CISA urges companies to bolster Microsoft Intune systems after Stryker cyberattack

CISA is urging U.S. organizations to strengthen the security of their endpoint management systems after cyberthreat actors infiltrated Stryker's Microsoft environment.

The Cybersecurity and Infrastructure Security Agency, or CISA, issued an alert urging U.S. organizations to strengthen their endpoint management systems following the recent cyberattack on medical technology company Stryker. 

Stryker experienced a global network disruption beginning on March 11, after a cyberthreat actor gained access to its Microsoft environment. According to Check Point Research, the cyberattack was carried out by Iran-linked hacking group Handala.  

Cisco Talos Intelligence Group said in a blog post that the cyberthreat actors likely gained access to Stryker's Microsoft Intune management console. Once inside, the bad actors reportedly used the platform's native remote wipe feature to reset connected corporate devices, causing data loss and disruption without the need for traditional wiper malware.  

Stryker said in an update to customers that the attack did not involve ransomware. 

CISA's advice for securing endpoint management software

Both Stryker and Microsoft contributed to CISA's alert, which outlined best practices for securing Microsoft Intune.  

"The principles of these recommendations can be applied to Intune and more broadly to other endpoint management software," CISA said. 

CISA and Microsoft emphasized the importance of applying the principle of least privilege when designing administrative roles. Microsoft Intune offers role-based access control (RBAC), enabling organizations to assign the minimum permissions necessary to each role to support day-to-day operations, CISA said. 

Other key best practices include enforcing phishing-resistant multifactor authentication, blocking unauthorized access to privileged actions and configuring access policies that require a second administrative account's approval to allow changes to sensitive actions, such as device wiping.  

Microsoft posted similar guidance on its own site, stressing that implementing these best practices can help organizations shift from relying on "trusted administrators" toward "building a more protected administration by design." 

"If you're looking for a place to start, here are a few quick steps: start with a quick wins pass - inventory broad, standing Intune role assignments and replace them with least-privilege RBAC roles," Microsoft stated.  

"Enforce Conditional Access and adopt phishing-resistant multifactor authentication for all admin scenarios; and place Intune RBAC role management, device wipe, script deployment behind multi-admin approval." 
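One detection that follows from the incident described above, added here as an example that is not part of the CISA alert or Microsoft's guidance: a sliding-window check over endpoint-management audit records that flags any single administrator issuing a burst of wipe or retire actions. The record shape and sample events are constructed for the example (the field names are assumptions, not Intune's documented schema).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in a generic endpoint-management shape
# (field names are assumptions for this example, not a vendor schema).
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-11T01:00:00Z", "actor": "svc-intune-admin@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0000"},
    {"activityDateTime": "2026-03-11T02:00:05Z", "actor": "svc-intune-admin@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0001"},
    {"activityDateTime": "2026-03-11T02:00:40Z", "actor": "svc-intune-admin@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0002"},
    {"activityDateTime": "2026-03-11T02:01:10Z", "actor": "svc-intune-admin@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0003"},
    {"activityDateTime": "2026-03-11T02:02:55Z", "actor": "svc-intune-admin@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0004"},
    {"activityDateTime": "2026-03-11T02:05:00Z", "actor": "svc-intune-admin@example.com",
     "activityType": "update DeviceConfiguration", "resource": "Baseline-Policy"},
    {"activityDateTime": "2026-03-11T02:30:00Z", "actor": "helpdesk@example.com",
     "activityType": "retire ManagedDevice", "resource": "PHONE-0042"},
]

# Destructive actions worth counting; a normal helpdesk retires devices one at a time.
DESTRUCTIVE_KEYWORDS = ("wipe", "retire")


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def wipe_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {actor: max_count} for every actor who issued at least `threshold`
    destructive actions inside any `window`-long interval."""
    per_actor = defaultdict(list)
    for event in events:
        if any(k in event["activityType"].lower() for k in DESTRUCTIVE_KEYWORDS):
            per_actor[event["actor"]].append(parse_ts(event["activityDateTime"]))

    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Advance the window's left edge until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged


if __name__ == "__main__":
    print(wipe_bursts(SAMPLE_EVENTS))  # {'svc-intune-admin@example.com': 4}
```

Tune `window` and `threshold` to the organisation's normal decommissioning volume; the one-hour-earlier wipe in the sample is deliberately excluded by the ten-minute window.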

Stryker continues restoration efforts

In a March 15 update, Stryker said the incident had been contained, and the company is moving forward in the restoration process. 

"All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use," the company said in an update to customers posted on its website.  

"This event was contained to Stryker's internal Microsoft environment, and as a result it did not affect any of our products -- connected or otherwise." 

Stryker said that it is safe for customers to communicate with Stryker personnel via phone or email. Connected beds and stretchers were not impacted by the cyberattack, as they have their own security protocols and operate independently of the Stryker network. 

Stryker is now working to bring its electronic ordering systems back online. 

"In the meantime, your Stryker Sales Representatives will be working with you and your distributors directly in an effort to bring you replenishment product through manual ordering where that option exists," Stryker said. "Orders placed prior to the disruption will be reconciled as systems are restored, and electronic orders placed during the disruption will process once systems are back online, and supply is flowing normally." 

Jill Hughes has covered health tech news since 2021.
