CyberDudeBivash Global Threat Intel — 15 Aug 2025

Executive summary.

  • Telco outage: UK telecom Colt Technology Services is battling a multi-day cyber incident; ransomware group WarLock now claims the attack and is leaking data. Customer portal/Voice API/hosting affected; recovery is ongoing. (Sources: The Register, Techzine Global, BleepingComputer)
  • Protocol-level DoS: New HTTP/2 “MadeYouReset” class of vulnerabilities enables low-cost server resource exhaustion across multiple implementations (patches rolling out). (Sources: The Cloudflare Blog, Imperva, Akamai, NVD)
  • India heritage target: Sree Padmanabhaswamy Temple (Thiruvananthapuram) had its main server breached; operational data stolen/deleted, but physical security systems unaffected. Case registered under India’s IT Act; probe in progress. (Source: The Times of India)
  • Regional ransomware: Charon ransomware campaigns continue against Middle-East public/aviation sectors with APT-style evasion. (Sources: The Hacker News, Security Affairs)
  • Strategic risk watch: The Microsoft–Nayara Energy dispute highlights supply-chain/sovereignty risk when critical workloads depend on foreign SaaS platforms. (Source: The Economic Times)

1) Colt Technology Services — service disruption & data leak

What’s new: Colt took Colt Online (the customer portal), Voice API, and other systems offline as a protective measure following a breach (outage since Aug-12). WarLock claims responsibility and is selling stolen data. (Sources: The Register, Techzine Global, BleepingComputer)

Risk: Downstream impact to enterprise comms (porting, APIs), third-party data exposure, potential BEC/phishing waves using leaked customer info. (Source: BleepingComputer)

Defender actions (today):

  • Rotate Colt-integrated API keys, SSO secrets, and admin passwords; audit access logs for anomalous token use since Aug-12.
  • Temporarily restrict allow-lists to known Colt IPs; monitor for typosquatting or phishing impersonating status portals.
  • If you’re a carrier or MSP: isolate management planes; validate backups of provisioning/number-porting systems.

2) HTTP/2 “MadeYouReset” DoS (multiple CVEs across projects)

What it is: A logical flaw in HTTP/2 stream handling lets an attacker rapidly open/reset streams (or send malformed frames) to exhaust server resources — simple traffic can knock sites over if servers are unpatched. Vendors report impact across Netty, Jetty, Tomcat, IBM WebSphere, F5 BIG-IP and others; CDN providers deployed mitigations. (Sources: The Cloudflare Blog, Imperva, my.f5.com, Akamai, NVD)

Who’s affected: Any public-facing HTTP/2 service behind affected implementations or proxies without mitigations. Cloudflare notes its Rapid Reset protections already neutralize this vector for customers. (Source: The Cloudflare Blog)

Patch & mitigate (priority order):

  1. Patch your stack (e.g., Netty ≥ 4.1.124.Final/4.2.4.Final; check your vendor advisories). (Source: NVD)
  2. Rate-limit/reset heuristics on HTTP/2 control frames; enable CDN/WAF “protocol anomaly” rules. (Sources: The Cloudflare Blog, Akamai)
  3. Fallback to HTTP/1.1 for unauthenticated endpoints during attack windows if needed. (Source: Imperva)

SOC watch items: Spikes of RST_STREAM/GOAWAY anomalies, sudden increases in concurrent streams, high HTTP 4xx with low bandwidth — especially when concentrated on a few source IPs.
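As an added example (not code from the original post or from any vendor), the following Python scores clients from a hypothetical per-frame HTTP/2 proxy log for the reset-storm signature described above. It counts RST_STREAM frames in both directions, because malformed frames can make the server itself issue the reset, so a detector that only watches client-sent resets would miss the pattern. The log layout, IPs, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict
# Hypothetical per-frame proxy log line: "<epoch> <client_ip> <dir> <frame> <stream_id>"
# where <dir> is c2s (client to server) or s2c (server to client).
def parse_frame_line(line):
    ts, ip, direction, ftype, sid = line.split()
    return float(ts), ip, direction, ftype, int(sid)

def reset_stats(lines, window=1.0):
    """Per client IP: streams opened, RST_STREAM count in either direction,
    peak resets inside any sliding window, and resets per opened stream."""
    opened = defaultdict(int)
    resets = defaultdict(list)  # ip -> timestamps of RST_STREAM frames
    for line in lines:
        ts, ip, direction, ftype, _ = parse_frame_line(line)
        if direction == "c2s" and ftype == "HEADERS":
            opened[ip] += 1
        elif ftype == "RST_STREAM":  # server-sent resets count too (MadeYouReset)
            resets[ip].append(ts)
    stats = {}
    for ip in set(opened) | set(resets):
        times = sorted(resets[ip])
        peak = start = 0
        for end in range(len(times)):  # sliding window over reset timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        ratio = len(times) / opened[ip] if opened[ip] else float("inf")
        stats[ip] = {"opened": opened[ip], "resets": len(times),
                     "peak_per_window": peak, "ratio": round(ratio, 2)}
    return stats

def flag_clients(stats, max_per_window=100, max_ratio=0.5):
    """Clients exceeding either threshold; tune both to your baseline traffic."""
    return sorted(ip for ip, s in stats.items()
                  if s["peak_per_window"] > max_per_window or s["ratio"] > max_ratio)

def build_sample():
    """Constructed events: one benign browser, and one client whose every
    stream is reset by the server within a second (the pattern to alert on)."""
    t, lines = 1755244800.0, []
    for i in range(20):
        lines.append(f"{t + i * 0.2:.3f} 198.51.100.5 c2s HEADERS {2 * i + 1}")
    lines.append(f"{t + 4.0:.3f} 198.51.100.5 c2s RST_STREAM 3")
    for i in range(300):
        lines.append(f"{t + i * 0.003:.3f} 203.0.113.7 c2s HEADERS {2 * i + 1}")
        lines.append(f"{t + i * 0.003 + 0.001:.3f} 203.0.113.7 s2c RST_STREAM {2 * i + 1}")
    return lines

if __name__ == "__main__":
    print(flag_clients(reset_stats(build_sample())))  # ['203.0.113.7']
```

In production, feed it the reset/stream events your edge or proxy already emits and pair the flagged IPs with the 4xx-versus-bandwidth check from the watch list.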


3) Sree Padmanabhaswamy Temple breach (India)

What happened: Adversaries breached the temple’s main server, stealing and deleting operational data. Security-system files remained intact; this is the first known cyber incident at this site. Investigation registered under IT Act Sections 43/65/66. (Source: The Times of India)

Why it matters: Cultural-heritage institutions are emerging targets; even without physical compromise, operational disruption and public trust erosion are significant.

Recommendations:

  • Segregate security-system networks from admin/ops servers; immutable offline backups for ops data; rapid IR + forensics with log preservation and MFA on all remote access.
  • Public-facing comms plan to deter copycats and reduce disinformation.

4) Charon ransomware — APT-style tradecraft in the Middle East

Summary: New Charon family uses victim-specific notes, EDR evasion, and advanced lateral movement against public/aviation sectors. Faster encryption and stealthy staging observed. (Sources: The Hacker News, Security Affairs)

Defender focus:

  • Hunt for Cobalt Strike/CrossC2/ToolShell beacons, SMB enumeration bursts, and unexpected archive tools; block shadow-copy deletions; enforce application allow-listing on jump hosts. (Source: The Hacker News)

Rapid checks your team can do today

  • External: Scan for HTTP/2 exposure and confirm vendor patch levels; place vulnerable apps behind a WAF/CDN with protocol-attack rules on. (Sources: The Cloudflare Blog, Imperva, Akamai)
  • Identity: Rotate Colt-integrated secrets; monitor for sudden portal/API logins from new ASN/geo since Aug-12. (Sources: The Register, BleepingComputer)
  • Ransomware: Pre-position EDR isolation scripts; verify immutable backups + restore tests for Tier-0 services. (Source: The Hacker News)

CyberDudeBivash Expert Note

“Protocol-level DoS and supplier outages can cascade fast. Treat HTTP/2 patching and third-party dependency reviews as change-control #1 this week. Cultural and critical infrastructure targets are firmly in scope — prepare your playbooks accordingly.” — CyberDudeBivash

Published by CyberDudeBivash — your daily dose of ruthless, engineering-grade threat intelligence.
🔗 cyberdudebivash.com | Follow for live intel: #CyberDudeBivash #ThreatWire #CyberSecurity #ThreatIntel #Ransomware #HTTP2 #DoS #IR
