One of the world's leading medical device makers was crippled without a single line of malware. 🛑
Disruption Alert · Attackers abused Microsoft Intune to wipe 80,000 employee devices.
Investigation details released in the last 24 hours confirm that the attack on Stryker was an identity-based disruption campaign. After compromising an administrative account, the Iran-linked group Handala created a new Global Administrator in Microsoft Entra ID and used the wipe command in Intune to erase the fleet.
Nearly 80,000 devices, including corporate laptops and mobile devices, were wiped in a three-hour window. While medical products remain safe, electronic ordering and shipping systems remain offline as the company focuses on manual replenishment for hospital customers.
The uncomfortable truth: Your centralized management tools are a double-edged sword; they provide massive efficiency for IT but can be weaponized for total operational destruction in minutes.
→ Enforce phishing-resistant MFA (FIDO2) for all accounts with Global Admin or Intune permissions.
→ Review your Entra ID logs for the creation of unauthorized administrative accounts over the last week.
→ Implement strict Conditional Access policies to prevent administrative actions from unknown IP blocks.
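The second item, reviewing Entra ID logs for new administrative accounts, is the one most teams can act on today. The script below is an added example (not from the original post, and not Microsoft's code): it scans an exported directory audit log for successful "Add member to role" events that grant Global Administrator within a review window. It assumes the record shape returned by Microsoft Graph `GET /auditLogs/directoryAudits` (activityDisplayName, initiatedBy, targetResources[].modifiedProperties[] carrying "Role.DisplayName"); the records in `SAMPLE_EXPORT` are constructed for the demo, and the function names are this example's own.

```python
"""Flag newly added Global Administrators in an exported Entra ID audit log.

Added example, not part of the original post. It assumes the record shape
returned by Microsoft Graph GET /auditLogs/directoryAudits; the records in
SAMPLE_EXPORT are constructed for the demo, not real data.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export in the shape of a /auditLogs/directoryAudits response.
SAMPLE_EXPORT = json.dumps({"value": [
    {   # Global Administrator granted inside the review window: should be flagged
        "activityDateTime": "2025-01-10T02:14:07.5512345Z",
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk-admin@example.com",
                                 "ipAddress": "203.0.113.7"}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": "svc-backup2@example.com",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
            ],
        }],
    },
    {   # A lower-privilege role: not what this hunt is looking for
        "activityDateTime": "2025-01-09T11:00:00Z",
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "it-lead@example.com",
                                 "ipAddress": "198.51.100.20"}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": "analyst@example.com",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Security Reader\""},
            ],
        }],
    },
    {   # Global Administrator granted long before the window: outside scope
        "activityDateTime": "2024-11-02T08:30:00Z",
        "activityDisplayName": "Add member to role",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "it-lead@example.com",
                                 "ipAddress": "198.51.100.20"}},
        "targetResources": [{
            "type": "User",
            "userPrincipalName": "breakglass@example.com",
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
            ],
        }],
    },
    {   # Unrelated directory change
        "activityDateTime": "2025-01-10T03:00:00Z",
        "activityDisplayName": "Update group",
        "category": "GroupManagement",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "it-lead@example.com"}},
        "targetResources": [{"type": "Group", "displayName": "Finance"}],
    },
]})


def parse_graph_time(value):
    """Parse a Graph timestamp. Graph can emit 7 fractional digits, which fromisoformat rejects."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def role_grants(record):
    """Yield (role name, target UPN) pairs named in a record's modifiedProperties."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                # newValue is a JSON-encoded string, i.e. the role name wrapped in quotes
                yield json.loads(prop["newValue"]), target.get("userPrincipalName")


def find_new_global_admins(export_json, now_iso="2025-01-11T00:00:00Z", days=7):
    """Return successful Global Administrator assignments made within the last `days` days."""
    cutoff = parse_graph_time(now_iso) - timedelta(days=days)
    findings = []
    for rec in json.loads(export_json).get("value", []):
        if rec.get("activityDisplayName") != "Add member to role" or rec.get("result") != "success":
            continue
        if parse_graph_time(rec["activityDateTime"]) < cutoff:
            continue
        # initiatedBy.user is null when an application performed the change, hence the "or {}"
        actor = rec.get("initiatedBy", {}).get("user") or {}
        for role, target in role_grants(rec):
            if role == "Global Administrator":
                findings.append({
                    "time": rec["activityDateTime"],
                    "initiated_by": actor.get("userPrincipalName"),
                    "source_ip": actor.get("ipAddress"),
                    "target": target,
                })
    return findings


if __name__ == "__main__":
    for hit in find_new_global_admins(SAMPLE_EXPORT):
        print(f"{hit['time']}  {hit['initiated_by']} ({hit['source_ip']}) -> "
              f"{hit['target']} is now Global Administrator")
```

Every hit should be reconciled against a change ticket or a PIM activation; an assignment made by an account that never normally touches role management, or from an address outside your known ranges, is exactly the signal the Conditional Access item above is meant to block in the first place.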
#Cybersecurity #IdentitySecurity #Intune #DisasterRecovery #SOC #CodeDefence
