Thursday, March 19, 2026

CISA urges US orgs to secure Microsoft Intune systems after Stryker breach

CISA warned U.S. organizations to follow Microsoft guidance to strengthen the Intune endpoint management tool after a cyberattack exploited it to wipe medical technology giant Stryker's systems.

Microsoft published guidance on hardening Intune administrative controls days after Stryker was breached in an incident claimed by Handala, an Iranian-linked, pro-Palestinian hacktivist group.

The hackers claim that they stole 50 terabytes of data before using the built-in wipe command in Microsoft's Intune cloud-based endpoint management tool to wipe nearly 80,000 devices in the early morning of March 11.

As BleepingComputer was told by a source familiar with the incident, the attackers carried out the attack using a new Global Administrator account created after compromising an existing administrator account.

Now, CISA has urged all U.S. organizations to harden their Intune environments to make them more resilient against similar attacks that could target their own networks.

"CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment," the U.S. cybersecurity agency said on Wednesday.

"To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert."

CISA's list of recommendations applies to Microsoft Intune and other endpoint management software. It calls for IT administrators to adopt a least-privilege approach for admin roles, assigning only the permissions each role actually needs through Microsoft Intune's role-based access control (RBAC).

Admins should also enforce MFA and privileged-access hygiene to block unauthorized access to privileged actions in Intune (via Microsoft Entra ID features such as Conditional Access, risk signals, and MFA) and require multi-admin approval for sensitive actions, such as device wipes, application updates, and RBAC changes.
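The controls above are preventive; a defender also wants to detect the sequence the article describes (a freshly granted Global Administrator role followed by bulk wipe commands from that account) in the audit trail. The script below is an added example written for this page, not code from CISA, Microsoft or BleepingComputer. The event records it processes are constructed, and their field names (`ts`, `actor`, `op`, `target`, `role`) and the `PRIVILEGED_ROLES` set are assumptions made here, not the real Intune or Entra ID audit-log schema; map your exporter's fields onto them before use.

```python
"""Detection logic for the attack pattern described in the alert: a
newly granted Global Administrator role followed by a burst of remote
wipe commands from that account.

The event records below are CONSTRUCTED for this example. Their field
names (ts, actor, op, target, role) are an assumption made here and are
not the real Intune or Entra ID audit-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the directory roles whose grant should always raise an alert.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def build_sample_events():
    """Constructed audit trail: one legitimate wipe of a lost laptop the day
    before, a Global Administrator grant to a new account, then 25 wipes
    from that account ten seconds apart."""
    events = [
        {"ts": "2026-03-10T14:30:00Z", "actor": "helpdesk@example.com",
         "op": "Wipe", "target": "LAPTOP-LOST-17"},
        {"ts": "2026-03-11T01:02:00Z", "actor": "admin1@example.com",
         "op": "AddMemberToRole", "target": "svc-backup@example.com",
         "role": "Global Administrator"},
    ]
    first_wipe = datetime(2026, 3, 11, 1, 10, tzinfo=timezone.utc)
    for i in range(25):
        stamp = (first_wipe + timedelta(seconds=10 * i)).strftime(TS_FORMAT)
        events.append({"ts": stamp, "actor": "svc-backup@example.com",
                       "op": "Wipe", "target": f"DEV-{i:04d}"})
    return events


def privileged_grants(events, roles=PRIVILEGED_ROLES):
    """Return every role-assignment event that grants a watched role."""
    return [e for e in events
            if e["op"] == "AddMemberToRole" and e.get("role") in roles]


def wipe_bursts(events, threshold=10, window=timedelta(minutes=15)):
    """Per actor, find the densest sliding window of Wipe operations and
    report it when it reaches `threshold`. Returns a list of dicts with
    actor, first (start of the window) and count."""
    times_by_actor = defaultdict(list)
    for e in events:
        if e["op"] == "Wipe":
            times_by_actor[e["actor"]].append(parse_ts(e["ts"]))

    alerts = []
    for actor, times in times_by_actor.items():
        times.sort()
        best = None
        start = 0
        for end, t in enumerate(times):
            # Slide the window's left edge until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"actor": actor, "first": times[start], "count": count}
        if best is not None:
            alerts.append(best)
    return alerts


def correlate(events, threshold=10, window=timedelta(minutes=15),
              lookback=timedelta(hours=24)):
    """Raise a wipe burst to 'critical' when the acting account received a
    privileged role within `lookback` before the burst began."""
    grants = [(g["target"], parse_ts(g["ts"])) for g in privileged_grants(events)]
    findings = []
    for burst in wipe_bursts(events, threshold, window):
        recent = [t for who, t in grants
                  if who == burst["actor"]
                  and timedelta(0) <= burst["first"] - t <= lookback]
        findings.append({**burst,
                         "recent_grant": bool(recent),
                         "severity": "critical" if recent else "high"})
    return findings


if __name__ == "__main__":
    for finding in correlate(build_sample_events()):
        print(finding)
```

The single helpdesk wipe stays below the threshold and produces nothing, while the 25 wipes from the newly privileged account are reported once, at "critical" severity because the role grant landed eight minutes earlier. In production the threshold and window should be tuned to the organisation's normal wipe volume, and the role-grant alert is worth raising on its own even when no wipes follow.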

"When combined, these practices help you shift from relying on 'trusted administrators' toward building a more protected administration by design: least privilege to contain impact, Microsoft Entra-based controls to ensure users are trusted and are who they say they are, and multi-admin approval to govern the changes that matter most," Microsoft says.

Handala (also known as Handala Hack Group, Hatef, Hamsa), the group that claimed responsibility for the Stryker cyberattack, emerged in December 2023 as a hacktivist operation targeting Israeli organizations with Windows and Linux data-wiping malware.

The group has been linked to Iran's Ministry of Intelligence and Security (MOIS) and is known for stealing and leaking sensitive data from compromised systems.
