Properly Configured Mobile Device Management Tools Can’t Wipe Personal Data
Mobile device management software is having a moment of notoriety after Iran-aligned hacking group Handala used Microsoft Intune to wipe the mobile devices of employees at medical device manufacturer Stryker.
The threat actor – widely suspected of being a front for Iranian intelligence – appears to have gained admin-level access to Stryker’s Active Directory, which it parlayed into issuing a “wipe” command. Handala claims it reset 200,000 devices to factory state (see: Medtech Firm Stryker Disrupted by Pro-Iran Hackers).
Many of its wiped devices were servers and laptops. But evidence suggests that tens of thousands of personal devices were also affected – devices enrolled by employees in the corporate “bring your own device program,” managed using Microsoft’s cloud-based Intune unified endpoint management service.
Multiple employees have recounted waking up in the morning to find their personal device had been wiped. Personal photos, voice notes, emails, messages – permanently gone, unless a user backed them up using non-corporate resources.
Chatter on Reddit suggests CISOs are questioning whether they should ditch Intune, lest their organization be the next to fall victim. Well-known security experts have suggested employees rebuff BYOD requirements whenever possible and demand a corporate-issued device.
“Intune can absolutely be configured to not have the ability to fully wipe a personal device. The feature is called Selective Wipe,” said James McMurry, CEO and founder of threat intel firm ThreatHunter.ai. If used, Selective Wipe means Intune can only delete the managed container, filled with corporate apps, emails, certificates and documents, he said.
“The catch is that getting there requires someone who actually knows the platform inside and out,” he said, which can be challenging given that such tools – the likes of Intune, Jamf, Workspace One and Kandji – have an extensive number of settings, all of which must be set correctly.
“If the person configuring it does not have a deep understanding of every option they are choosing, they are going to take the path of least resistance and enroll devices under full device management. That is when you get a situation like Stryker,” he said.
That isn’t the only risk posed by a poorly configured MDM tool. “Honestly, it is also how you get accidental wipes during routine IT work. This is not just an attack surface problem. A misconfigured MDM is a liability every single day regardless of whether there is a threat actor involved,” he said.
Another problem for Stryker was everything else that Handala appeared to do first. ThreatHunter.ai said that on March 6, it notified its intelligence customers about the Iranian server used to pre-position the early morning March 11 attack against Stryker.
“The attackers also got into Stryker’s Rubrik environment and took out the backups before they executed the wipe. Rubrik is an immutable backup platform, meaning it is specifically built so backups cannot be deleted or modified. They did it anyway,” McMurry told Information Security Media Group.
Next, they executed the wipe with Intune. “There is the bigger architectural question nobody seems to be asking: Why could a single, compromised Global Administrator credential issue wipe commands to 200,000 devices with no second approval, no threshold alert, no FIDO2 challenge? That is the control that was missing,” McMurry said.
Based on how Stryker got hit, his company has published rules designed to help security teams spot and block the tactics employed. These include requiring multi-admin approval to issue any “wipe, retire and delete actions,” sounding an alarm if more than five wipes get issued in a 15-minute period from a single identity, as well as creating an “Intune Bulk Destructive Action” that requires an administrator to pass a FIDO2 check by using a hardware key to approve bulk wipes.
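The threshold rule described above (more than five wipes from one identity within 15 minutes) and the distinction between a full device wipe and Selective Wipe of the managed container can both be checked against MDM audit records after the fact. The Python below is an added example written for this article, not code from ThreatHunter.ai, Microsoft or Stryker; the audit events, field names, admin identities and device IDs are constructed for illustration and do not follow any real Intune export schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not real Intune logs). Each record carries the
# fields a detection would need: when the action happened, which identity issued
# it, what the operation was, and whether the target device is personal (BYOD)
# or corporate-owned.
SAMPLE_EVENTS = [
    # admin-a issues six full wipes against personal devices in about three minutes
    {"time": "2026-03-11T04:00:05Z", "actor": "admin-a@example.com", "operation": "wipe", "device": "dev-001", "ownership": "personal"},
    {"time": "2026-03-11T04:00:40Z", "actor": "admin-a@example.com", "operation": "wipe", "device": "dev-002", "ownership": "personal"},
    {"time": "2026-03-11T04:01:10Z", "actor": "admin-a@example.com", "operation": "wipe", "device": "dev-003", "ownership": "personal"},
    {"time": "2026-03-11T04:01:55Z", "actor": "admin-a@example.com", "operation": "wipe", "device": "dev-004", "ownership": "personal"},
    {"time": "2026-03-11T04:02:30Z", "actor": "admin-a@example.com", "operation": "wipe", "device": "dev-005", "ownership": "personal"},
    {"time": "2026-03-11T04:03:05Z", "actor": "admin-a@example.com", "operation": "wipe", "device": "dev-006", "ownership": "personal"},
    {"time": "2026-03-11T04:03:30Z", "actor": "admin-a@example.com", "operation": "sync", "device": "dev-007", "ownership": "personal"},
    # admin-b does routine work: two retires (container-only removal) and one corporate wipe, hours apart
    {"time": "2026-03-11T09:15:00Z", "actor": "admin-b@example.com", "operation": "retire", "device": "dev-101", "ownership": "personal"},
    {"time": "2026-03-11T10:40:00Z", "actor": "admin-b@example.com", "operation": "retire", "device": "dev-102", "ownership": "personal"},
    {"time": "2026-03-11T13:05:00Z", "actor": "admin-b@example.com", "operation": "wipe", "device": "dev-103", "ownership": "corporate"},
    # admin-c wipes six corporate devices, but spaced 20 minutes apart, so never more than five in any 15-minute window
    {"time": "2026-03-11T01:00:00Z", "actor": "admin-c@example.com", "operation": "wipe", "device": "dev-201", "ownership": "corporate"},
    {"time": "2026-03-11T01:20:00Z", "actor": "admin-c@example.com", "operation": "wipe", "device": "dev-202", "ownership": "corporate"},
    {"time": "2026-03-11T01:40:00Z", "actor": "admin-c@example.com", "operation": "wipe", "device": "dev-203", "ownership": "corporate"},
    {"time": "2026-03-11T02:00:00Z", "actor": "admin-c@example.com", "operation": "wipe", "device": "dev-204", "ownership": "corporate"},
    {"time": "2026-03-11T02:20:00Z", "actor": "admin-c@example.com", "operation": "wipe", "device": "dev-205", "ownership": "corporate"},
    {"time": "2026-03-11T02:40:00Z", "actor": "admin-c@example.com", "operation": "wipe", "device": "dev-206", "ownership": "corporate"},
]

# Rule parameters taken from the article: alert when a single identity issues more
# than five destructive actions within 15 minutes. "retire" is the container-only
# (Selective Wipe style) removal; "wipe" resets the whole device.
WINDOW = timedelta(minutes=15)
THRESHOLD = 5
DESTRUCTIVE_OPS = {"wipe", "retire", "delete"}


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_destructive(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of destructive actions per actor.

    Returns one alert dict per actor the first time that actor exceeds
    `threshold` destructive actions inside any `window`-long span.
    """
    alerts = []
    recent = defaultdict(deque)   # actor -> timestamps of destructive actions still inside the window
    already_alerted = set()
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["operation"].lower() not in DESTRUCTIVE_OPS:
            continue
        now = parse_time(ev["time"])
        q = recent[ev["actor"]]
        q.append(now)
        while q and now - q[0] > window:   # drop actions older than the window
            q.popleft()
        if len(q) > threshold and ev["actor"] not in already_alerted:
            alerts.append({"actor": ev["actor"], "window_start": q[0].isoformat(), "count": len(q)})
            already_alerted.add(ev["actor"])
    return alerts


def personal_full_wipes(events):
    """Full 'wipe' actions against personal (BYOD) devices.

    Under a Selective Wipe policy a personal device should only ever see
    'retire', so each returned record is a policy violation worth reviewing.
    """
    return [ev for ev in events
            if ev["operation"].lower() == "wipe" and ev["ownership"] == "personal"]


if __name__ == "__main__":
    for alert in detect_bulk_destructive(SAMPLE_EVENTS):
        print(f"ALERT bulk destructive actions: {alert}")
    for ev in personal_full_wipes(SAMPLE_EVENTS):
        print(f"POLICY full wipe of personal device {ev['device']} by {ev['actor']} at {ev['time']}")
```

Run against the constructed records, the rate rule fires once, for the identity that issued six wipes in three minutes, while the administrator doing spaced-out routine work stays quiet; the ownership check separately surfaces every full wipe aimed at a personal device, which is the condition Selective Wipe is meant to rule out in the first place. In production the same two checks would read from the MDM audit export rather than an inline list, and the rate alert is a detection, not a substitute for the multi-admin approval and hardware-key check the rules above call for.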
Stryker said it’s still working to recover its systems. It didn’t immediately respond to a request for comment about its approach to configuring Intune (see: Stryker Wiper Attack: Hackers Boast as Lawsuits Pile Up).
