Weekly Cyber Briefing 08.09.2025

Cyber Intelligence Briefing: 08 September 2025

Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.


Cyberattack halts Jaguar Land Rover operations

Jaguar Land Rover (JLR) suffered a cyber attack that forced the company to take critical IT systems offline, disrupting car sales and production. A hacking group that previously targeted Marks and Spencer and other British brands has claimed responsibility. It is unconfirmed whether customer data has been stolen.

Assured’s CISO reacts:

Rey, formerly known as Hikki-Chan, is a central figure in the HELLCAT cybercrime network, which has repeatedly exploited stolen Jira credentials for initial access, including at Jaguar Land Rover (JLR) and Schneider Electric SE. When JLR was hit, the company moved quickly, shutting down systems proactively and instructing staff not to come to work, which caused production disruption but likely limited deeper damage. The transparent communication, rapid public statement, and disciplined crisis response suggest JLR had a mature playbook in place and executed it effectively, minimizing the overall impact.

Let’s dive into HELLCAT, with some detection and protection measures:

  1. Monitor PowerShell-based Infection Chains
    • HELLCAT uses multi-stage PowerShell scripts (reported names include S1.ps1, Payload.ps1, Isma.ps1 and Shellcode.ps1) to evade defences, load payloads in memory, and establish C2 via Sliver, with the stager served as Stager.woff (source: picussecurity.com).
    • Action: Develop detection rules in your SIEM or EDR to alert on:
      • PowerShell (powershell.exe or pwsh.exe) launched from unusual parent processes, e.g. Office applications, browsers or scheduled tasks rather than an interactive shell.
      • Execution of scripts with the names above (s1.ps1, payload.ps1, isma.ps1, shellcode.ps1); treat file names as a weak, easily changed indicator and pair them with the behavioural checks below.
      • Reflective loading or AMSI bypass techniques (e.g. Reflection.Assembly::Load on a Base64 blob, or tampering with amsiInitFailed); catching these in script content requires PowerShell script block logging (Event ID 4104) to be enabled.
    • Tag these detections with MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell), T1027 (Obfuscated Files or Information), T1620 (Reflective Code Loading), T1562.001 (Impair Defenses: Disable or Modify Tools, for the AMSI bypass) and T1055 (Process Injection).
    • HELLCAT exfiltrates data via SFTP and cloud storage services, and hosts payloads on open directories with low antivirus detection rates (sources: Bridewell, SOC Prime).
    • Action:
      • Monitor for large outbound transfers over SFTP (TCP/22) or to cloud storage domains that originate from endpoints not typically used for data export, and baseline per-host egress volumes so the alert fires on deviation rather than on a fixed threshold.
  2. Compromised Jira Credentials from Infostealer Logs
    • HELLCAT frequently gains initial access with Jira credentials harvested by infostealer malware and sold or leaked in stealer logs. Recent breaches attributed to this pattern include HighWire Press, Asseco, LeoVegas and Racami (source: InfoStealers).
    • Action:
      • Monitor for anomalous logins to Jira: impossible travel between consecutive logins, logins from new geolocations or ASNs, and successful use of credentials belonging to dormant or long-unused accounts.
      • Detect unusual data exports (bulk issue exports, attachment downloads) or administrative actions in Jira.
      • Require MFA in front of Jira and reset any credentials that appear in infostealer-log feeds rather than waiting for a login anomaly.
  3. Harden PowerShell on Endpoints
    • Enforce Constrained Language Mode (CLM) for PowerShell. CLM is applied by an application control policy (Windows Defender Application Control or AppLocker in enforce mode), not by the execution policy: the ExecutionPolicy setting only accepts values such as RemoteSigned or AllSigned, and it is a user-level safety check that attackers step around with -ep bypass, so pushing a ConstrainedLanguage value to an ExecutionPolicy setting does not enforce CLM. Verify on a host with:
      $ExecutionContext.SessionState.LanguageMode
      which should return ConstrainedLanguage once the policy applies.
    • Remove PowerShell 2.0, which predates script block logging and AMSI and is used for downgrade attacks against the detections in item 1:
      Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
    • Turn on script block logging (Event ID 4104) and module logging via Group Policy or Intune so the detections in item 1 have content to match against.

Disney pays price for poor data management

Media giant Disney has agreed to pay USD 10 million to settle FTC claims that it failed to label child-directed videos on its YouTube channels as "Made for Kids", allowing personal data to be collected from children and used for targeted advertising in violation of the US Children's Online Privacy Protection Act (COPPA).

[Researcher: Jenny Eysert, S-RM]

Assured’s CISO reacts:

In addition to the fine, Disney are applying changes to ensure videos are labelled correctly. The approach from the FTC seems comparable to the UK's Information Commissioner's Office (ICO), reinforcing the need to take seriously warnings from regulators and act quickly. Evidence suggests that the ICO are pragmatic, offering advice and considering the effort of applying controls, but come down harder when not listened to.

Equally relevant is the need to consider privacy responsibilities beyond your own ecosystem, to anywhere data collection is happening. If it is via a third party, as in this case, the consent and processing rules need applying as they would on your own website, and the privacy statement should reflect the processing arrangements. Worthy considerations for CISOs wearing the DPO hat, and for CISOs seeking to understand where data is being collected from.
