Lock it down, warn feds after Stryker • The Register


The US government has urged companies to better secure Microsoft Intune, an endpoint management tool that was abused in last week’s cyberattack against med-tech firm Stryker.

Handala, a group linked to Iran’s intelligence agency, claimed responsibility for the attack, which knocked some of the surgical equipment maker’s networks offline and continues to affect shipping and ordering systems.

Stryker has publicly said the attack affected its Microsoft environment, and a source familiar with the investigation confirmed to The Register that the attackers wiped employees’ devices using Intune.

Microsoft to date has declined to comment.

In a Wednesday security alert, the US Cybersecurity and Infrastructure Security Agency (CISA) said it is “aware of malicious cyber activity targeting endpoint management systems of US organizations” following the Stryker intrusion, and urged companies to follow Microsoft’s best practices for securing Intune. 

Redmond published this guidance three days after the cyberattack.

Among the recommendations: Use principles of least privilege when designing administrative roles.

This can prevent someone who has breached Intune – as appears to be the case in the Stryker intrusion – from creating new admin accounts and using these to control employees’ access to internal systems and perform wipe commands.

Companies should use Intune’s role-based access controls to assign each role only the minimum permissions necessary to complete day-to-day operations. ®


