Cyber Intelligence Briefing: 27 June 2025. SonicWall and ScreenConnect targeted in cyber attacks

Assured’s CISO reacts:

We often see reports of firewall vulnerabilities (e.g. Cisco, Ivanti or Fortinet). Criminals aim to find any way into the IT environment, so this week, we’ve seen attention on vulnerabilities for broader parts of the tech stack, coming from risks around unauthorised app installations. We find a vulnerability, build an exploit and execute. If you can have someone download an already-vulnerable app? The attackers are using ‘shift left’, so follow these steps to protect your organisation.

1. M1042) Disable or Remove Feature or Program:

• GPO:
• Restrict Installation of Unsigned Executables:
  • Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Set Devices: Prevent users from installing printer drivers to Enabled
  • This prevents the installation of drivers (and by extension, software) that are not signed by a trusted publisher.
• Enforce Application Control Policies:
  • Use Software Restriction Policies (SRP) to define allowed applications.
  • Navigate to: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
  • Set the default security level to Disallowedand create additional rules to allow only approved applications.

2. M1026 ) Privileged Account Management:

• Intune:
• Implement Credential Guard:
  • In Intune, navigate to: Endpoint security > Attack surface reduction
  • Create a policy to enable Windows Defender Credential Guard on all devices.
• Restrict Local Administrator Accounts:
  • Use Intune to configure Local User Group Membership policies.
  • Remove unnecessary users from the local administrators group

3. M1038) Execution Prevention:

• GPO:
• Enable AppLocker:
  • Navigate to: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker
  • Create rules to allow only signed and approved applications to execute.
• Configure Script Execution Policies:
  • Set PowerShell execution policies to AllSignedto ensure only signed scripts can run.
  • Use GPO to enforce this setting across all devices.

4. M1026) Remove All Users from Local Administrators Group:

• • Open: Group Policy Management Editor
  • Add: Domain group or user with managed privileges (e.g.,. DOMAIN\LAPS Admins)
• Enable Legacy Microsoft LAPS:
  • Configure the following policies:
  • Enable local admin password management: Enabled
  • Name of administrator account to manage: Administratoror custom local admin name.
  • Do not allow password expiration time longer than required by policy: Enabled
  • Password Settings: Length: 14, Complexity: Enabled
  • Password expiration (days): 30

5. M1054) Block execution of unsigned or untrusted installers; allow only signed software from trusted publishers:

• Create a WDAC Policy with Signed Publisher Rules:
  • On a reference system, open PowerShell as administrator.
  • Run: New-CIPolicy -Level SignedPublisher -Fallback Hash -FilePath "C:\WDAC\SignedPolicy.xml"
ConvertFrom-CIPolicy -XmlFilePath "C:\WDAC\SignedPolicy.xml" -BinaryFilePath "C:\WDAC\SignedPolicy.cip"
• Deploy Policy via Intune:
  • SGo toEndpoint Security > Attack surface reduction > Application Control
  • Create a WDAC policy and paste the base64 string from PolicyBase64.txt
  • Assign the policy to all user devices.