In the wake of a wave of cyber attacks over the past week, including an ongoing incident at medical technology firm Stryker, the US Cybersecurity and Infrastructure Security Agency (Cisa) has urged organisations to immediately harden their endpoint management system configurations against intrusion by Iran-linked threat actors and others.

The 11 March incident at Michigan-based Stryker targeted its Microsoft Intune endpoint management systems, and saw Microsoft devices wiped and data stolen, resulting in widespread disruption and, in some cases, knock-on effects for frontline healthcare services.

It was swiftly claimed by the Iranian hacktivist Handala operation as retaliation for the continued Israeli-US war on Iran.

Since then, Cisa said it has been working closely with its US partners, including the FBI, to identify further threats and risks to organisations.

“To defend against similar malicious activity that misuses legitimate endpoint management software, Cisa urges organisations to implement Microsoft’s newly released best practices for securing Microsoft Intune,” said Cisa in a statement.

“The principles of these recommendations can be applied to Intune and more broadly to other endpoint management software,” the agency added.

Organisations are advised to use Intune’s role-based access control features to enforce principles of least privilege, giving users the minimum permissions necessary to complete their day-to-day tasks; to rigorously enforce phishing-resistant multi-factor authentication and privileged access hygiene with Microsoft Entra; and to reconfigure Intune access policies to require the approval of multiple administrators for sensitive or high-impact actions.
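As an added illustration, not taken from the article or from Microsoft’s guidance, the following check shows how a defender might watch endpoint-management audit events for the kind of mass-wipe activity described above; the record schema, field names and sample records are constructed assumptions rather than real Intune output.

```python
"""Flag bursts of destructive endpoint-management actions in audit events.
Constructed example: schema, field names and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE_VERBS = {"wipe", "retire", "delete"}  # assumed naming convention

# Constructed sample records: one admin issues four wipes within two minutes,
# a help-desk account issues two actions hours apart, plus benign noise.
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-11T02:00:05Z", "actor": "admin1@example.com",
     "activityType": "wipe ManagedDevice"},
    {"activityDateTime": "2026-03-11T02:00:40Z", "actor": "admin1@example.com",
     "activityType": "wipe ManagedDevice"},
    {"activityDateTime": "2026-03-11T02:01:10Z", "actor": "admin1@example.com",
     "activityType": "create DeviceConfiguration"},
    {"activityDateTime": "2026-03-11T02:01:30Z", "actor": "admin1@example.com",
     "activityType": "wipe ManagedDevice"},
    {"activityDateTime": "2026-03-11T02:02:30Z", "actor": "admin1@example.com",
     "activityType": "wipe ManagedDevice"},
    {"activityDateTime": "2026-03-11T09:00:00Z", "actor": "helpdesk@example.com",
     "activityType": "retire ManagedDevice"},
    {"activityDateTime": "2026-03-11T15:00:00Z", "actor": "helpdesk@example.com",
     "activityType": "wipe ManagedDevice"},
]


def is_destructive(activity_type: str) -> bool:
    """True when the activity's leading verb is in DESTRUCTIVE_VERBS."""
    return activity_type.split(" ", 1)[0].lower() in DESTRUCTIVE_VERBS


def find_wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: peak count} for actors issuing >= threshold destructive
    actions inside any sliding window; attempts count whether or not they succeed."""
    times_by_actor = defaultdict(list)
    for ev in events:
        if is_destructive(ev["activityType"]):
            ts = datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            times_by_actor[ev["actor"]].append(ts)
    alerts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts
```

Such a rule complements, rather than replaces, the preventive controls above: multi-admin approval stops a single compromised account from issuing bulk wipes, while this check gives responders an early signal if prevention is bypassed.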

Global peers

Keven Knight, CEO of Talion, said that Cisa’s guidance was equally applicable to Cisa’s global peers, and that he anticipated similar alerts from them – the UK’s National Cyber Security Centre (NCSC) has already published a wider cyber alert concerning the Iran war.

“What made the Stryker attack so damaging is that it wasn’t executed for money; its motivation was pure destruction, and unlike typical ransomware attacks, there was no option to pay the attackers and get the data back,” he said. “If backups were not in place, it essentially means game over and rebuilding everything from scratch.

“It’s safe to say that given the current geopolitical climate, these types of destructive attacks are going to be happening more frequently. Hardening endpoints, applying least privileged access, running frequent backups and having well-rehearsed incident response plans in place are all essential steps.

“These attacks are executed to inflict harm to countries and it’s vital organisations are prepared,” said Knight.

Tip of the iceberg

The attack on Stryker has been the most high-profile cyber incident of Iran’s retaliatory cyber war against the US, which attacked the oil-rich state just two days after talks over its nuclear programme edged closer to a landmark deal. However, according to observers, it may be the tip of a much larger iceberg.

Michael Smith, field chief technology officer at DigiCert, said he had tracked almost 4,500 total threats from 43 active groups, with the most prolific threat actors in the region launching hundreds of attacks each in the past few weeks. He said that by and large, these cyber attacks are designed to be intimidating rather than destructive.

“There are a lot more attacks happening that aren’t being reported,” said Smith. “We’ve seen lots of DDoS attacks against our customers that we’ve mitigated without causing an outage. We also monitor hacktivist chatter for indications and warnings, and that has been incredibly active.

“Attacks like this are a way of telling people in other countries that you can still reach out and touch them even though they’re on a different continent. That makes them more of an intimidation tactic.”

Kathryn Raines, Cyber Threat Intelligence team lead for the National Security Solutions team at Flashpoint, added: “Cyber activity tied to this conflict is becoming more focused on disruptive operations against organisations.

“Groups like Handala are amplifying claims of large-scale attacks, including data destruction and the exposure of sensitive information tied to both private companies and individuals. Even when some of these claims are difficult to verify, they still contribute to uncertainty and can have real downstream impact on trust, operations and response efforts.”
