Weekly Cyber Briefing 07.07.2025

Cyber Intelligence Briefing: 04 July 2025. Insider threats and Ransomware gang target German food aid charity


Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.


Ransomware gang target German food aid charity

A ransomware gang recently attacked Deutsche Welthungerhilfe (WHH), a German charity providing food and aid to impoverished regions. The attackers are demanding 20 bitcoin (approximately USD 2.1 million) for stolen data, but WHH has refused to pay and has taken steps to secure their systems while involving authorities.

[Researcher: Nor Liana Kamaruzzaman, S-RM]

Assured’s CISO reacts:

Charities are often a target due to the sensitive data of vulnerable individuals and continual priority conversations to divert funds from frontline services to cyber protections. The attack group behind Deutsche Welthungerhilfe (WHH) are significantly more active in 2025, with 15 more victims compared to this stage in 2024. As a ransomware as a service, they employ known and repeatable tools, techniques and procedures, so we’ve looked into a set of tailored protections which would help:

1. M1032) Multi-Factor Authentication (MFA) for Remote Access:

  • Threat Addressed: Rhysida actors exploit compromised VPN credentials lacking MFA to gain initial access.
  • Enforce MFA for All Users (PowerShell, Microsoft Graph SDK):
      Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
      $params = @{ displayName = "Require MFA for All Users"; state = "enabled";
                   conditions = @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") } };
                   grantControls = @{ operator = "OR"; builtInControls = @("mfa") } }
      New-MgIdentityConditionalAccessPolicy -BodyParameter $params
  • Block Legacy Authentication Protocols (PowerShell, Exchange Online):
      Connect-ExchangeOnline
      New-AuthenticationPolicy -Name "Block Legacy Auth"   # a new policy blocks all Basic auth protocols by default
      Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Legacy Auth"   # applies it to every mailbox without its own policy

2. M1026) Privileged Account Management:

  • Threat Addressed: Rhysida operators leverage valid accounts and escalate privileges using tools like ntdsutil.exe to dump credentials.
  • Restrict ‘Access this computer from the network’:
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
    • Set ‘Access this computer from the network’ to include only: Administrators, Remote Desktop Users, and specific service accounts.
  • Implement Local Administrator Password Solution (LAPS):
    • Deploy LAPS to manage local administrator passwords securely.
    • Configure via GPO: Computer Configuration > Administrative Templates > LAPS
    • Set ‘Enable local admin password management’ to ‘Enabled’.

3. M1042) Disable or Restrict PowerShell:

  • Threat Addressed: Rhysida uses PowerShell for execution, persistence, and defense evasion.
  • Restrict PowerShell Execution Policy (PowerShell):
      Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
  • Disable PowerShell v2 (PowerShell):
      Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

4. M1047) Audit Credential Dumping Tools:

  • Threat Addressed: Rhysida employs tools like taskmgr.exe and procdump to dump credentials from LSASS.
  • Enable LSASS Protection:
    • Set registry key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 1
  • Configure Audit Policies:
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking
    • Enable ‘Audit Process Creation’ and ‘Audit Process Termination’.
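The two controls above applied from PowerShell, followed by a hunt over the resulting 4688 events for the LSASS/NTDS dumping tools named in this item. This is an added example, not code from the briefing; it assumes an elevated PowerShell 5.1+ session on a domain-joined host, and the sample command lines at the end are constructed.

```powershell
# Added example, not from the briefing: apply the two controls above, then hunt Security
# event 4688 for the LSASS/NTDS dumping tools the briefing names. Assumes an elevated
# PowerShell 5.1+ session on a domain-joined Windows host; sample command lines are constructed.

# 1. Run LSASS as a Protected Process Light (takes effect after the next reboot).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Value 1 -Type DWord

# 2. Audit process creation/termination and include the command line in 4688 events.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Command-line indicators for the tools named above. A Task Manager dump of LSASS leaves
#    no tell-tale command line, so that case is covered by the PPL setting rather than this hunt.
$dumpPatterns = @(
    'procdump(64)?(\.exe)?\s.*lsass',        # ProcDump writing a full LSASS dump
    'ntdsutil.*\bifm\b',                     # ntdsutil "install from media" copy of NTDS.dit
    'rundll32.*comsvcs\.dll.*minidump'       # comsvcs.dll MiniDump export
)

function Test-CredentialDumpIndicator {
    param([string]$CommandLine)
    foreach ($p in $dumpPatterns) { if ($CommandLine -match $p) { return $p } }
    return $null
}

# Pull recent 4688 events from the Security log and surface the ones that match.
function Find-CredentialDumpEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            $hit  = Test-CredentialDumpIndicator -CommandLine $cmd
            if ($hit) { [pscustomobject]@{ Time = $_.TimeCreated; Computer = $_.MachineName; CommandLine = $cmd; Pattern = $hit } }
        }
}

# Constructed sample command lines: the first two are dumping tools, the third is benign.
@('C:\Tools\procdump64.exe -ma lsass.exe C:\Temp\l.dmp',
  'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\x" q q',
  'C:\Windows\System32\notepad.exe C:\notes.txt') |
    ForEach-Object { '{0,-5} {1}' -f [bool](Test-CredentialDumpIndicator -CommandLine $_), $_ }

Find-CredentialDumpEvents | Format-Table -AutoSize -Wrap
```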

5. M1053) Disable Unnecessary Scheduled Tasks:

  • Threat Addressed: Rhysida establishes persistence using scheduled tasks like ‘Rhsd’.
  • GPO:
  • Audit Scheduled Tasks:
    • Use Task Scheduler to review existing tasks.
    • Identify and disable tasks that are unnecessary or suspicious.
  • Restrict Task Creation Permissions:
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > File System
    • Add %SystemRoot%\System32\Tasks and set permissions to allow only Administrators and SYSTEM full control.
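A scripted version of the "audit scheduled tasks" step above: it enumerates every enabled task and flags the ones a reviewer should look at first (the ‘Rhsd’ name from this item, binaries in user-writable paths, hidden or encoded PowerShell, non-Microsoft tasks running elevated). Added example, not the briefing's own code; it assumes an elevated session on the host under review, and the checks are illustrative.

```powershell
# Added example, not from the briefing: enumerate scheduled tasks and flag the ones a
# reviewer should examine first, before anything is disabled by hand in Task Scheduler.
# Assumes an elevated session on the host being reviewed; the checks are illustrative,
# and the task name 'Rhsd' is the one the briefing attributes to Rhysida.

$userWritable  = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:windir\Temp\")
$knownBadNames = @('Rhsd')

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe     = [Environment]::ExpandEnvironmentVariables("$($action.Execute)")
            $argLine = "$($action.Arguments)"
            $reasons = @()
            if ($knownBadNames -contains $task.TaskName) { $reasons += 'known ransomware task name' }
            if ($userWritable | Where-Object { $exe -like "$_*" -or $argLine -like "*$_*" }) {
                $reasons += 'runs from user-writable path'
            }
            if ($argLine -match '-enc|-EncodedCommand|-w(indowstyle)? hidden|DownloadString|-ep bypass') {
                $reasons += 'hidden or encoded PowerShell'
            }
            if ($task.TaskPath -notlike '\Microsoft\*' -and "$($task.Principal.RunLevel)" -eq 'Highest') {
                $reasons += 'non-Microsoft task running elevated'
            }
            if ($reasons.Count -gt 0) {
                $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
                [pscustomobject]@{
                    Path      = $task.TaskPath
                    Name      = $task.TaskName
                    RunAs     = $task.Principal.UserId
                    LastRun   = $info.LastRunTime
                    Execute   = $exe
                    Arguments = $argLine
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = Get-SuspiciousScheduledTask
$findings | Format-Table -AutoSize -Wrap

# After review, disable (rather than delete) confirmed-unwanted tasks so the evidence remains:
# $findings | Where-Object Reasons -like '*known ransomware*' |
#     ForEach-Object { Disable-ScheduledTask -TaskPath $_.Path -TaskName $_.Name }
```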

6. M1018) Disable Unnecessary Scheduled Tasks:

  • Threat Addressed: Rhysida uses tools like PsExec and AnyDesk for lateral movement and remote access.
  • GPO:
  • Implement Software Restriction Policies:
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
    • Create new policies to disallow execution of applications from %AppData%, %Temp%, and other user-writable directories.
  • Configure AppLocker Rules:
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
    • Create executable rules to allow only approved applications and block known malicious tools.
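One way to express the SRP/AppLocker intent above as a local AppLocker executable policy: allow the standard program locations (and everything for local Administrators), explicitly deny the user-writable AppData and Windows Temp paths, test it against real files, and roll it out in audit mode so that 8003 events show what would break before enforcement. Added example, not the briefing's code; it assumes the AppLocker module on a supported Windows edition with the Application Identity service running, and the rule GUIDs and probe file are constructed.

```powershell
# Added example, not from the briefing: an AppLocker executable policy that allows only the
# standard program locations (plus everything for local Administrators) and explicitly denies
# user-writable AppData and Windows Temp, deployed in audit mode first.
# Assumes the AppLocker module on a supported Windows edition with the Application Identity
# service running; the GUIDs and the probe file below are constructed for this example.

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1111111-1111-4111-8111-111111111111" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a2222222-2222-4222-8222-222222222222" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a3333333-3333-4333-8333-333333333333" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a4444444-4444-4444-8444-444444444444" Name="Deny user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a5555555-5555-4555-8555-555555555555" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'applocker-exe-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against real files: a copy of notepad.exe in AppData stands in for a dropped tool.
$probe = Join-Path $env:LOCALAPPDATA 'Temp\probe-tool.exe'
Copy-Item "$env:windir\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:windir\System32\notepad.exe", $probe -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule   # PolicyDecision and the matching rule name per file

# Apply locally in audit mode (Set-AppLockerPolicy without -Merge replaces the local policy).
Set-AppLockerPolicy -XmlPolicy $policyPath

# Once in place, event 8003 in the AppLocker log lists what would have been blocked under enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```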

7. T1021.001) Remote Desktop Protocol (RDP):

  • Mitigation: M1030 – Network Segmentation:
  • Restrict RDP to Admin Subnet Only:
    • Create firewall rule in: Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
    • Allow RDP only from specific IP ranges
  • Set RDP Encryption to High Level:
    • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Set client connection encryption level = High

8. T1486.001) Data Encrypted for Impact (Ransomware):

  • Mitigation: M1057 – Data Backup:
  • Configure Shadow Copy Settings:
    • Task Name: “DailyShadowBackup”
    • Action: vssadmin create shadow /for=C:
  • Restrict vssadmin and wbadmin Tools:
    • Use SRP to block: %SystemRoot%\System32\vssadmin.exe and wbadmin.exe

Rogue IT worker handed seven month sentence following act of sabotage

A British IT worker has been sentenced to seven months in prison having been found guilty of causing significant IT disruption following his suspension by his employer in July 2022. The former employee had changed credentials and altered multi-factor authentication settings, halting business operations and causing approximately GBP 200,000 in business and reputational damages.

[Researcher: Lawrence Copson, S-RM]

Assured’s CISO reacts:

Privileged access should be a privilege and treated by the company as the highest level of risk. Whether it's a disgruntled employee, account compromise or error, admin privileges should be authorised just-enough, just-in-time.

1. M1018) User Account Management:

  • Ensure immediate revocation of access for suspended or terminated users:
  • Automate Account Disabling (PowerShell):
      Register-ScheduledTask -TaskName "DisableSuspendedUser" -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Disable-ADAccount -Identity 'USERNAME'")
  • Enforce Immediate Logoff:
    • Configure a GPO to force logoff of users upon account disablement.
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    • Set: Network security: Force logoff when logon hours expire to Enabled.
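The revocation step above carried through in one routine that covers on-premises AD and Entra ID together: disable the account, invalidate its password, strip privileged group memberships, block cloud sign-in and revoke existing tokens, and leave an audit note on the object. Added example, not the briefing's code; it assumes the ActiveDirectory and Microsoft.Graph modules, an operator with the rights to perform these actions, and the function name, group list and sample user are constructed.

```powershell
# Added example, not from the briefing: a one-shot revocation routine for a suspended or
# terminated user that covers on-premises AD and Entra ID (Microsoft Graph) together.
# Assumes the ActiveDirectory and Microsoft.Graph modules and an operator with rights to
# disable accounts, reset passwords and revoke sessions. "Disable-SuspendedUser" is a name
# chosen here, not a built-in cmdlet; the group list and the sample user are constructed.

function Disable-SuspendedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$Ticket = 'HR-0000'   # case reference kept for the audit trail (placeholder)
    )
    $stamp = Get-Date -Format s

    # 1. Disable and invalidate on-premises credentials so cached or re-used passwords stop working.
    Disable-ADAccount -Identity $SamAccountName
    $random = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (ConvertTo-SecureString $random -AsPlainText -Force)

    # 2. Strip privileged group memberships so nothing survives a later accidental re-enable.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $privileged -contains $_.Name } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $SamAccountName -Confirm:$false }

    # 3. Block cloud sign-in and revoke issued refresh tokens; a disabled account can no longer
    #    change its own MFA methods, which is the change the sabotage case above turned on.
    Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.EnableDisableAccount.All' -NoWelcome
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # 4. Record what was done on the object itself and return a summary for the ticket.
    Set-ADUser -Identity $SamAccountName -Description "Suspended $stamp ($Ticket)"
    [pscustomobject]@{ User = $SamAccountName; UPN = $UserPrincipalName; DisabledAt = $stamp; Ticket = $Ticket }
}

# Constructed sample call.
Disable-SuspendedUser -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@example.com' -Ticket 'HR-1234'
```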

2. M1026) Privileged Account Management:

  • Restrict and monitor privileged account usage:
  • Just-In-Time (JIT) Access:
    • Integrate Azure AD Privileged Identity Management (PIM) to provide time-bound admin access.
    • Configure role settings to require approval and set maximum activation duration (e.g., 1 hour).
  • Conditional Access Policies:
    • Create a policy in Intune to enforce MFA and device compliance for privileged roles.
    • Navigate to: Endpoint security > Conditional Access
    • Set conditions for roles like Global Administrator and require compliant devices and MFA.

3. M1042) Disable or Remove Feature or Program:

  • Prevent unauthorised changes to authentication mechanisms:
  • Restrict MFA Configuration Changes:
    • Use GPO to disable access to MFA settings for non-authorized personnel.
    • Navigate to: User Configuration > Administrative Templates > Control Panel
    • Set: Prohibit access to Control Panel and PC settings to Enabled.
  • Audit Changes to MFA Settings:
    • Enable auditing for changes to security group memberships and authentication policies.
    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
    • Set: Audit Security Group Management to Success and Failure.

4. M1047) Audit:

  • Monitor and detect unauthorized activities promptly:
  • Enable Unified Audit Logs:
    • Ensure that Unified Audit Logging is enabled in the Microsoft 365 compliance center.
    • Navigate to: Microsoft 365 compliance center > Audit
    • Verify that auditing is turned on for all users.
  • Set Up Alert Policies:
    • Create alert policies for activities like mass password resets or MFA changes.
    • Navigate to: Microsoft 365 compliance center > Alerts > Alert policies
    • Define conditions and set severity levels to trigger immediate notifications.
