One of the world's leading medical device makers was crippled without a single line of malware.
Disruption Alert · Attackers abused Microsoft Intune to wipe 80,000 employee devices.
Investigation details released in the last 24 hours confirm that the attack on Stryker was an identity-based disruption campaign. After compromising an administrative account, the Iran-linked group Handala created a new Global Administrator in Microsoft Entra ID and used the wipe command in Intune to erase the fleet.
Nearly 80,000 devices, including corporate laptops and mobile devices, were wiped in a three-hour window. While medical products remain safe, electronic ordering and shipping systems remain offline as the company focuses on manual replenishment for hospital customers.
The uncomfortable truth: Your centralized management tools are a double-edged sword; they provide massive efficiency for IT but can be weaponized for total operational destruction in minutes.
• Enforce phishing-resistant MFA (FIDO2) for all accounts with Global Admin or Intune permissions.
• Review your Entra ID logs for the creation of unauthorized administrative accounts over the last week.
• Implement strict Conditional Access policies to prevent administrative actions from unknown IP blocks.
#Cybersecurity #IdentitySecurity #Intune #DisasterRecovery #SOC #CodeDefence
