CISA urges IT to harden endpoint management systems after cyberattack by pro-Iranian group

The US is urging infosec leaders to harden their endpoint management system configurations after last week’s hack of American medical supplies provider Stryker by pro-Iranian threat actor Handala.

The warning from the US Cybersecurity and Infrastructure Security Agency (CISA) is principally for organizations using Microsoft Intune, a cloud-based unified endpoint management (UEM) service that Handala, known for multiple destructive wiping, data theft and data leak attacks, was reportedly able to compromise. But CISA said the defensive principles of its recommendations can be applied to any endpoint management software.

Top issue: phishing resistance

The CISA advice is certainly “timely and appropriate,” said Johannes Ullrich, dean of research at the SANS Institute. “In my opinion, the top issue is implementing phishing-resistant authentication” to protect logins.

“This problem goes beyond the specific issue of mobile device management and is something IT leaders need to prioritize,” he pointed out. “While multi-factor authentication does solve many problems, not all MFA technologies are phishing-resistant. In particular, for cloud-based solutions, which are usually accessible to everybody, solid phishing-resistant authentication is a must-have.”

Organizations must also be careful when enrolling personal devices into corporate-managed endpoint solutions, he added. Only company-owned devices should be enrolled, to avoid disrupting personal devices, and enrolled devices should be dedicated to company business.

Hardening endpoint management systems

CISA advises IT leaders to:

use principles of least privilege access when designing administrative roles for endpoint management systems. For Intune systems, there is role-based access control limiting what actions a role can take, what users the actions are applied to, and which devices are covered;

enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene. Intune users and others can take advantage of Microsoft Entra ID capabilities including conditional access, MFA, risk signals, and privileged access controls to block unauthorized access to Intune;

configure access policies to require multi-admin approval for accessing and making changes to endpoint management systems.

CISA also points Intune admins to these Microsoft documents: Best practices for securing Microsoft Intune; Use Access policies to implement Multi Admin Approval; Configure Microsoft Intune for increased security; Role-based access control (RBAC) with Microsoft Intune; and Plan a Privileged Identity Management deployment.

Michael Smith, field CTO at DigiCert, noted that while the CISA warning applies specifically to Microsoft Intune, there are many similar products that run as an administrator on endpoints. These need escalated privileges because they make changes on the endpoint, which makes them powerful tools for IT. However, he added, that also makes them a target. Any compromise of these products could lead to compromise of the endpoints they manage.

The power to create ‘irreversible damage’

Stryker said the March 11 attack caused disruption to its order processing, manufacturing and shipping. However, Handala claims it was also able to remotely wipe thousands of employee devices.

In a March 15 update Stryker said all connected, digital and life-saving technologies used by customers remain safe to use. “This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products—connected or otherwise,” the statement said. No ransomware or malware was deployed, the company added.

In the Stryker incident, attackers hijacked a tool that companies trust every day, and used it to shut down operations on a global scale, commented Ismael Valenzuela, vice-president of threat intelligence at Arctic Wolf. “By abusing Microsoft Intune, they were able to remotely wipe more than 200,000 devices across 79 countries. The lesson is clear: no single login should ever have the power to cause irreversible damage,” he said.

“Destructive administrative operations like device wipes, mass policy changes, or tenant‑wide updates must require multiple approvals,” he added. “No one session, credential, or role should be able to take destructive action at scale without independent authorization. Organizations should immediately lock down endpoint management tools by tightly limiting admin access, enforcing multi‑party approvals, and continuously monitoring privileged activity so trusted platforms don’t become single points of failure.”

Endpoint management a high-value target

Robert Beggs, head of Canadian incident response firm Digital Defence, said endpoint management systems have always been high-value targets because they are universally trusted and push configurations, scripts, and remote actions across an entire IT network. 

“Although the Stryker incident speaks to exploits of the Microsoft Intune application, similar products have been targeted in the past, including SolarWinds Orion (2020), Kaseya VSA (2021), and the Microsoft Exchange management interface (2021),” he pointed out. “All of these attacks demonstrate that malicious actors recognize the value of attacking controls with the keys to the kingdom, rather than going after individual systems.”

He said that the following defenses against this kind of attack are frequently cited by experts: employ least-privilege access and dual approval for major actions, ensure that strong identity controls are in place, employ micro-segmentation, and monitor for unusual administrative actions.

Monitoring for administrative activity is especially critical with these types of attacks, Beggs added. “Look for activities such as admin actions after hours, or from unusual locations or IP addresses,” he said. “Validate the creation of new admin roles or elevated privileges. And baseline normal admin activities so that you can identify admins performing tasks that they usually don’t do.”

Because endpoint management systems can push changes to thousands of devices at once, an unexpected script deployment could create new configuration profiles or execute unexpected actions to disable defenses or deploy malicious content, he noted. Signs of compromise include disabling of MFA, removal of security controls, removal of monitoring tools, changes to network access controls, and altered logging settings.
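The monitoring Beggs describes, as an added example that is not from the article or from any vendor: a small Python triage routine over constructed Intune-style audit events (the field names, the sample values and the business-hours window are assumptions) that flags after-hours actions, locations and operations outside an admin's baseline, new role assignments, and destructive operations at scale.

```python
"""Baseline-and-flag triage for endpoint-management admin audit events.

The event schema below is an assumption for illustration; real Intune/Entra
audit logs use their own field names and should be mapped onto it.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry. The first three represent
# normal daytime activity; the last two show an off-hours privilege grant
# followed by a mass wipe from a country this admin never worked from.
EVENTS = [
    {"ts": "2026-03-09T14:02:00Z", "actor": "admin.a", "op": "UpdateDeviceConfig", "country": "US", "targets": 12},
    {"ts": "2026-03-10T10:30:00Z", "actor": "admin.a", "op": "AssignApp", "country": "US", "targets": 40},
    {"ts": "2026-03-10T16:15:00Z", "actor": "admin.b", "op": "UpdateDeviceConfig", "country": "US", "targets": 5},
    {"ts": "2026-03-11T02:47:00Z", "actor": "admin.a", "op": "AddRoleAssignment", "country": "NL", "targets": 1},
    {"ts": "2026-03-11T03:05:00Z", "actor": "admin.a", "op": "WipeDevice", "country": "NL", "targets": 2500},
]

ADMIN_ROLE_OPS = {"AddRoleAssignment", "CreateRoleDefinition"}   # new admin roles / elevation
DESTRUCTIVE_OPS = {"WipeDevice", "RetireDevice", "DeleteDeviceConfig"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 UTC; assumed working window
MASS_THRESHOLD = 100            # devices touched by one action before it counts as "at scale"

def build_baseline(events):
    """Per-actor baseline of countries and operations seen during known-good activity."""
    base = defaultdict(lambda: {"countries": set(), "ops": set()})
    for e in events:
        base[e["actor"]]["countries"].add(e["country"])
        base[e["actor"]]["ops"].add(e["op"])
    return base

def flag_event(e, baseline):
    """Return the list of reasons an event deviates from the baseline (empty if none)."""
    hour = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).hour
    reasons = []
    if hour not in BUSINESS_HOURS:
        reasons.append("after-hours")
    b = baseline.get(e["actor"])
    if b and e["country"] not in b["countries"]:
        reasons.append("unusual-location")
    if b and e["op"] not in b["ops"]:
        reasons.append("unusual-operation")
    if e["op"] in ADMIN_ROLE_OPS:
        reasons.append("privilege-change")
    if e["op"] in DESTRUCTIVE_OPS and e["targets"] >= MASS_THRESHOLD:
        reasons.append("mass-destructive")
    return reasons

def triage(baseline_events, new_events):
    """Map each anomalous new event's timestamp to its reasons, skipping clean events."""
    baseline = build_baseline(baseline_events)
    flagged = {e["ts"]: flag_event(e, baseline) for e in new_events}
    return {ts: r for ts, r in flagged.items() if r}
```

In practice the baseline window would be days or weeks of audit history per admin, and a "mass-destructive" hit is the event that a multi-admin approval policy should have blocked before it ever reached the log.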

“The most important question is, how quickly can you identify these actions,” he said, “and are you prepared to recover?”

Two Handala sites seized

On Thursday, researchers at Flashpoint confirmed that the FBI had seized two Handala websites used for propaganda and releasing stolen data. One site now carries a statement saying the domain had been seized under a US court order. Flashpoint believes Handala is associated with the Iranian regime, and is not an independent actor.
