Secure endpoint management systems immediately, CISA urges

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that the cyberattack on Stryker Corporation serves as a signal to U.S. organizations that foreign cyber activity tied to Middle East conflicts may be spilling into their operations.

Attackers breached Stryker’s internal Microsoft environment and reportedly wiped 200,000 systems, servers, and mobile devices, while extracting 50 terabytes of data.

To defend against similar malicious activity involving the misuse of legitimate endpoint management software, CISA urges organizations to implement Microsoft’s best practices for securing Microsoft Intune and apply the same principles to other endpoint management platforms.

The agency recommends using least privilege when designing administrative roles, limiting access through role-based controls, and enforcing phishing-resistant MFA. It also advises using Microsoft Entra ID capabilities to block unauthorized access to privileged actions in Microsoft Intune.

“Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc,” CISA added.

CISA said it is collaborating with federal partners, including the FBI, to identify potential threats and determine mitigation actions.
