Weekly Cyber Briefing 13.10.2025

Teenagers arrested after nursery cyber attack; Ransomware groups buddy up; Lapsus$ adopt new credential-purchasing tactics 

Cyber Intelligence Briefing: 13 October 2025

Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.


UK education sector under threat: Two teenagers arrested following cyber attacks on nursery

Two teenagers have been arrested in connection with the recent spate of cyber attacks on a chain of London nurseries. The attackers, who claimed to have stolen the addresses and images of approximately 8,000 children, attempted to extort the nurseries with that data.

Concurrently, a recent report found that the UK education sector is more likely to fall victim to cyber attacks than private businesses, with six out of ten secondary schools having suffered an attack or breach in the past 12 months.

Assured’s CISO reacts:

The success of these arrests relies on comprehensive and preserved logging, effective forensics without compromising evidence, and ensuring chain of custody. If this isn’t an in-house capability, it’s where insurance and retainer response teams come into their own.

Cyber attacks targeting minors carry unique ethical, legal and reputational consequences, and emphasise that institutions caring for children must treat cybersecurity as a core duty.

Red Hat continues to suffer extortion demands as new criminal partnerships evolve

The breach of enterprise software vendor Red Hat, compromised by the criminal group Crimson Collective, has attracted the attention of the extortion group ShinyHunters, which has let Crimson Collective use its leak site to continue its (so far unsuccessful) attempts to extort Red Hat.

Separately, the ransomware operators LockBit, Qilin, and DragonForce announced a ‘strategic’ partnership, likely in an attempt to consolidate malicious activity and share their techniques, resources and infrastructure.

Assured’s CISO reacts:

The worry is that this collaboration may lead to a surge in attacks. This team-up coincides with LockBit 5.0, which has a Windows variant, a new Linux variant and an ESXi variant for targeting VMware. There is some research on the IOCs from Trend Micro here, which shares that analysis of LockBit 4.0 and 5.0 reveals significant code reuse and evolutionary development, rather than a complete rewrite. Improvements include removed infection markers, faster encryption, and enhanced evasion from EDR, making LockBit 5.0 significantly more dangerous than its predecessors.

M1026 — Privileged Account Management (Platform: GPO / AD)

Why chosen: LockBit intrusions commonly succeed only once a privileged account has been compromised or misused. Enforce least privilege and control the privileged account lifecycle via AD/GPO, with LAPS rotating the built-in local Administrator password on every host.
Remove domain/local admin membership via Group Policy Restricted Groups and enforce privileged access workstations
  1. Restricted Groups GPO (Computer Configuration → Policies → Windows Settings → Security Settings → Restricted Groups):
    • Create a Restricted Group entry for Administrators (BUILTIN\Administrators), use the “Members of this group” list, and include only explicit trusted groups, e.g. CONTOSO\Privileged-LocalAdmins. Do not add Domain Admins or vendor accounts directly. At each policy refresh Windows removes every member not on the list; the built-in local Administrator account cannot be removed from the group, which is why its password must be managed by LAPS.
    • Link the GPO to workstation and member-server OUs only, never to the Domain Controllers OU, where Administrators is the domain-level group.
  2. Enforce “Deny log on locally” and “Deny access to this computer from the network” for service/vendor accounts (Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment):
    • Deny log on locally: add CONTOSO\VendorServiceAcct and the CONTOSO\ServiceAccounts group.
    • Deny access to this computer from the network: add the same service account groups, but only on hosts those accounts never need to reach over SMB/RPC; a service account that authenticates to a file share or SQL instance on that host will break. Pilot on one OU first.
    • Group Policy applies these User Rights Assignment settings itself, so no startup script is needed. The ntrights.exe tool sometimes used for this ships only with the Windows Server 2003 Resource Kit and is unsupported on current Windows; if rights must be scripted outside Group Policy, use secedit (/export, edit the INF, /configure) and confirm the result with gpresult /h or a fresh secedit /export.
 

M1018 — User Account Management (Platform: GPO / AD)

Why: restrict the use of vendor/third-party accounts and enforce lockout and ticket-lifetime settings so that a reused or leaked password cannot be sprayed or replayed indefinitely.
Set strict account lockout + Kerberos ticket settings via GPO (exact GPO paths)
  • GPO path: Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Account Lockout Policy (domain account policies only take effect from a GPO linked at the domain root, normally the Default Domain Policy):
    • Account lockout threshold = 5 invalid logon attempts
    • Account lockout duration = 30 minutes
    • Reset account lockout counter after = 15 minutes
    • Caveat: a low threshold also lets an attacker lock accounts out deliberately; monitor event ID 4740 on the PDC emulator, and use a fine-grained password policy (PSO) for privileged or service accounts rather than lowering the domain-wide threshold further.
  • Kerberos ticket lifetime (GPO path: Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Kerberos Policy, again in the domain-root GPO; this is not an Administrative Template setting or a per-user AD property):
    • Maximum lifetime for user ticket = 4 hours (the setting is expressed in hours; the default is 10).
    • Leave Maximum lifetime for user ticket renewal at its default of 7 days or lower it together with the TGT lifetime; no Group Policy Preferences registry override is needed.
Disable local interactive and RDP logon for service/third-party accounts via GPO (explicit User Rights)
  • GPO path: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment
    • Deny log on through Remote Desktop Services: add CONTOSO\ServiceAccounts and CONTOSO\VendorAccountGroup.
    • Deny log on locally: add the same groups.
  • Link the GPO to the OUs containing servers and ESXi management workstations; verify on a target host with gpresult /h report.html and by checking the effective rights with secedit /export.
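The following script is an added verification example, not code from the briefing: it checks on a host that the deny-logon rights from M1026/M1018 contain the intended principals and that local Administrators membership matches the Restricted Groups allow-list. The SID and group names in the parameter defaults are placeholders standing in for the briefing's CONTOSO examples and must be replaced with your own.

```powershell
# Added example (not part of the briefing): verify that the deny-logon rights and local
# Administrators membership from M1026/M1018 are actually in effect on this host.
# Run elevated in Windows PowerShell 5.1 or PowerShell 7 on Windows.
param(
    # Principals (as *SID strings, the form secedit exports) that must appear in every deny right.
    # Placeholder SID for CONTOSO\ServiceAccounts; replace with the real group SID.
    [string[]]$RequiredDenyPrincipals = @("*S-1-5-21-0000000000-0000000000-0000000000-1105"),
    # Accounts/groups allowed in local Administrators (assumed allow-list, matches the briefing's example group)
    [string[]]$AllowedLocalAdmins     = @("Administrator", "CONTOSO\Privileged-LocalAdmins"),
    [string]$SeceditExport            = "$env:TEMP\secpol-audit.inf"
)

# Rights that should deny service/vendor accounts: local, network and RDP logon
$DenyRights = @("SeDenyInteractiveLogonRight", "SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight")

function Get-PrivilegeRights {
    param([string]$InfPath)
    # secedit writes a UTF-16 INF; the [Privilege Rights] section holds "SeRight = *SID,*SID" lines.
    # Every principal is written as *SID, so the comparison is done on SIDs, not names.
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $InfPath -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

# 1. Export the effective local security policy (includes GPO-applied User Rights Assignment)
$null = secedit.exe /export /cfg $SeceditExport /areas USER_RIGHTS /quiet
$rights = Get-PrivilegeRights -InfPath $SeceditExport
Remove-Item $SeceditExport -ErrorAction SilentlyContinue

$findings = @()
foreach ($right in $DenyRights) {
    $present = @($rights[$right])
    foreach ($p in $RequiredDenyPrincipals) {
        if ($present -notcontains $p) {
            $findings += "MISSING: $p is not in $right (current: $($present -join ', '))"
        }
    }
}

# 2. Compare local Administrators membership with the Restricted Groups allow-list
$members = Get-LocalGroupMember -Group "Administrators" | Select-Object -ExpandProperty Name
foreach ($m in $members) {
    $short = $m -replace "^$env:COMPUTERNAME\\", ''   # local accounts are reported as HOST\Name
    if ($AllowedLocalAdmins -notcontains $short) { $findings += "UNEXPECTED local admin: $m" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: deny rights and local Administrators membership match policy on $env:COMPUTERNAME"
```

Run it on a pilot host after a gpupdate /force; a non-zero exit code means the GPO did not land as intended (typically a link or security-filtering problem), which is cheaper to discover here than during an incident.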

M1032 — Multi‑Factor Authentication (MFA) (Platform: Intune — device posture + device‑based requirement to reduce abuse of unmanaged tooling)

Note: enforcing MFA on sign-ins is a Conditional Access function in Entra ID (Azure AD), not an Intune one. The Intune steps here build the device-posture side: a compliance policy marks managed, healthy devices as compliant, and a Conditional Access policy that requires a compliant device then blocks sign-ins from unmanaged endpoints even when the attacker holds valid credentials.

Create an Intune device compliance policy that marks only managed, healthy devices as compliant
  • Intune → Devices → Compliance policies → Create policy → Windows 10 and later:
    • Require BitLocker: Require.
    • Require Device Health Attestation (Secure Boot enabled, code integrity enabled): Require.
    • Actions for noncompliance: mark the device noncompliant immediately (0 days), so the Conditional Access check takes effect without a grace period.
  • Pair it with a Conditional Access grant control of “Require device to be marked as compliant”; without that policy the compliance state is reported but never enforced.

M1049 — Antivirus / Antimalware (Platform: Intune — manage Defender and scripted preferences across Windows fleet)

Why chosen: Trend Micro highlights new obfuscation and the removal of infection markers in LockBit 5.0, so signature-only detection is unreliable; controlled folder access blocks unauthorised processes from modifying protected data paths regardless of how the encryptor is packed.
Deploy a PowerShell script via Intune to enable controlled folder access (file-hash blocking is a Defender for Endpoint indicator, not a Set-MpPreference setting; see the comments)
  • Intune → Devices → Scripts and remediations → Platform scripts → Add (Windows 10 and later); script body:
# Enable controlled folder access. Start in AuditMode on a pilot group and review
# Microsoft-Windows-Windows Defender/Operational event ID 1124 before switching to Enabled,
# because a blanket C:\Users\ entry also blocks legitimate apps writing under AppData.
Set-MpPreference -EnableControlledFolderAccess Enabled
# Add-MpPreference appends to the protected-folder list; Set-MpPreference would replace the defaults
Add-MpPreference -ControlledFolderAccessProtectedFolders @("C:\Users\", "D:\Data")
# Known LockBit sample hashes from the referenced IOC list. These are NOT Defender threat IDs:
# -ThreatIDDefaultAction_Ids expects numeric IDs, and action value 6 means Allow, not quarantine.
# Submit SHA-256 indicators through Microsoft Defender for Endpoint instead
# (Settings → Endpoints → Indicators → File hashes, action "Block and remediate") or via the Indicators API.
$hashes = @("7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82",
            "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38")
$hashes | Set-Content -Path "$env:ProgramData\lockbit-ioc-sha256.txt"   # staged for indicator import
  • Assign the script to a device group with “Run this script using the logged on credentials: No” (runs as SYSTEM) and “Run script in 64 bit PowerShell Host: Yes”. Intune runs a platform script once per device and re-runs it only when the script changes; the Set-MpPreference settings persist, but for ongoing enforcement prefer the Endpoint security → Attack surface reduction → Controlled folder access profile, which Intune reapplies continuously.

M1042 — Disable or Remove Feature or Program (SMBv1 / Legacy Protocols) (Platform: GPO)
Why chosen: ransomware operators routinely use legacy protocols for lateral movement; explicitly disabling SMBv1 and other legacy services removes those channels before an encryptor can spread.
Step A — Disable SMBv1 on servers and endpoints via GPO registry preference (exact registry keys)
  • GPO (Computer Configuration → Preferences → Windows Settings → Registry):
    • Registry value that disables the SMBv1 client driver:
      • Path: HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10
      • Value: Start (DWORD) = 4
      • Also remove MRxSmb10 from the DependOnService multi-string under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation, leaving Bowser, MRxSmb20 and NSI; otherwise the Workstation service will not start once the driver is disabled.
    • Registry value that disables the SMBv1 server component:
      • Path: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
      • Value: SMB1 (DWORD) = 0
    • Both changes need a reboot. On Windows 10/11 and Server 2016 and later, removing the SMB1Protocol optional feature is the cleaner end state; the registry values are still worth enforcing so the protocol cannot be silently re-enabled.
Disable other legacy services commonly abused (Telnet, NetBIOS over TCP/IP) via GPO service and registry preferences
  • Services (GPO: Computer Configuration → Policies → Windows Settings → Security Settings → System Services):
    • Set the Telnet service startup type to Disabled where it exists. Current Windows releases no longer ship a Telnet server; the Telnet client is an optional feature and should be removed rather than merely disabled.
  • Registry to disable NetBIOS over TCP/IP (for DHCP clients) via GPO registry preference:
    • Path: HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}
    • Value: NetbiosOptions (DWORD) = 2 (Disable NetBIOS over TCP/IP)
    • The interface GUID differs on every host, so a single preference item covers only one adapter; either set the DHCP scope option “001 Microsoft Disable Netbios Option” = 2 or use a startup script that sets the value on every Tcpip_ subkey.
  • Link the GPO to server and endpoint OUs; test in staging, and check for anything that still depends on NetBIOS name resolution (WINS, legacy printers) or SMBv1 (old NAS devices, MFPs) before enforcing.
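As an added example (not code from the briefing), the script below audits the SMBv1 and NetBIOS state described in Step A and the NetBIOS step on the local host and, with the example's own -Enforce switch, applies the same hardening. It uses the registry paths the briefing lists plus the supported SMB cmdlets, and it loops over every Tcpip_ subkey so the per-interface GUID never has to be known in advance.

```powershell
# Added example (not from the briefing): audit and, with -Enforce, apply the SMBv1 and NetBIOS
# hardening above on the local host. Run elevated in Windows PowerShell 5.1 / PowerShell 7 on Windows.
# On Windows Server the SMBv1 feature is FS-SMB1 (Remove-WindowsFeature); the optional-feature
# name below is the client one the briefing's registry keys are paired with.
param([switch]$Enforce)

$NetbtInterfaces = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
$Mrxsmb10        = "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10"

function Get-Smb1State {
    # Server side: Get-SmbServerConfiguration reflects the effective LanmanServer\Parameters\SMB1 setting.
    # Client side: the mrxsmb10 driver Start value (4 = disabled) from the briefing.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $driver  = (Get-ItemProperty $Mrxsmb10 -ErrorAction SilentlyContinue).Start
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State } else { "NotPresent" }
    [pscustomobject]@{
        ServerSmb1Enabled    = [bool]$server
        ClientDriverStart    = $driver          # $null when the driver is already absent
        OptionalFeatureState = $featureState
    }
}

function Get-NetbiosState {
    # One Tcpip_{GUID} subkey per adapter; NetbiosOptions 2 = disabled (0 = via DHCP, 1 = enabled)
    Get-ChildItem $NetbtInterfaces | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty $_.PSPath).NetbiosOptions
        }
    }
}

function Disable-Smb1AndNetbios {
    # Server component off (same effect as LanmanServer\Parameters\SMB1 = 0)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client driver off plus the Workstation dependency fix that goes with it
    Set-ItemProperty $Mrxsmb10 -Name Start -Value 4 -Type DWord -ErrorAction SilentlyContinue
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    # Remove the optional feature entirely where it is still installed
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq "Enabled") {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # NetBIOS over TCP/IP off on every interface, not just the one GUID a GPO preference item can name
    Get-ChildItem $NetbtInterfaces | ForEach-Object {
        Set-ItemProperty $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

if ($Enforce) { Disable-Smb1AndNetbios }

$smb = Get-Smb1State
$nb  = @(Get-NetbiosState)
$smb | Format-List
$nb  | Format-Table -AutoSize

$bad = @()
if ($smb.ServerSmb1Enabled) { $bad += "SMBv1 server still enabled" }
if ($null -ne $smb.ClientDriverStart -and $smb.ClientDriverStart -ne 4) {
    $bad += "mrxsmb10 Start is $($smb.ClientDriverStart), expected 4"
}
$bad += $nb | Where-Object { $_.NetbiosOptions -ne 2 } | ForEach-Object { "NetBIOS over TCP/IP still on for $($_.Interface)" }

if ($bad) { $bad | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: SMBv1 and NetBIOS over TCP/IP are disabled on $env:COMPUTERNAME (reboot required if just changed)"
```

Run it without -Enforce first across a sample of hosts to see where the GPO did not apply; the driver and dependency changes only take full effect after a reboot, so a host that was just enforced can still report the old state until then.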

Lapsus$ adopt new credential-purchasing tactics

Lapsus$ has shifted tactics and is now openly offering to buy credentials from employees of companies with revenues above $500 million; around 1,500 UK firms meet that threshold. Their primary targets include organisations in the telecom, software, gaming, data hosting, and call centre sectors.

This approach has already been seen in action, for example in the Discord–Zendesk compromise, where the group reportedly offered €500 to individuals who could prove employment at a BPO (business process outsourcing) company, with lump-sum payments in the thousands for anyone providing initial access.

Assured’s CISO reacts:

We are seeing less time spent on social engineering in favour of buying their way in. For security teams, detections for unauthorised access (risky sign-ins), along with strong conditional access policies designed against this use case, and workflows for admin privilege escalations, are all key controls.

M1032 – Multi-factor Authentication (MFA)

Risk Addressed: use of purchased credentials for unauthorised access when no second factor is required.
Implementation Steps (Entra ID Conditional Access; these are identity-platform steps, not Intune ones):
  • Step 1: Create a Conditional Access policy requiring MFA for every user on every cloud app. Scoping the policy to admins or to risky sign-ins only leaves a bought password for an ordinary employee fully usable, which is exactly the Lapsus$ case. The AzureAD PowerShell module previously used for this is retired; the Microsoft Graph PowerShell equivalent is:
    Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"
    $policy = @{
        displayName = "Require MFA for all users"
        state       = "enabledForReportingButNotEnforced"   # review report-only results in the sign-in logs, then set to "enabled"
        conditions  = @{
            users        = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
  • Step 2: Restrict the MFA methods users can register so that a purchased password cannot be paired with a weak SMS or voice-call factor. The Set-MsolUser StrongAuthenticationMethods approach belongs to the retired MSOnline module; configure this tenant-wide instead under Entra admin center → Protection → Authentication methods → Policies (enable Microsoft Authenticator, disable SMS and Voice call), or replace builtInControls in the policy above with an authentication strength that lists only the permitted methods.
M1026 – Privileged Account Management

Risk Addressed: misuse of purchased credentials that already carry elevated access.
Implementation Steps (Entra ID Privileged Identity Management; not Intune):
  • Step 1: Make privileged roles eligible rather than permanently active in PIM and require approval plus justification to activate them, so a bought admin password yields nothing without a second person approving. The AzureADMSPrivilegedRoleSetting cmdlets belong to the retired AzureADPreview module; set this per role in Entra admin center → Identity governance → Privileged Identity Management → Microsoft Entra roles → Roles → (role) → Settings → Edit: Require approval to activate = Yes (select approvers), Require justification on activation = Yes.
  • Step 2: Remove persistent admin assignments by capping Just-In-Time activation at a short window, here one hour, on the role's management policy (Microsoft Graph PowerShell; Global Administrator shown, repeat for each privileged role):
    Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"
    $roleId   = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template ID
    $policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleId'").PolicyId
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"; id = "Expiration_EndUser_Assignment"; isExpirationRequired = $true; maximumDuration = "PT1H" }
    Then convert each remaining permanent active assignment to an eligible one (PIM → Microsoft Entra roles → Assignments) so every use of the role goes through activation.
M1042 – Disable or Remove Feature or Program

Risk Addressed: abuse of unmanaged tools and scripts on the endpoint after an unauthorised sign-in.
Implementation Steps (Intune):
  • Step 1: Constrain script execution with an Intune custom configuration profile (Devices → Configuration → Create → Windows 10 and later → Templates → Custom), adding one OMA-URI row (verify the node against the Policy CSP reference for your Windows build before deploying):
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/PowerShell/ScriptExecution
    • Data type: Integer
    • Value: 0 (script execution disabled)
    Caveat: PowerShell's execution policy is not a security boundary (powershell.exe -ExecutionPolicy Bypass defeats it), and disabling scripts also breaks the Intune platform scripts used elsewhere in this briefing. Treat it as hygiene only; the effective control is application control (AppLocker or WDAC, which also puts PowerShell into Constrained Language Mode) together with script block logging for detection.
  • Step 2: Remove the Windows Subsystem for Linux optional feature so an attacker cannot side-load Linux tooling onto the workstation. Add-WindowsCapability has no -Remove parameter; WSL is an optional feature, so the command (deployed as an Intune platform script running as SYSTEM) is:
    Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart
M1047 – Audit

Risk Addressed: lack of visibility into high-risk or anomalous sign-ins made with sold credentials.
Implementation Steps (Entra ID Protection and log export; not Intune):
  • Step 1: Turn on risk-based detection and alerting in Entra ID Protection (requires Entra ID P2). There is no AzureAD cmdlet for this; configure it in Entra admin center → Protection → Identity Protection: set the user risk policy (or a Conditional Access policy with the user risk condition) to require a secure password change at High, the sign-in risk policy to require MFA at Medium and above, and under Notifications enable “Users at risk detected alerts” for High. Export SignInLogs, RiskyUsers and UserRiskEvents to Log Analytics or Microsoft Sentinel through Monitoring → Diagnostic settings so the events are queryable and retained.
  • Step 2: Automate on the exported risk detections. In a Logic App triggered by a riskDetection record, note that riskLevel is a string ("low", "medium", "high"), not a number, so a numeric comparison never matches; match on the level and the detection type instead:
    "condition": "@and(equals(triggerBody()?['riskLevel'], 'high'), or(equals(triggerBody()?['riskEventType'], 'unlikelyTravel'), equals(triggerBody()?['riskEventType'], 'mcasImpossibleTravel')))"
    Impossible travel is one of the built-in detections (unlikelyTravel, and mcasImpossibleTravel when Defender for Cloud Apps is connected), so a P2 tenant should consume those rather than recompute geolocation; tenants without P2 still have the raw sign-in logs and can run a simple travel-speed check over them.

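The script below is an added example, not code from the briefing or from Assured, of the travel-speed check mentioned under M1047 for tenants that lack P2 risk detections or want to sanity-check them. It runs offline over constructed sample sign-ins embedded in the script; the user names, IP addresses (documentation ranges), coordinates and the 900 km/h threshold are this example's own assumptions. For live data, feed it the output of Get-MgAuditLogSignIn (user, createdDateTime and location.geoCoordinates) mapped to the same fields.

```powershell
# Added example (not part of the briefing): a minimal impossible-travel check over sign-in records.
# Works in Windows PowerShell 5.1 and PowerShell 7; no modules needed for the sample data.

function Get-GreatCircleKm {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine distance on a 6371 km sphere
    $toRad = [math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 6371 * 2 * [math]::Atan2([math]::Sqrt($a), [math]::Sqrt(1 - $a))
}

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,   # objects with User, Time, Lat, Lon, Country, Ip
        [double]$MaxKmPerHour = 900                  # faster than a commercial flight: not the same person
    )
    $hits = @()
    foreach ($group in ($SignIns | Sort-Object Time | Group-Object User)) {
        $events = @($group.Group)
        for ($i = 1; $i -lt $events.Count; $i++) {
            $prev = $events[$i - 1]; $curr = $events[$i]
            $km    = Get-GreatCircleKm $prev.Lat $prev.Lon $curr.Lat $curr.Lon
            $hours = ($curr.Time - $prev.Time).TotalHours
            # Geo-IP jitter inside one city must not alert; only consider real distance
            if ($km -lt 100) { continue }
            $speed = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }
            if ($speed -gt $MaxKmPerHour) {
                $hits += [pscustomobject]@{
                    User      = $group.Name
                    From      = "$($prev.Country)/$($prev.Ip)"
                    To        = "$($curr.Country)/$($curr.Ip)"
                    Minutes   = [math]::Round($hours * 60, 1)
                    Km        = [math]::Round($km)
                    KmPerHour = [math]::Round($speed)
                }
            }
        }
    }
    return $hits
}

# Constructed sample sign-ins (not real log data). alice flies London -> New York in 9 h (plausible);
# bob "travels" London -> Sao Paulo in 30 min, the signature of a second party using his password.
$t0 = Get-Date "2025-10-13T08:00:00Z"
$sample = @(
    [pscustomobject]@{ User = "alice@contoso.com"; Time = $t0;                Lat = 51.5074;  Lon = -0.1278;  Country = "GB"; Ip = "203.0.113.10" }
    [pscustomobject]@{ User = "alice@contoso.com"; Time = $t0.AddHours(9);    Lat = 40.7128;  Lon = -74.0060; Country = "US"; Ip = "198.51.100.7" }
    [pscustomobject]@{ User = "bob@contoso.com";   Time = $t0.AddMinutes(5);  Lat = 51.5074;  Lon = -0.1278;  Country = "GB"; Ip = "203.0.113.11" }
    [pscustomobject]@{ User = "bob@contoso.com";   Time = $t0.AddMinutes(35); Lat = -23.5505; Lon = -46.6333; Country = "BR"; Ip = "192.0.2.44" }
)

# Only bob's pair is reported: roughly 9,500 km in 30 minutes, far above the threshold
Find-ImpossibleTravel -SignIns $sample | Format-Table -AutoSize
```

The 100 km floor and the speed threshold are the two knobs that decide the false-positive rate; VPN egress points and mobile carrier NATs are the usual sources of noise, so whitelist known corporate egress IPs before alerting on the output.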