One Missed Call, 850,000 Pwned
How Warlock Turned Orange's Support Portal Into a Weapon
In the time it takes a Parisian barista to steam a single cappuccino, the Warlock gang hijacked Orange's support dashboard and spilled four gigabytes of business customer secrets.
Critical Alert
Warlock ransomware infiltrated Orange Telecom's business customer portal through stolen session cookies, compromising 850,000 business accounts and stealing 4.2 GB of sensitive data in just 9 minutes.
When the "Hello, How Can I Help You?" Portal Became a Weapon
| Date (CEST) | Event |
|---|---|
| 03 Jun 09:14 | Warlock affiliate logs in to Orange Business Customer Portal via stolen technician cookie (no MFA) |
| 03 Jun 09:17 | Lateral pivot to SAP CRM; 4.2 GB of client contracts, SLAs, and POs compressed & staged |
| 03 Jun 09:26 | Rclone uploads archive to Mega + Dropbox; on-prem EDR flags anomaly but alert auto-closed (false-positive fatigue) |
| 04 Jun 14:00 | Warlock posts proof-pack (passports, NDAs, pricing sheets) on dark-web blog; 72-hour ransom clock starts |
| 06 Jun | Orange isolates portal, resets 12k support accounts, notifies CNIL (French DPA) within 48h |
| 12 Jun | Deadline passes; entire 4 GB dumped free; 850k French & Spanish business customers urged to freeze credit lines |
"Orange Business Services regrets to confirm that a cyber-attack targeted its B2B customer portal… no evidence of core network compromise."
— Orange press release, 07 Jun 2025
Fallout: From Boardrooms to SIM-Swap Scams
- 850,000 business accounts touched: enterprise SIMs, leased lines, SD-WAN contracts
- Signed NDAs leaked; competitors now know Orange wholesale prices
- Funds stolen from three French crypto traders within 10 days via SIM-swap attacks
- Potential GDPR fine from the CNIL investigation (up to 2% of global turnover)
Kill-Chain Deconstructed: SAP CRM via Cookie Hijack
| MITRE Tactic | Technique | Orange Reality |
|---|---|---|
| Initial Access | T1539 Steal Web Session Cookie | Support engineer logged in from a personal Chromebook; an infostealer had exported the cookie 48h earlier |
| Execution | T1059.003 Windows Command Shell | cmd /c rar a -hpWarlock2025 to stage a password-protected, header-encrypted RAR archive |
| Collection | T1560.001 Archive via Utility | 4.2 GB split into 50 MB chunks so that no single upload trips the DLP per-file size limit |
| Exfiltration | T1567.002 Exfiltration to Cloud Storage | Rclone to Mega + Dropbox over HTTPS/443; no TLS inspection on the outbound proxy |
| Impact | T1486 Data Encrypted for Impact | Warlock binary deployed but NOT executed; pure extortion via threat of dump |
Root Causes: The Cappuccino Window of Doom
1. Session cookies valid for 30 days; no re-auth prompt when the client IP changes
2. Missing MFA on the SAP CRM launchpad; flagged in 2023, "road-mapped" for 2026
3. DLP fatigue: >200 false positives/day, so the analyst auto-closed the alert without review
4. Flat VLAN: support portal, CRM and finance file-share all on the same Layer-2 segment
Expert Insight: "Your Cookie Is Your Crown Jewels"
"Orange shows that session hijacking is the new password spray. If cookies live longer than milk, attackers will drink them."
— Etienne Greeff, CTO, SecureData
Five NIST Controls That Slam the Window Shut
1. Short-lived, bound cookies: 8-hour TTL plus device fingerprinting; force re-auth on IP or geo change so a cookie exported from one machine cannot be replayed from another
2. Phishing-resistant MFA: FIDO2 keys for all portal admins; push number matching for staff (number matching stops MFA-fatigue approvals but is not phishing-resistant, so treat it as an interim step toward FIDO2)
3. Zero-trust network segmentation: micro-segment CRM from the support VLAN; an SDP gateway enforces least privilege between portal, CRM and file shares
4. DLP tuning plus SOAR: baseline-driven thresholds on aggregate outbound volume per host (for example >100 MB to cloud storage within a short window) rather than per-file size, since 50 MB chunks never trip a per-file limit; auto-create a ServiceNow ticket on breach
5. Continuous vendor monitoring: quarterly cookie and session-lifetime audit; pen-test vendor portals before renewal
Quick-Start Playbook: What to Do Before the Next Call
1. Revoke all active sessions in Okta / Microsoft Entra ID (formerly Azure AD); force re-auth plus MFA
2. Shorten session TTL to <12h and bind each session server-side to the device and network that obtained it; browser-native device-bound session credentials are not yet universally available, so do not rely on them alone
3. Deploy FIDO2 keys for tier-0 support staff; no SMS fallback
4. Integrate DLP with SOAR; trigger on aggregate outbound volume per host to cloud storage (for example >50 MB within a short window), not on single-file size, since the attackers' 50 MB chunks never exceed a per-file limit
5. Run a red-team cookie-hijack exercise; measure dwell time from portal to CRM
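The chunking in the Collection row above and the DLP items in control 4 and playbook step 4 share one lesson: a per-request size limit is blind to an exfiltration split into pieces below that limit. The example below, written for this page and not taken from Orange's tooling, sums outbound bytes per source host and cloud-storage destination over a sliding window and alerts on the aggregate. The log layout, the cloud-storage hostname list, the tool User-Agent pattern, the sample lines and the thresholds are all constructed assumptions.

```python
"""Aggregate-volume exfiltration detection over proxy logs.
Added example for this page; log format, hostnames, thresholds and the sample
lines below are constructed, not Orange's real data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PER_UPLOAD_THRESHOLD = 50 * 1024 * 1024      # the naive per-file DLP limit (assumed)
WINDOW = timedelta(minutes=10)               # sliding window per (src, dst) (assumed)
WINDOW_THRESHOLD = 100 * 1024 * 1024         # aggregate limit inside WINDOW (assumed)
CLOUD_STORAGE = {"g.api.mega.co.nz", "content.dropboxapi.com"}   # assumed watchlist
TOOL_UA = re.compile(r"^(rclone|curl|python-requests|megacmd)", re.I)  # hypothetical

# Assumed layout: "<iso-timestamp> <src-ip> <method> <host> <bytes-out> <user-agent>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (.+)$")

# Constructed sample: 49 MiB chunks (51380224 bytes), each under the per-file limit.
SAMPLE_LOG = """\
2025-06-03T09:17:40Z 10.20.5.17 PUT g.api.mega.co.nz 51380224 rclone/v1.66.0
2025-06-03T09:17:58Z 10.20.5.17 PUT g.api.mega.co.nz 51380224 rclone/v1.66.0
2025-06-03T09:18:10Z 10.20.5.44 GET www.orange.fr 1842 Mozilla/5.0 (Windows NT 10.0)
2025-06-03T09:18:21Z 10.20.5.17 PUT g.api.mega.co.nz 51380224 rclone/v1.66.0
2025-06-03T09:18:46Z 10.20.5.17 PUT g.api.mega.co.nz 51380224 rclone/v1.66.0
2025-06-03T09:19:30Z 10.20.5.44 POST content.dropboxapi.com 2097152 Mozilla/5.0 (Windows NT 10.0)
2025-06-03T09:20:05Z 10.20.5.17 POST content.dropboxapi.com 51380224 rclone/v1.66.0
2025-06-03T09:20:31Z 10.20.5.17 POST content.dropboxapi.com 51380224 rclone/v1.66.0
2025-06-03T09:21:03Z 10.20.5.17 POST content.dropboxapi.com 51380224 rclone/v1.66.0
"""


def parse(line: str):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, nbytes, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method, "host": host, "bytes": int(nbytes), "ua": ua}


def detect(log_text: str):
    """Return (alerts, largest_single_upload).  One alert per (src, host) the first
    time its outbound bytes within WINDOW exceed WINDOW_THRESHOLD; only upload
    methods to the cloud-storage watchlist are counted."""
    windows = defaultdict(deque)   # (src, host) -> deque of (ts, bytes) inside WINDOW
    totals = defaultdict(int)      # running sum for each deque
    fired, alerts, largest = set(), [], 0
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None or ev["method"] not in ("PUT", "POST") or ev["host"] not in CLOUD_STORAGE:
            continue
        key = (ev["src"], ev["host"])
        largest = max(largest, ev["bytes"])
        q = windows[key]
        q.append((ev["ts"], ev["bytes"]))
        totals[key] += ev["bytes"]
        while q and ev["ts"] - q[0][0] > WINDOW:      # slide the window forward
            _, old = q.popleft()
            totals[key] -= old
        if totals[key] > WINDOW_THRESHOLD and key not in fired:
            fired.add(key)
            alerts.append({"src": ev["src"], "host": ev["host"],
                           "bytes_in_window": totals[key], "requests": len(q),
                           "tool_ua": bool(TOOL_UA.match(ev["ua"])),
                           "first_seen": q[0][0].isoformat(),
                           "last_seen": ev["ts"].isoformat()})
    return alerts, largest


if __name__ == "__main__":
    found, biggest = detect(SAMPLE_LOG)
    print(f"largest single upload: {biggest} bytes (per-file limit {PER_UPLOAD_THRESHOLD})")
    for a in found:
        print(a)
```

No single request in the sample exceeds the per-file limit, so a threshold-per-upload rule stays silent; the windowed sum fires on the third chunk to each destination. The `tool_ua` flag is a cheap second signal (a command-line uploader talking to consumer cloud storage from a support workstation) that a SOAR playbook can use to prioritise the ticket rather than auto-close it.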
The Cappuccino Challenge
Warlock spent nine minutes inside Orange's CRM, but the initial breach took the same 180 seconds your barista needs to foam milk.
If France's telecom titan can be pick-pocketed between order and espresso, ask yourself:
"What am I doing during the time it takes to steam a cappuccino?"
Verified Sources
1. Orange Business Services breach confirmation. Orange press release, 7 Jun 2025.
2. Warlock ransomware group leaks 4 GB of Orange data. LeMagIT, 12 Jun 2025.
3. 850k business customers notified. BleepingComputer, 14 Jun 2025.
4. SIM-swap fraud wave after data dump. Le Figaro, 22 Jun 2025.
5. CNIL opens GDPR investigation. CNIL communiqué, 20 Jun 2025.
Secure Your Customer Portals from Session Hijacking
Don't let stolen cookies become your company's downfall. Get a free portal security assessment to identify vulnerable session management and implement proper cookie defenses.