- CISA warns US firms after Stryker Intune wipe
- Urges stronger endpoint management configs, least privilege, MFA, multi-admin approvals
- FBI and Microsoft coordinating to counter Handala-linked Iranian hacktivists
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging businesses in the country to harden their endpoint management system configurations and avoid suffering the same fate as Stryker.
If you haven’t been paying attention, an Iranian hacking collective called Handala broke into Stryker, (allegedly) stole 50 terabytes of data, and then used a compromised Microsoft Intune admin account to wipe almost 80,000 company devices in just a few hours.
The company was literally forced to operate on pen and paper due to the severity of the disruption.
Article continues below
Defending against Handala
Earlier this week, CISA issued a new alert, saying it is “aware of malicious cyber activity targeting endpoint management systems of US organizations based on the cyberattack against Stryker”. It urged businesses to bolster their defenses using Microsoft’s recommendations, and stressed it was coordinating with the FBI to identify additional threats.
Microsoft’s recommendations include:
- Using principles of least privileges for admin roles
- Using Intune’s role-based access control to assign minimum permissions necessary
- Enforcing phishing-resistant multi-factor authentication
- Using Microsoft Entra ID to block unauthorized access
- Configuring access policies to require Multi Admin Approval in Microsoft INtune
- Setting up policies that require a second admin account’s approval for sensitive and high-impact changes
“The principles of these recommendations can be applied to Intune and more broadly to other endpoint management software,” CISA added.
Although it is not confirmed, many security researchers believe the attack on Stryker is the result of US and Israeli aggression against Iran. Handala claimed that in its operation “over 200,000 systems, servers, and mobile devices have been wiped, and 50 terabytes of critical data have been extracted.”
The group is being described as “hacktivists linked to Iran’s Ministry of Intelligence and Security”, targeting mostly Israeli organizations around the world.
Via Bloomberg
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/gaGNk35XKYpmpPGJq8v2tU-2560-80.jpg
Source link
