Filter articles

General 23.06.2025

UBS and Scania data compromised in separate third-party security breaches | Cyber Intelligence Briefing: 23 June 2025

Author: Powered by S-RM

Cyber Intelligence Briefing: 23 June 2025

Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.

UBS and Scania data compromised in separate third-party security breaches

A cyberattack targeting ChainIQ, a third-party supplier, resulted in a data breach impacting Swiss bank UBS. Although the bank claimed no client data was affected, threat actor group World Leaks (previously known as Hunters International) published data of around 130,000 UBS employees on the dark web, including the direct phone number of the UBS CEO.
Swedish manufacturer Scania also suffered a data breach as cyber criminals broke into the network of its third-party external IT partner and targeted insurance related documents.

[Researcher: Aditya Ganjam Mahesh, S-RM]

Assured’s vCISO reacts:

“Third party suppliers, in particular MSPs, have been central to recent cyber attacks/data breaches. Considering how to protect yourself when 3rd parties have significant access to data, your network and privileged accounts, we’ve picked…”

1. M1032) Enforce multi-factor authentication (mfa) for privileged accounts – Create conditional access policy:

    • In Azure AD, navigate to Security > Conditional Access
    • Create a new policy targeting privileged roles (e.g., Global Administrator, Exchange Administrator).
    • Under “Access controls,” select “Grant” and require multi-factor authentication.
  • Assign policy to MSP accounts:
    • Identify all MSP-related accounts.
    • Include these accounts in a security group.
    • Apply the Conditional Access policy to this group to enforce MFA.

2. M1042) Restrict powershell execution to authorised users – Set powershell execution policy:

    • Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
    • Enable the policy “Turn on Script Execution” and set it to “Allow only signed scripts.”
  • Restrict powershell access:
    • Create a GPO to define Software Restriction Policies.
    • Under Security Levels, set the default to “Disallowed.”
    • Create additional rules to allow PowerShell only for authorised groups or users.

3. M1030) Implement network segmentation for MSP access – Define IP security policies:

    • Navigate to: Computer Configuration > Windows Settings > Security Settings > IP Security Policies on Active Directory.
    • Create a new IP security policy that restricts traffic between MSP-managed systems and sensitive internal resources.
  • Apply firewall rules:
    • Use Windows Defender Firewall with Advanced Security.
    • Create inbound and outbound rules to allow only necessary ports and protocols between MSP IP ranges and internal servers.

4. M1047) Enable comprehensive audit logging – Configure audit policy:

    • Navigate to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
    • Enable auditing for account logon events, object access, and privilege use.
  • Set up log forwarding:
    • Use Event Forwarding to collect logs from MSP-managed systems.
    • Configure a central event collector server to receive and store logs for analysis and correlation.

5. M1050) Exploit protection – Enforce RDP access via jump box only

    • Create a GPO under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules.
    • Define a rule allowing inbound TCP on port 3389 only from a dedicated jump server IP range (e.g., 10.50.0.0/24).
    • Block all other inbound RDP traffic by default to internal endpoints.
  • Enable Network Level Authentication (NLA) for RDP:
    • Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
    • Enable the policy “Require user authentication for remote connections by using Network Level Authentication” and set it to “Enabled”.
    • This ensures MSP users must pass authentication before any session is established, reducing the attack surface.

16 billion user passwords leaked online in aggregated infostealer datasets

Security researchers have identified a data leak containing 16 billion passwords for various online services including Apple, Facebook, GitHub, and Google. The leak is an amalgamation of 30 old and new datasets and may contain some duplication, and other researches have played down its significance. The source of the leak is likely from infostealer malware, which is a kind of malicious software that steals sensitive information like passwords from end users’ devices.

[Researcher: James Tytler, S-RM]

Assured’s vCISO reacts:

“Looking at the types of attack steps that can lead to this incident, we’ve picked five MITRE ATT&CK mitigations.”

1. M1032) Enforce MFA for all admin and third-party accounts – Conditional access policy for MFA enforcement:

    • In Microsoft Entra Admin Center > Entra ID > Conditional Access > Policies.
    • Create a policy “Require MFA for Admins and Third-Party Accounts”.
    • Assign to all users except break-glass accounts.
    • Grant control: “Require multifactor authentication”.
  • Configure MFA registration campaign:
    • Navigate toEntra ID > Protection > Authentication methods > Registration campaign
    • Enable registration prompts for users not enrolled in MFA.
    • Scope to all users or high-risk groups.

2. M1027) Implement strong password policies – Domain password policy settings:

    • GPO Path: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
    • Set:
      • Enforce password history = 24
      • Maximum password age = 60 days
      • Minimum length = 14 characters
      • Complexity requirements = Enabled
  • Force policy refresh:
    • Use a startup script or admin command
  • Deploy password policy verification:
    • Use of shadow SaaS not on SSO
    • Weak or breached passwords
    • Reused passwords across corporate and SaaS accounts

3. M1054) Eliminate local browser password storage – Disable built-in password manager:

    • Edge: Set Password Manager Enabled to False in Intune.
    • Chrome: Use ADMX-backed custom OMA-URI:
  • Force Azure AD SSO:
    • Configure Azure AD Enterprise SSO with Kerberos or NTLM.
    • Apply Conditional Access to mandate SSO over local credential storage.
  • Provide a password manager:
    • Only where SSO is not possible.
    • Enforce MFA and strong passwords to access.
    • Audit password sharing via manager.

4. M1027) Remove saved credentials from windows credential manager – Block vault storage:

    • GPO Path: Computer configuration > Administrative templates > System > Credentials delegation
    • Enable “Do not allow storage of passwords and credentials for network automation.
  • Purge Cached Credentials at Logon:
    • Deploy via GPO a logon script:
    • cmdkey /list | ForEach-Object {
      if ($_ -match “Target:”) {
      $target = ($_ -split “:”)[1].Trim();
      cmdkey /delete:$target
      }
      }

5. M1030) Implement threat intelligence-based egress filtering – Block known infostealer C2 hosts:

    • Import IOCs (e.g., from UK NCSC) into firewall or Defender for Endpoint.
    • Apply deny rules for known exfil domains and proxy servers.
  • Restrict egress by app and port:
    • GPO > Windows Defender Firewall:
      • Allow only trusted applications to use TCP 443/80.
      • Deny all EXE outbound from %APPDATA%, %TEMP%, %USERPROFILE%\Downloads.

Topics

Latest articles

Be an insider. Sign up now!