Cyber Intelligence Briefing: 23 June 2025
Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.
UBS and Scania data compromised in separate third-party security breaches
A cyberattack targeting ChainIQ, a third-party supplier, resulted in a data breach impacting Swiss bank UBS. Although the bank claimed no client data was affected, threat actor group World Leaks (previously known as Hunters International) published data of around 130,000 UBS employees on the dark web, including the direct phone number of the UBS CEO.
Swedish manufacturer Scania also suffered a data breach as cyber criminals broke into the network of its third-party external IT partner and targeted insurance-related documents.
[Researcher: Aditya Ganjam Mahesh, S-RM]
Assured’s vCISO reacts:
“Related to the insurance industry being a target of Scattered Spider, Asefa, the Madrid-based subsidiary of France’s leading mutual insurer SMABTP, confirmed they were a victim of a Qilin (also behind the Synnovis attack) cyber attack that interrupted part of its IT infrastructure; Qilin claimed that it has exfiltrated over 200 gigabytes of data from the company. As a supplier, this includes FC Barcelona.”
Here’s my set of controls:
1. M1018) User account management – Restrict service account logon rights:
   - Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
   - Add all service accounts (e.g., svc_chainiq, svc_mspadmin) to this policy to prevent interactive logons.
   - Limit service account permissions:
     - Use the Active Directory Users and Computers console.
     - For each service account, access the account properties.
     - Under the “Member Of” tab, ensure only necessary groups are assigned.
     - Remove any memberships that grant unnecessary privileges, such as Domain Admins.
2. M1038) Implement application whitelisting – Configure AppLocker policies:
   - In Intune, create a Device Configuration Profile:
     - Navigate to: Endpoint Protection > AppLocker
     - Define rules to allow only approved applications by specifying allowed paths and publishers.
   - Deploy AppLocker policies:
     - Assign the configuration profile to the appropriate device groups.
     - Monitor the deployment status and ensure that only whitelisted applications can execute.
3. M1032) Enforce multi-factor authentication (MFA) for privileged accounts – Create Conditional Access policy:
   - In Azure AD, navigate to Security > Conditional Access
   - Create a new policy targeting privileged roles (e.g., Global Administrator, Exchange Administrator).
   - Under “Access controls,” select “Grant” and require multi-factor authentication.
   - Assign policy to MSP accounts:
     - Identify all MSP-related accounts.
     - Include these accounts in a security group.
     - Apply the Conditional Access policy to this group to enforce MFA.
4. M1042) Restrict PowerShell execution to authorised users – Set PowerShell execution policy:
   - Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
   - Enable the policy “Turn on Script Execution” and set it to “Allow only signed scripts.”
   - Restrict PowerShell access:
     - Create a GPO to define Software Restriction Policies.
     - Under Security Levels, set the default to “Disallowed.”
     - Create additional rules to allow PowerShell only for authorised groups or users.
5. M1030) Implement network segmentation for MSP access – Define IP security policies:
   - Navigate to: Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Active Directory.
   - Create a new IP security policy that restricts traffic between MSP-managed systems and sensitive internal resources.
   - Apply firewall rules:
     - Use Windows Defender Firewall with Advanced Security.
     - Create inbound and outbound rules to allow only necessary ports and protocols between MSP IP ranges and internal servers.
6. M1047) Enable comprehensive audit logging – Configure audit policy:
   - Navigate to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
   - Enable auditing for account logon events, object access, and privilege use.
   - Set up log forwarding:
     - Use Event Forwarding to collect logs from MSP-managed systems.
     - Configure a central event collector server to receive and store logs for analysis and correlation.
7. M1050) Exploit protection – Enforce RDP access via jump box only:
   - Create a GPO under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules.
   - Define a rule allowing inbound TCP on port 3389 only from a dedicated jump server IP range (e.g., 10.50.0.0/24).
   - Block all other inbound RDP traffic by default to internal endpoints.
   - Enable Network Level Authentication (NLA) for RDP:
     - Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
     - Enable the policy “Require user authentication for remote connections by using Network Level Authentication” and set it to “Enabled”.
     - This ensures MSP users must pass authentication before any session is established, reducing the attack surface.
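An added verification script, written for this briefing and not part of the vCISO's controls or any vendor tooling, that checks a single Windows host against controls 6 and 7 above: it flags any enabled inbound allow rule for TCP 3389 that is not scoped to the jump-box range, confirms NLA is enforced, and reads the advanced audit subcategories. The range 10.50.0.0/24 is the example from the text; the four subcategory names are my assumed mapping of "account logon events, object access, and privilege use".

```powershell
# Added check script (not from the briefing): verifies controls 6 and 7 on one Windows host.
# Run in an elevated PowerShell session. Values marked as assumptions should be adjusted per estate.

$JumpBoxRange = '10.50.0.0/24'   # jump-server range used as the example in the text (assumption)
$Findings = New-Object System.Collections.Generic.List[string]

# --- Control 7: every enabled inbound allow rule for TCP 3389 must be scoped to the jump box ---
# Note: rules whose LocalPort is 'Any' are not matched here and need a separate review.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '3389')
}
foreach ($rule in $rdpRules) {
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    # RemoteAddress is 'Any' when unscoped; otherwise the address/CIDR strings as entered in the rule
    if ($remote -contains 'Any' -or $remote -notcontains $JumpBoxRange) {
        $Findings.Add("RDP allow rule '$($rule.DisplayName)' reachable from: $($remote -join ', ')")
    }
}
if (-not $rdpRules) {
    $Findings.Add('No inbound allow rule for TCP 3389 found; RDP is not explicitly scoped to the jump box.')
}

# --- Control 7: NLA required (registry value behind the GPO setting named in the text) ---
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue
if ($nla.UserAuthentication -ne 1) {
    $Findings.Add('NLA not enforced: UserAuthentication is not set to 1.')
}

# --- Control 6: advanced audit subcategories (assumed mapping of logon / object access / privilege use) ---
$subcategories = 'Credential Validation', 'Logon', 'File System', 'Sensitive Privilege Use'
foreach ($sub in $subcategories) {
    # auditpol /r emits CSV; drop blank lines before parsing
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    if ($row.'Inclusion Setting' -notmatch 'Success') {
        $Findings.Add("Audit subcategory '$sub' is not auditing success: '$($row.'Inclusion Setting')'")
    }
}

if ($Findings.Count -eq 0) { 'All checks passed.' } else { $Findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a sample of MSP-managed hosts after the GPOs have applied (gpupdate /force) and treat any FINDING line as a gap between the intended control and what the host actually enforces.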
16 billion user passwords leaked online in aggregated infostealer datasets
Security researchers have identified a data leak containing 16 billion passwords for various online services including Apple, Facebook, GitHub, and Google. The leak is an amalgamation of 30 old and new datasets and may contain some duplication, and other researches have played down its significance. The source of the leak is likely from infostealer malware, which is a kind of malicious software that steals sensitive information like passwords from end users’ devices.
[Researcher: James Tytler, S-RM]
Assured’s vCISO reacts:
“Looking at the types of attack steps that can lead to this incident, we’ve picked six MITRE ATT&CK mitigations. Each step includes a single, detailed configuration using either Group Policy Objects (GPO) or Microsoft Intune, selected based on technical depth.”
1. Users
   - Ensure MFA (easily done if already SSO’d) is enforced for all of your accounts. Take responsibility for your organisation’s security and inform your IT and security team if you are able to log in to work without being prompted for multi-factor authentication regularly.
   - Ensure you aren’t using the same passwords for work as you are for personal services, or re-using the same password across multiple of your services. Threat actors will attempt to use any passwords of yours they have been able to compromise from breaches.
2. For home (staff personal use)
   - Have unique passwords for all online accounts – use a password manager if possible.
   - Turn on MFA for their personal online accounts, including but not limited to Amazon, Google, Facebook, Telegram, GitHub and Apple.
3. For IT / Security Teams
   - I know personally that going through compromised credential feeds and resetting passwords off the back is a painful process due to the rate of false positives. You can test a free trial: https://pushsecurity.com/pricing/ which can monitor for credentials that are confirmed to be usable by an attacker, essentially “verified” stolen credentials. This prevents the time sink of validating what your attack surface is and instead allows you to focus on what is actionable. A load of our clients are trialling this and we’re hearing great feedback; insurers love it also, so it will likely help with premiums.
   - I use it here so if you’d like a demo on how it all works please let me know.