- CISA warns US companies after the Stryker Intune wipe
- Urges stronger endpoint management configurations, least privilege, MFA, and multi-admin approvals
- FBI and Microsoft coordinate to counter Iranian hacktivists linked to Handala
The US Cybersecurity and Infrastructure Security Agency (CISA) urges companies in the country to strengthen the configurations of their endpoint management systems and avoid suffering the same fate as Stryker.
If you haven’t been paying attention, an Iranian hacking collective called Handala broke into Stryker, (allegedly) stole 50 terabytes of data, and then used a compromised Microsoft Intune administrator account to wipe nearly 80,000 of the company’s devices in just a few hours.
The company was literally forced to operate with pen and paper due to the severity of the disruption.
Defense against Handala
Earlier this week, CISA issued a new alert, saying it is “aware of malicious cyber activity targeting endpoint management systems of US organizations based on the cyberattack against Stryker.” It urged companies to bolster their defenses using Microsoft’s recommendations and emphasized that it was coordinating with the FBI to identify additional threats.
Microsoft’s recommendations include:
- Applying least-privilege principles to administrator roles
- Using Intune role-based access control to assign the minimum necessary permissions
- Applying phishing-resistant multi-factor authentication
- Using Microsoft Login ID to block unauthorized access
- Configuring access policies in Microsoft Intune to require approval from multiple administrators
- Configuring policies that require approval from a second administrator account for sensitive, high-impact changes
“The principles in these recommendations can be applied to Intune and, more broadly, other endpoint management software,” CISA added.
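On the detection side, the attack pattern described above (one administrator account wiping tens of thousands of devices in a few hours) is a burst of high-impact actions from a single identity. The script below is an added illustration, not code from the article, CISA or Microsoft: it applies a sliding-window threshold to an assumed, simplified audit-event stream (timestamp, actor, action, device) and flags any actor whose wipe commands exceed the threshold within the window. The event shape, account names and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified shape:
# (ISO timestamp, actor, action, device). Real Intune audit records
# carry more fields; map them to this shape before calling the detector.
SAMPLE_EVENTS = [
    ("2026-03-11T02:00:00", "admin-a@example.com", "wipe", "dev-001"),
    ("2026-03-11T02:00:30", "admin-a@example.com", "wipe", "dev-002"),
    ("2026-03-11T02:01:00", "admin-a@example.com", "wipe", "dev-003"),
    ("2026-03-11T02:01:30", "admin-a@example.com", "wipe", "dev-004"),
    ("2026-03-11T02:02:00", "admin-a@example.com", "wipe", "dev-005"),
    ("2026-03-11T02:02:30", "admin-a@example.com", "wipe", "dev-006"),
    ("2026-03-11T02:05:00", "admin-b@example.com", "wipe", "dev-101"),
    ("2026-03-11T02:06:00", "admin-b@example.com", "sync", "dev-102"),
    ("2026-03-11T03:10:00", "admin-b@example.com", "wipe", "dev-103"),
]


def find_mass_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: timestamp} for every actor whose 'wipe' actions
    reach `threshold` within any `window`-long sliding interval.
    The timestamp recorded is the event at which the threshold was hit,
    i.e. the earliest point an alert could have fired."""
    recent = defaultdict(deque)  # actor -> timestamps of wipes in window
    alerts = {}
    for ts, actor, action, _device in sorted(events):
        if action != "wipe":
            continue  # only destructive actions count toward the burst
        now = datetime.fromisoformat(ts)
        q = recent[actor]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()  # drop wipes that fell out of the window
        if len(q) >= threshold and actor not in alerts:
            alerts[actor] = ts
    return alerts


if __name__ == "__main__":
    for actor, when in find_mass_wipes(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} crossed the wipe threshold at {when}")
```

In the sample, admin-a triggers the alert on its fifth wipe while admin-b, whose two wipes are more than an hour apart, does not.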
Although unconfirmed, many security researchers believe that the attack on Stryker is the result of US and Israeli aggression against Iran. Handala stated that in its operation “more than 200,000 systems, servers and mobile devices have been erased, and 50 terabytes of critical data have been extracted.”
The group is being described as “hacktivists linked to Iran’s Ministry of Intelligence and Security,” and primarily targets Israeli organizations around the world.
Via Bloomberg