CISA Warns: Secure Microsoft Intune to Prevent Mass Device Wipes

Summary
– CISA has warned companies to secure their employee device management systems after pro-Iran hackers attacked Stryker and mass-wiped thousands of its devices.
– The hackers misused Stryker’s Microsoft Intune system to remotely delete data from employee devices, causing global operational disruption.
– CISA advises that administrative accounts for such systems require a second approval for high-impact actions like wiping devices.
– Stryker confirmed the hack disrupted its network, affecting supply and ordering systems, but its medical devices remain operational.
– The hacktivist group Handala claimed responsibility for the attack, citing retaliation, and the FBI has since seized the group’s website.
A recent cyberattack targeting a major medical technology firm has prompted urgent warnings from federal authorities about securing corporate device management systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is advising organizations to immediately strengthen protections for platforms like Microsoft Intune, following a breach at Stryker Corporation. Pro-Iran hackers exploited network access to misuse the company’s endpoint management system, initiating a mass remote wipe of thousands of employee phones, tablets, and computers. This incident caused significant global operational disruption for the medical device manufacturer.
CISA issued specific guidance for network administrators in response to the attack. The agency recommends implementing strict controls on user accounts with access to mobile device management (MDM) systems. A critical safeguard involves requiring a second administrator’s approval for any sensitive or high-impact actions, such as remotely erasing devices. This multi-person authorization process can prevent a single compromised account from being used to inflict widespread damage across an entire fleet of corporate and employee-owned devices.
Stryker publicly confirmed the cyberattack on March 11, noting it led to a “global disruption” of its network. While the company stated that no malware or ransomware was deployed, reports indicate the hackers leveraged their unauthorized access to reach Stryker’s Intune administration dashboards. From there, they executed commands to delete data from tens of thousands of devices, including personal phones enrolled in the company’s management system. Stryker has since contained the incident and is working to restore affected systems, though its supply chain, ordering, and shipping operations reportedly remain offline with no public recovery timeline provided.
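The failure mode in the two paragraphs above, a single account issuing remote wipes at fleet scale, is also something a SOC can detect from Intune's own audit trail while the preventive control (a second approver for device actions) is being rolled out. The following is an added example, not code from the article or from Stryker, CISA or Microsoft: it runs a sliding-window count of wipe and retire actions per actor over constructed sample audit records. The field names used (actor, activityType, activityDateTime, resourceCount), the "<action> ManagedDevice" activity strings, the contoso.example accounts and the thresholds are assumptions made for illustration; they are a simplified stand-in for the shape of Microsoft Graph auditEvents, not a copy of it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Device actions that destroy user data. The "<action> ManagedDevice" form is an
# assumed, simplified version of how Intune audit events name device actions;
# anything else (policy edits, app assignments) is ignored by the detector.
DESTRUCTIVE_ACTIONS = {"wipe ManagedDevice", "retire ManagedDevice"}


def _constructed_events():
    """Constructed sample audit records (not real Stryker or Intune data).

    Field names are an assumed, simplified stand-in for Graph auditEvents:
    resourceCount is the number of devices one action targeted, so a bulk
    action on 30 devices would be one record with resourceCount 30.
    """
    base = datetime(2025, 1, 15, 2, 0, 0)
    events = []
    # Compromised admin: 25 individual wipes in two minutes (scripted pace).
    for i in range(25):
        events.append({
            "actor": "admin1@contoso.example",
            "activityType": "wipe ManagedDevice",
            "activityDateTime": (base + timedelta(seconds=5 * i)).strftime(TS_FMT),
            "resourceCount": 1,
        })
    # Same admin doing ordinary, non-destructive work later: ignored.
    events.append({
        "actor": "admin1@contoso.example",
        "activityType": "patch DeviceConfiguration",
        "activityDateTime": (base + timedelta(minutes=30)).strftime(TS_FMT),
        "resourceCount": 1,
    })
    # Help desk retiring three lost devices over two hours: normal volume.
    for h in range(3):
        events.append({
            "actor": "helpdesk@contoso.example",
            "activityType": "retire ManagedDevice",
            "activityDateTime": (base + timedelta(hours=h)).strftime(TS_FMT),
            "resourceCount": 1,
        })
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_mass_wipe(events, window_minutes=10, threshold=20):
    """Flag actors whose destructive device actions reach `threshold` devices
    inside any sliding window of `window_minutes`.

    Returns one alert dict per offending actor with the peak device count and
    the time span in which that peak was reached.
    """
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for e in events:
        if e.get("activityType") in DESTRUCTIVE_ACTIONS:
            ts = datetime.strptime(e["activityDateTime"], TS_FMT)
            per_actor[e["actor"]].append((ts, int(e.get("resourceCount", 1))))

    alerts = []
    for actor, actions in per_actor.items():
        actions.sort()
        start, running, peak, span = 0, 0, 0, None
        for end, (ts, n) in enumerate(actions):
            running += n
            # Drop actions that fall out of the window ending at `ts`.
            while ts - actions[start][0] > window:
                running -= actions[start][1]
                start += 1
            if running > peak:
                peak, span = running, (actions[start][0], ts)
        if peak >= threshold:
            alerts.append({
                "actor": actor,
                "devices": peak,
                "from": span[0].strftime(TS_FMT),
                "to": span[1].strftime(TS_FMT),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['devices']} devices wiped/retired "
              f"between {a['from']} and {a['to']}")
```

In production the records would come from the Graph deviceManagement/auditEvents endpoint or from Intune audit logs forwarded to a SIEM, and the window and threshold are a tuning decision against the tenant's normal retire/wipe rate. The detector counts devices rather than events so that one bulk action from the Devices blade is weighted the same as the equivalent number of individual actions. It is a compensating detective control only: it fires after the first wipes have already gone out, which is why CISA's second-approver requirement is the control that actually stops the damage.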
The hacktivist group Handala, which supports Iranian interests, claimed responsibility for the breach. They stated the attack was retaliation for a U.S. airstrike and claimed to have stolen large volumes of data from Stryker’s network, though they did not immediately substantiate this claim. In a related development, the FBI seized the group’s primary website. This event underscores a growing trend where threat actors move beyond data theft to directly sabotage business operations by weaponizing the very IT management tools designed to keep organizations secure.
(Source: TechCrunch)