Dark Web News Analysis
A threat actor has posted an announcement on a known cybercrime forum offering to trade a database they claim was taken from “Coriolis,” most likely Coriolis Télécom, a French telecommunications company. The actor is not selling the data for cash but wants to exchange it for other stolen data, a common practice in the cybercrime economy. The post directs interested parties to negotiate the trade over Telegram.
An announcement like this is a strong, though so far unverified, indicator that a significant data breach at the company has already occurred: the claim should be treated as credible but unconfirmed until it has been checked against the company's own records. An offer to trade rather than sell implies the actor values the data highly enough to use it as currency. For a telecommunications provider, a customer database is especially valuable to other criminals because it supplies the identity details needed to pass account verification, which makes it a direct toolkit for a range of fraud, including SIM swapping.
Key Insights
This data exchange announcement highlights several critical and immediate threats:
- Strong Indication of a Breach: A public offer to trade a specific company’s data is a very strong indicator that a breach has already occurred, even before the data itself has been verified. The actor is confident enough in the value of the stolen asset to use it as currency in the cybercrime underground.
- High Risk of Widespread Data Proliferation: Unlike a sale to a single buyer, a trade leaves copies with both parties, and each can trade the data again. This “shotgun blast” distribution significantly increases the number of criminals who gain access to the data and amplifies the risk of widespread fraud.
- A Toolkit for SIM Swapping and Telecom Fraud: Because Coriolis is a telecommunications provider, its customer database is a goldmine for criminals specializing in SIM swapping. With a customer's PII, and any account identifiers or security answers that may be included, an attacker can pass a carrier's identity checks or socially engineer customer service into moving the victim’s phone number to a SIM the attacker controls, intercept SMS one-time codes and password-reset messages, and then drain the victim's financial and cryptocurrency accounts.
Mitigation Strategies
In response to this direct and public threat, Coriolis and its customers must be on high alert:
- For Coriolis: Assume a Breach and Investigate Immediately: Coriolis should operate on the assumption that it has been breached. The first step is to verify the claim: obtain a sample of the offered data where possible and match it against production records to establish whether it is genuine, how current it is, and which systems it could have come from. In parallel, a top-priority forensic investigation should determine the scope of the compromise, exactly what data was taken, and the initial access vector, and close that vector.
- For Coriolis: Proactive Customer Communication and High Alert on Fraud: Under GDPR the company must notify the supervisory authority (in France, the CNIL) within 72 hours of becoming aware of a personal-data breach, and must inform affected customers without undue delay where the breach is likely to result in a high risk to them, which a leaked telecom customer database almost certainly is. Those notices should warn customers specifically about targeted phishing, social engineering, and, most importantly, SIM swapping attempts. Customer-service and retail staff should be placed on high alert for SIM-replacement, number-porting, and contact-detail change requests, and should apply additional verification to such requests for the duration of the elevated risk.
- For Customers: Migrate Away from SMS-Based 2FA: All Coriolis customers should treat unsolicited calls, SMS, or emails claiming to come from the company with suspicion and enable the strongest security their accounts offer. Critically, they should move any important accounts (banking, email, social media) that rely on SMS-based two-factor authentication to a more secure method such as an authenticator app or a hardware security key, and, where the carrier offers a SIM-change or port-out PIN, set one.
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com