{"id":15982,"date":"2026-03-19T23:46:19","date_gmt":"2026-03-19T23:46:19","guid":{"rendered":"https:\/\/newestek.com\/?p=15982"},"modified":"2026-03-19T23:46:19","modified_gmt":"2026-03-19T23:46:19","slug":"cisa-urges-it-to-harden-endpoint-management-systems-after-cyberattack-by-pro-iranian-group","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15982","title":{"rendered":"CISA urges IT to harden endpoint management systems after cyberattack by pro-Iranian group"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The US is urging infosec leaders to harden their endpoint management system configurations after <a href=\"https:\/\/www.csoonline.com\/article\/4144523\/medical-giant-stryker-crippled-after-iranian-hackers-remotely-wipe-computers.html\" target=\"_blank\">last week\u2019s hack<\/a> of American medical supplies provider Stryker by pro-Iranian threat actor Handala.<\/p>\n<p><a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/03\/18\/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization\" target=\"_blank\" rel=\"noreferrer noopener\">The warning<\/a> from the US Cybersecurity and Infrastructure Security Agency (CISA) is principally for organizations using Microsoft Intune, a cloud-based unified endpoint management (UEM) service that Handala, known for multiple destructive wiping, data theft and data leak attacks, was reportedly able to compromise. 
But CISA said the defensive principles of its recommendations can be applied to any endpoint management software.<\/p>\n<h2 class=\"wp-block-heading\" id=\"top-issue-phishing-resistance\">Top issue: phishing resistance<\/h2>\n<p>The CISA advice is certainly \u201ctimely and appropriate,\u201d said <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute. \u201cIn my opinion, the top issue is implementing phishing-resistant authentication\u201d to protect logins.<\/p>\n<p>\u201cThis problem goes beyond the specific issue of mobile device management and is something IT leaders need to prioritize,\u201d he pointed out. \u201cWhile multi-factor authentication does solve many problems, not all MFA technologies are phishing-resistant. In particular, for cloud-based solutions, which are usually accessible to everybody, solid phishing-resistant authentication is a must-have.\u201d<\/p>\n<p>Organizations must also be careful when enrolling personal devices into corporate-managed endpoint solutions, he added. Only company-owned devices should be enrolled, to avoid disrupting personal devices, and enrolled devices should be dedicated to company business.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hardening-endpoint-management-systems\">Hardening endpoint management systems<\/h2>\n<p>CISA advises IT leaders to:<\/p>\n<ul class=\"wp-block-list\">\n<li>use principles of least privilege access when designing administrative roles for endpoint management systems. For Intune systems, there is role-based access control limiting what actions a role can take, what users the actions are applied to, and which devices are covered;<\/li>\n<li>enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene. 
Intune users and others can take advantage of Microsoft Entra ID capabilities including conditional access, MFA, risk signals, and privileged access controls to block unauthorized access to Intune;<\/li>\n<li>configure access policies to require multi-admin approval for accessing and making changes to endpoint management systems.<\/li>\n<\/ul>\n<p>CISA also points Intune admins to these Microsoft documents: <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/intunecustomersuccess\/best-practices-for-securing-microsoft-intune\/4502117\" target=\"_blank\" rel=\"noreferrer noopener\">Best practices for securing Microsoft Intune<\/a>; <a href=\"https:\/\/learn.microsoft.com\/en-us\/intune\/intune-service\/fundamentals\/multi-admin-approval\" target=\"_blank\" rel=\"noreferrer noopener\">Use Access policies to implement Multi Admin Approval<\/a>; <a href=\"https:\/\/learn.microsoft.com\/en-us\/intune\/intune-service\/protect\/zero-trust-configure-security?toc=\/security\/zero-trust\/assessment\/toc.json&amp;bc=\/security\/zero-trust\/assessment\/toc.json\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Microsoft Intune for increased security<\/a>; <a href=\"https:\/\/learn.microsoft.com\/en-us\/intune\/intune-service\/fundamentals\/role-based-access-control\" target=\"_blank\" rel=\"noreferrer noopener\">Role-based access control (RBAC) with Microsoft Intune<\/a>; and <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-governance\/privileged-identity-management\/pim-deployment-plan\" target=\"_blank\" rel=\"noreferrer noopener\">Plan a Privileged Identity Management deployment<\/a>.<\/p>\n<p><a href=\"https:\/\/www.digicert.com\/blog\/author\/michael-smith\" target=\"_blank\" rel=\"noreferrer noopener\">Michael Smith<\/a>, field CTO at DigiCert, noted that while the CISA warning applies specifically to Microsoft Intune, there are many similar products that run as an administrator on endpoints. These need escalated privileges because 
