The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.
Harrods, Volvo and the critical supplier threat
In late August 2025, Miljödata AB, a supplier of the Adato system for rehabilitation management and the Novi HR support system for HR personnel notes, suffered a ransomware attack. This cyber attack led to the theft of 870,000 personal data records, including names, personal identity numbers, dates of birth, gender, and contact details of employees from numerous Swedish organisations that deployed the HR system, including Volvo and various higher education establishments.
The incident was claimed by the DataCarry ransomware group, which demanded 1.5 bitcoins (approximately £140,000) in payment. The group was previously known for striking Executive Jet Support in January.
On September 16, the leaked information was added to Have I Been Pwned. At the same time, Sweden’s national CSIRT warned that Swedish businesses have been targeted in an ongoing campaign that hid malware inside a PDF tool, distributed via malicious Google ads.
Assured’s CISO reacts:
We’ve always said there are three types of critical suppliers:
- 1: Suppliers with privileges (As we recently saw with TCS (allegedly) at M&S)
- 2: Suppliers that provide a critical app or service (As we recently saw with vMUSE with the airlines)
- 3: Suppliers that you trust with your sensitive data (As we’ve seen with Volvo)
The Harrods data breach sits in the third category. It appears that 430,000 records were lost, reportedly from a marketing list and therefore its CRM.
When you host sensitive details in a third-party system, it’s often not as easy as managing enrolment through AD groups, as the privileges are set in the system itself. Therefore, there are some key steps you must take:
- Limit the privileges of normal users
- Control the privileges of those with admin accounts
- Set permissions to prevent downloads except for a few permitted users
- Limit access to just trusted devices
- Monitor for large data downloads
DataCarry commonly leverages reverse tunnels and HTTP-tunnelling tools (e.g., Chisel or similar Go-based tunnelers) to evade egress controls and move data out of networks. Detection should focus on Go-compiled binaries that establish long-lived TCP/HTTP sessions or create SOCKS proxies. Additionally, attackers may push “clickbait” PDFs via SEO or advertising campaigns to entice users into launching downloads or visiting malicious websites.
Chisel often uses HTTP(S) with a Go user agent (Go-http-client/1.1) or long-lived HTTP POSTs. This Suricata rule looks for outbound HTTP sessions with that UA or obvious tunnel endpoints:
# Suricata rule — detect Go HTTP client UA to external hosts (suspicious tunnel client)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"NET Suspicious Go-http-client outbound (possible chisel tunnel)"; flow:established,to_server; http.user_agent; content:"Go-http-client/1.1"; nocase; sid:2100001; rev:1; metadata:attack_tactic exfiltration, confidence 10;)
Add this to your IDS and tune false positives (many benign Go clients exist; correlate with high data volumes or unknown destinations).
Tune your Sigma (generic SIEM) rules (Splunk/Elastic translations available) to detect chisel.exe or long-lived processes created from unusual user temp directories whose parent is powershell.exe or cmd.exe.
Ensure Sysmon config collects these events and forwards to SIEM:
- Sysmon EventID 3 (Network connection) — capture process hashes + destination IP/port.
- Sysmon EventID 11/12 (FileCreate / Directory create) — detect unusual executable drops in %TEMP%, %APPDATA%.
- Sysmon EventID 1 (Process create) — capture ParentImage, CommandLine, ImageLoaded.
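As an added example (not code from the briefing or its author), the Sysmon correlation the bullets above describe, run over constructed EventID 1 and EventID 3 records: processes started from a user Temp directory by powershell.exe or cmd.exe whose repeated outbound connects to one external host span an hour or more. The field names, the one-hour threshold and the sample events are assumptions; the benign Go client (gopls under VS Code) shows why parent and path context is needed to keep false positives down.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style records (not real telemetry); field names follow Sysmon.
# EventID 1 = process create, EventID 3 = network connection (one record per connect).
# 203.0.113.x (TEST-NET-3) stands in for external hosts.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "P1", "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "P2", "Image": r"C:\Program Files\Go\bin\gopls.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe"},   # benign long-lived Go client
    {"EventID": 3, "ProcessGuid": "P1", "UtcTime": "2025-09-20 10:00:00.000", "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "ProcessGuid": "P1", "UtcTime": "2025-09-20 12:05:00.000", "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "ProcessGuid": "P2", "UtcTime": "2025-09-20 10:00:00.000", "DestinationIp": "203.0.113.20"},
    {"EventID": 3, "ProcessGuid": "P2", "UtcTime": "2025-09-20 15:00:00.000", "DestinationIp": "203.0.113.20"},
]

USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
SCRIPT_PARENTS = {"powershell.exe", "cmd.exe"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PERSIST_SECONDS = 60 * 60  # connects to one host spread over >= 1 h are treated as long-lived

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_suspicious_tunnels(events):
    """Processes started from a user Temp dir by powershell/cmd whose outbound connects to a
    single external host span >= PERSIST_SECONDS. Sysmon records connection starts, not
    durations, so 'long-lived' is inferred from the first-to-last connect span per host."""
    suspects = {}
    for e in events:
        if e["EventID"] == 1 and USER_TEMP.match(e["Image"]) \
                and e["ParentImage"].rsplit("\\", 1)[-1].lower() in SCRIPT_PARENTS:
            suspects[e["ProcessGuid"]] = e["Image"]
    spans = defaultdict(list)
    for e in events:
        if e["EventID"] == 3 and e["ProcessGuid"] in suspects:
            ip = ipaddress.ip_address(e["DestinationIp"])
            if not any(ip in net for net in INTERNAL):   # internal destinations are not tunnel egress
                spans[(e["ProcessGuid"], e["DestinationIp"])].append(parse_time(e["UtcTime"]))
    return [{"ProcessGuid": guid, "Image": suspects[guid], "DestinationIp": dst}
            for (guid, dst), times in spans.items()
            if (max(times) - min(times)).total_seconds() >= PERSIST_SECONDS]

if __name__ == "__main__":
    for hit in find_suspicious_tunnels(EVENTS):
        print("ALERT possible tunnel client:", hit)
```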
Further advice includes:
- Use AppLocker to block unsigned Go binaries, specific filenames (such as chisel.exe), and executables running from %TEMP% and network shares.
- Import sample hashes from the MalwareBazaar tag:datacarry into your AV/EDR blocklists and SIEM IOC lists. (MalwareBazaar page is public.)
- Configure your email security solution to sandbox all PDFs that contain JavaScript, embedded files/attachments, or Launch actions.
- Use static PDF scanners to flag suspicious elements, such as the presence of /OpenAction, /Launch, /JS, /EmbeddedFile, or other suspicious streams.
- Disable JavaScript execution in PDF readers company-wide (Acrobat Reader, Foxit, etc.) via registry or GPO.
- Example registry (for Adobe Reader):
HKLM\Software\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown\cScript = 0
- Use Attack Surface Reduction (ASR) rules to block rundll32, regsvr32, mshta, wscript, and cscript from launching out of context (e.g. from a PDF process).
- Example via Defender / Intune:
"ASR_Rules": {"BlockRundll32FromFolder": "Enabled", "BlockMshtaFromFolder": "Enabled", "BlockOfficeScript": "Enabled"}
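An added example of the static PDF check described in the list above (not code from the briefing): it decodes #xx hex escapes in PDF names, so /J#53 is recognised as /JS, and inflates FlateDecode streams so an action object hidden inside one is still found. The sample PDFs are constructed; the risky-name list is the briefing's plus the /JavaScript action type and /AA.

```python
import re
import zlib

# Constructed samples (not real malicious files). SAMPLE_PDF: catalog /OpenAction that runs
# JavaScript, with the /JS key hex-escaped as /J#53 so a plain grep for "/JS" misses it.
# HIDDEN_PDF: a /Launch action inside a FlateDecode stream. BENIGN_PDF: nothing of interest.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /JavaScript /J#53 (app.alert('x')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
_OBJ = zlib.compress(b"<< /Type /Action /S /Launch /F (example.exe) >>")
HIDDEN_PDF = (b"%PDF-1.4\n4 0 obj << /Filter /FlateDecode /Length " + str(len(_OBJ)).encode()
              + b" >>\nstream\n" + _OBJ + b"\nendstream\nendobj\n%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

# The names the briefing lists, plus the /JavaScript action type and /AA (additional actions).
RISKY_NAMES = {b"/OpenAction", b"/AA", b"/Launch", b"/JS", b"/JavaScript", b"/EmbeddedFile"}
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)

def normalise_name(raw):
    """PDF names may encode any byte as #xx, so /J#53 is the same name as /JS."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def inflate_streams(data):
    """Bodies of FlateDecode streams; streams with other filters fail to inflate and are skipped."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue

def scan_pdf(data):
    """Sorted risky names found in the raw file and in inflated streams."""
    found = set()
    for chunk in [data, *inflate_streams(data)]:
        for m in NAME_RE.finditer(chunk):
            name = normalise_name(m.group(0))
            if name in RISKY_NAMES:
                found.add(name.decode())
    return sorted(found)

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("hidden", HIDDEN_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(pdf))
```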
Heathrow Hardbit Deep Dive
Hardbit, a relatively basic ransomware strain that frequently reappears, played a major role in the recent cyber attack that affected operations at Heathrow and several other airports. The attack targeted Collins Aerospace's ARINC vMUSE check-in and boarding systems, resulting in numerous flight delays and cancellations.
Assured’s CISO reacts:
We are aware that vulnerabilities existed on the attack surface. Collins utilises end-of-life services that are publicly accessible, including Microsoft’s IIS 8.5 web server, GlassFish application server, and an Oracle Communications Messaging Server. While we can’t be sure these were used as part of the attack path, this reaffirms the need for companies to assess their external attack surface (which can be done with free tools, such as DNSDumpster and Shodan/Censys) and address end-of-life or vulnerable elements of their tech stack.
We know HardBit 4.0 was part of the attack tooling, provided by the HardBit ransomware group. HardBit emerged in 2022 and utilises many of the TTPs also employed by other ransomware operators, including common images, fonts, and ransom notes similar to those used by LockBit. They favour communication over the Tox messaging service and, interestingly, while they aim for financial gain via encryption extortion, they do not appear to have leak sites and hence do not resort to typical double extortion methods.
The attack path is likely to start with brute-forcing RDP and SMB services before using credential theft tools (such as Mimikatz and NLBrute), and network discovery via utilities (such as Advanced Port Scanner), allowing the attackers to move laterally across the network by means of RDP. Encryption of the victim hosts is carried out by deploying HardBit, which is delivered using a known file infector virus called Neshta. HardBit is designed to disable Microsoft Defender anti-virus and terminate processes and services. Via its design and passphrase protection, it can evade detection and inhibit system recovery.
Step-by-step guide to Hardbit 4.0 detection and protection
The following configurations could help protect you from this variant of malware.
Prevent:
- Use SRP / WDAC to prevent bcdedit.exe execution from any location except System32 when run under the Administrator context.
- Use WDAC (Windows Defender Application Control) in Enforce mode. Configure a supplemental policy that denies executables from user profile temp paths.
- Configure a Group Policy to Control folder protection or audit/block registry writes to BCD/boot configuration.
- Use Device Guard / Credential Guard / HVCI to protect boot components from tampering by user-mode code, and to protect LSASS and Active Directory secrets from in-memory extraction (e.g., via Mimikatz).
- Deploy Local Administrator Password Solution (LAPS) so local admin passwords rotate per machine and are not reused.
- Use Windows Defender Tamper Protection (must be turned on, cannot be programmatically disabled). Enforce via Intune:
{
"OMA-URI": "./Device/Vendor/MSFT/Policy/Config/Defender/TamperProtection",
"DataType": "Integer",
"Value": 1
}
- Use Local Security Policy / GPO to deny SERVICE_STOP and SERVICE_DELETE rights on critical protection services (e.g. WinDefend, Sense) for all but system accounts.
- Ensure SMB (445/139) is blocked from the internet and restricted internally to necessary segments.
Detect:
- Set EDR / SIEM rules to detect desktop wallpaper changes (e.g. Set-ItemProperty to registry key HKCU:\Control Panel\Desktop\Wallpaper) or classically via SystemParametersInfo API, combined with volume label modifications (SetVolumeLabelW or calls to kernel32!SetVolumeLabel) or mass icon changes (icon resource writes).
- Use Windows UI Automation/hooking (if your EDR supports it) to detect when an untrusted process calls CreateWindowExA / CreateWindowExW with dialogue classes or GetDlgItem, SetDlgItemText, GetWindowText immediately after process initialisation in non-standard paths.
Respond to:
- Execution of commands and registry changes: vssadmin delete shadows /all /quiet, wbadmin start backup, bcdedit /set {default} recoveryenabled No, bcdedit /set {bootmgr} displaybootmenu No, bcdedit /set {bootmgr} timeout 0, and WMI calls to disable VSS.
- Registry modifications in HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore (for backup/restore settings) or HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (for recovery environment) with alerts.
- Assembly.Load(byte[]), Assembly.LoadFrom, or Reflection.Emit usage in processes originating from uncommon directories (e.g. %TEMP%, %APPDATA%\Local\Temp\*).
- Executions of .exe, .dll, .ps1 or .cmd files from %TEMP% or user-writable paths (e.g. C:\Users\*\AppData\Local\Temp\*). For example, an EDR rule: if ProcessStart event where ParentPath is %USERPROFILE%\AppData\Local\Temp\* and ImagePath is *.exe / *.dll / *.net and ProcessSignature = unsigned, then alert/block.
- Network scanning tools being downloaded or executed (e.g. advanced_port_scanner.exe, kportscan.exe) from URLs or via binaries.
- netstat -an scans, arp -a, mass port probing (SYN scans), or SMB brute-force traffic.
- Use of PsExec, wmic, winrs, and enter-pssession commands from endpoints not typically using them.
Hackers use SEO Poisoning to promote Fake Microsoft Teams installers
In a new malvertising and SEO poisoning campaign, hackers are promoting a fake site that appears when visitors search for ‘Teams download.’
Blackpoint and BleepingComputer both document SEO-poisoned/malvertising distribution of a trojanized MSTeamsSetup.exe that drops CaptureService.dll, creates a CaptureService scheduled task that runs via rundll32.exe, and uses Oyster/Broomstick C2 domains.
Assured’s CISO reacts:
To protect your staff from these attacks and respond fast to any detections, we recommend:
- Deny interactive / network logon for third-party managed service accounts: GPO preference: Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment. Add the third-party service/privileged accounts or service-account security principals to Deny log on locally and Deny access to this computer from the network.
- Constrain privileged operations with constrained delegation & AD serviceAccount ACLs: For each privileged third-party managed account object in AD, programmatically set msDS-AllowedToDelegateTo to empty and remove GenericWrite from childComputer objects.
- Require Managed Service Accounts (gMSA) + prevent local service account creation: Enforce via Group Policy Object: Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy to enable auditing for "Audit Other Account Management Events" and "Audit Security System Extension". Deploy a scheduled script (via GPO) that finds any local service accounts with names matching common third-party patterns and disables them, logging details to central syslog/Windows Event Forwarding.
- Lock down which computers can run services under external service accounts (service logon restriction): For every third-party service account, set the msDS-AllowedToActOnBehalfOfOtherIdentity and AllowedToDelegateTo attributes to empty, and explicitly set the logonWorkstations attribute on the account to the approved hostnames only.
- Limit Software Installation / Execution Prevention and restrict web-based content / DNS & Proxy Filtering (block SEO-poisoned/sponsored ad landing pages and malvertising domains): Block known malicious domains and implement DNS-based filtering at resolver level + push next-hop DNS via GPO by maintaining a blocklist including the IOCs from Blackpoint (e.g., teams-install[.]top, teams-install[.]icu, team.frywow[.]com, nickbush24[.]com, etc.) and push it to your organisation's DNS resolver (BIND RPZ or Azure DNS Firewall / Cisco Umbrella). Then enforce an enterprise proxy with content filtering and block ad networks used for malvertising; enforce via GPO proxy auto-config (PAC) with WPAD disabled.
- EDR custom detection & block rules for the observed kill chain (rundll32.exe loading DLLs from %APPDATA%\Roaming\*, scheduled task CaptureService): Create EDR (Microsoft Defender for Endpoint or other) custom rule(s):
- Behavioural rule: if process rundll32.exe spawns and the command line includes a path under %APPDATA%\Roaming\ and the loaded DLL name matches CaptureService.dll (or any .dll in %APPDATA%), block execution and isolate the host.
- Configure EDR to block and remove (not just alert) on high-confidence matches. This directly targets the Oyster campaign artefacts. Reference: Blackpoint IOCs, the CaptureService scheduled task and CaptureService.dll.
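An added example (not code from the briefing) covering both the HardBit "Respond to" items earlier on the page (vssadmin/bcdedit recovery tampering and unsigned executions from user Temp paths) and the rundll32-from-%APPDATA%\Roaming behavioural rule above, expressed as command-line rules run over constructed Sysmon EventID 1 style records. The Signed field stands in for an EDR's signature verdict and the sample events are constructed; the last record is ordinary admin use that must not fire.

```python
import re

# Constructed Sysmon EventID 1 style records (not real telemetry). "Signed" stands in for
# the signature verdict an EDR attaches, as in the page's ProcessSignature pseudo-rule.
EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\hb.exe",
     "CommandLine": "vssadmin  delete shadows /all /quiet", "Signed": "true"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\hb.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No", "Signed": "true"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\hb.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\hb.exe"', "Signed": "false"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'rundll32.exe "C:\Users\bob\AppData\Roaming\CaptureService\CaptureService.dll",Start',
     "Signed": "true"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows", "Signed": "true"},  # benign admin use, must not fire
]

USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
ROAMING_DLL = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\[^\"]*\.dll\b", re.I)
VSS_DELETE = re.compile(r"\bvssadmin(\.exe)? delete shadows\b")
BCD_TAMPER = re.compile(r"\bbcdedit(\.exe)? /set \{(default|bootmgr)\} "
                        r"(recoveryenabled no|displaybootmenu no|timeout 0)\b")

def norm(cmd):
    """Lower-case and collapse whitespace so spacing and case variations don't defeat matching."""
    return re.sub(r"\s+", " ", cmd).strip().lower()

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule is a predicate over one record; evaluation order follows dict order.
RULES = {
    "recovery_inhibit_vss": lambda e: VSS_DELETE.search(norm(e["CommandLine"])),
    "recovery_inhibit_bcdedit": lambda e: BCD_TAMPER.search(norm(e["CommandLine"])),
    "unsigned_exec_from_user_temp": lambda e: e["Signed"] == "false"
        and (USER_TEMP.search(e["Image"]) or USER_TEMP.search(e["ParentImage"])),
    "rundll32_dll_from_roaming": lambda e: basename(e["Image"]) == "rundll32.exe"
        and ROAMING_DLL.search(e["CommandLine"]),
}

def evaluate(events):
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(name, i) for i, e in enumerate(events) for name, pred in RULES.items() if pred(e)]

if __name__ == "__main__":
    for name, i in evaluate(EVENTS):
        print(f"ALERT {name}: {EVENTS[i]['CommandLine']}")
```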