08-Oct-2025 04:10:32 JST
Kevin Beaumont
Colt Technology Services have decided to start updating their cyber incident page again. In their latest update, dated both 29th September, 2025 and 6th October, 2025, they say they have rebuilt 2/3rd of their laptops so far, almost two months into the incident. As far as I know this is the first confirmation ransomware made it to laptops.
I pinged a staff member on LinkedIn who said they haven’t had a PC for the duration of the incident 😬
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 18-Oct-2025 04:56:17 JST
Kevin Beaumont
It’s just over 2 months into the Colt Technology Services ransomware incident. Their billing system is now back online so they’re invoicing customers for prior months, and they’re working on service restoration (really full rebuilds).
They’ve also set up a separate page about their cyber incident which is set to index on Google - however it says nothing about what actually happened, instead doing the Obama medal on itself for response. The actual customer page with updates is set to noindex.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 18-Oct-2025 04:57:14 JST
Kevin Beaumont
Colt are still my biggest fans on LinkedIn, it’s several thousand visits this month over this thread 😅
for the record I know they’re the victim and I know these incidents suck. But it’s kinda important there’s external coverage of these things, especially when it relates to Critical National Infrastructure firms.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 24-Oct-2025 01:20:28 JST
Kevin Beaumont
Colt restored their VMware Horizon remote access system today
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 31-Oct-2025 23:10:02 JST
Kevin Beaumont
Latest on Colt Technology Services restoration from Warlock ransomware incident, they're approaching 3 months since their incident began.
-
Embed this notice
All GNU social JP content and data are available under the