they make changes on the endpoint, which makes them powerful tools for IT. However, he added, that also makes them a target. Any compromise of these products could lead to compromise of the endpoints they manage.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-power-to-create-irreversible-damage\">The power to create \u2018irreversible damage\u2019<\/h2>\n<p>Stryker said the March 11 attack caused disruption to its order processing, manufacturing and shipping. However, Handala claims it was also able to remotely wipe thousands of employee devices.<\/p>\n<p><a href=\"https:\/\/www.stryker.com\/us\/en\/about\/news\/2026\/a-message-to-our-customers-03-2026.html\" target=\"_blank\" rel=\"noreferrer noopener\">In a March 15 update<\/a> Stryker said all connected, digital and life-saving technologies used by customers remain safe to use. \u201cThis event was contained to Stryker\u2019s internal Microsoft environment, and as a result it did not affect any of our products\u2014connected or otherwise,\u201d\u00a0the statement said. No ransomware or malware was deployed, the company added.<\/p>\n<p>In the Stryker incident, attackers hijacked a tool that companies trust every day, and used it to shut down operations on a global scale, commented <a href=\"https:\/\/arcticwolf.com\/resources\/author\/ismael-valenzuela\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ismael Valenzuela<\/a>, vice-president of threat intelligence at Arctic Wolf. \u201cBy abusing Microsoft Intune, they were able to remotely wipe more than 200,000 devices across 79 countries. The lesson is clear: no single login should ever have the power to cause irreversible damage,\u201d he said. <\/p>\n<p>\u201cDestructive administrative operations like device wipes, mass policy changes, or tenant\u2011wide updates must require multiple approvals,\u201d he added. \u201cNo one session, credential, or role should be able to take destructive action at scale without independent authorization. 
Organizations should immediately lock down endpoint management tools by tightly limiting admin access, enforcing multi\u2011party approvals, and continuously monitoring privileged activity so trusted platforms don\u2019t become single points of failure.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"endpoint-management-a-high-value-target\">Endpoint management a high-value target<\/h2>\n<p><a href=\"https:\/\/www.digitaldefence.ca\/company\/\" target=\"_blank\" rel=\"noreferrer noopener\">Robert Beggs<\/a>, head of Canadian incident response firm Digital Defence, said endpoint management systems have always been high-value targets because they are universally trusted and push configurations, scripts, and remote actions across an entire IT network.<\/p>\n<p>\u201cAlthough the Stryker incident speaks to exploits of the Microsoft Intune application, similar products have been targeted in the past, including <a href=\"https:\/\/www.csoonline.com\/article\/570205\/how-to-prepare-for-the-next-solarwinds-like-threat.html\" target=\"_blank\">SolarWinds Orion<\/a> (2020), <a href=\"https:\/\/www.csoonline.com\/article\/570957\/supply-chain-attack-on-kaseya-remote-management-software-targets-msps.html\" target=\"_blank\">Kaseya VSA<\/a> (2021), and the Microsoft Exchange management interface (2021),\u201d he pointed out. \u201cAll of these attacks demonstrate that malicious actors recognize the value of attacking controls with the keys to the kingdom, rather than going after individual systems.\u201d<\/p>\n<p>He said that the following defenses against this kind of attack are frequently cited by experts: employ least-privilege access and dual approval for major actions, ensure that strong identity controls are in place, employ microsegmentation, and monitor for unusual administrative actions.<\/p>\n<p>Monitoring for administrative activity is especially critical with these types of attacks, Beggs added. \u201cLook for activities such as admin actions after 
hours, or from unusual locations or IP addresses,\u201d he said.\u00a0\u201cValidate the creation of new admin roles or elevated privileges.\u00a0And baseline normal admin activities so that you can identify admins performing tasks that they usually don\u2019t do.\u201d<\/p>\n<p>Because endpoint management systems can push changes to thousands of devices at once, an unexpected script deployment could create new configuration profiles or execute unexpected actions to disable defenses or deploy malicious content, he noted. Signs of compromise include disabling of MFA, removal of security controls, removal of monitoring tools, changes to network access controls, and altered logging settings.<\/p>\n<p>\u201cThe most important question is, how quickly can you identify these actions,\u201d he said, \u201cand are you prepared to recover?\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"two-handala-sites-seized\">Two Handala sites seized<\/h2>\n<p>On Thursday, researchers at Flashpoint confirmed that the FBI had seized two Handala websites used for propaganda and releasing stolen data. One site now carries a statement saying the domain had been seized under a US court order. <a href=\"https:\/\/flashpoint.io\/blog\/destructive-activity-targeting-stryker-highlights-emerging-supply-chain-risks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Flashpoint believes<\/a> Handala is associated with the Iranian regime, and is not an independent actor.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The US is urging infosec leaders to harden their endpoint management system configurations after last week\u2019s hack of American medical supplies provider Stryker by pro-Iranian threat actor Handala. 
The warning from the US Cybersecurity and Infrastructure Security Agency (CISA) is principally for organizations using Microsoft Intune, a cloud-based unified endpoint management (UEM) service that Handala, known for multiple destructive wiping, data theft and data leak&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15982\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15982","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15982"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15982\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}