The US is urging infosec leaders to harden their endpoint management system configurations after last week’s hack of American medical supplies provider Stryker by pro-Iranian threat actor Handala.

The warning from the US Cybersecurity and Infrastructure Security Agency (CISA) is principally for organizations using Microsoft Intune, a cloud-based unified endpoint management (UEM) service that Handala, known for multiple destructive wiping, data theft and data leak attacks, was reportedly able to compromise. But CISA said the defensive principles of its recommendations can be applied to any endpoint management software.

Top issue: phishing resistance

The CISA advice is certainly “timely and appropriate,” said Johannes Ullrich, dean of research at the SANS Institute. “In my opinion, the top issue is implementing phishing-resistant authentication” to protect logins.

“This problem goes beyond the specific issue of mobile device management and is something IT leaders need to prioritize,” he pointed out. “While multi-factor authentication does solve many problems, not all MFA technologies are phishing-resistant. In particular, for cloud-based solutions, which are usually accessible to everybody, solid phishing-resistant authentication is a must-have.”

Organizations must also be careful when enrolling personal devices into corporate-managed endpoint solutions, he added. Only company-owned devices should be enrolled, to avoid disrupting personal devices, and enrolled devices should be dedicated to company business.

Hardening endpoint management systems

CISA advises IT leaders to:

- use principles of least privilege access when designing administrative roles for endpoint management systems. For Intune systems, there is role-based access control limiting what actions a role can take, what users the actions are applied to, and which devices are covered;
- enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene. Intune users and others can take advantage of Microsoft Entra ID capabilities including conditional access, MFA, risk signals, and privileged access controls to block unauthorized access to Intune;
- configure access policies to require multi-admin approval for accessing and making changes to endpoint management systems.

CISA also points Intune admins to these Microsoft documents: Best practices for securing Microsoft Intune; Use Access policies to implement Multi Admin Approval; Configure Microsoft Intune for increased security; Role-based access control (RBAC) with Microsoft Intune; and Plan a Privileged Identity Management deployment.

Michael Smith, field CTO at DigiCert, noted that while the CISA warning applies specifically to Microsoft Intune, there are many similar products that run as an administrator on endpoints. These need escalated privileges because they make changes on the endpoint, which makes them powerful tools for IT. However, he added, that also makes them a target. Any compromise of these products could lead to compromise of the endpoints they manage.

The power to create ‘irreversible damage’

Stryker said the March 11 attack caused disruption to its order processing, manufacturing and shipping. However, Handala claims it was also able to remotely wipe thousands of employee devices.

In a March 15 update Stryker said all connected, digital and life-saving technologies used by customers remain safe to use. “This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products—connected or otherwise,” the statement said. No ransomware or malware was deployed, the company added.

In the Stryker incident, attackers hijacked a tool that companies trust every day, and used it to shut down operations on a global scale, commented Ismael Valenzuela, vice-president of threat intelligence at Arctic Wolf.

“By abusing Microsoft Intune, they were able to remotely wipe more than 200,000 devices across 79 countries. The lesson is clear: no single login should ever have the power to cause irreversible damage,” he said.

“Destructive administrative operations like device wipes, mass policy changes, or tenant‐wide updates must require multiple approvals,” he added. “No one session, credential, or role should be able to take destructive action at scale without independent authorization. Organizations should immediately lock down endpoint management tools by tightly limiting admin access, enforcing multi‐party approvals, and continuously monitoring privileged activity so trusted platforms don’t become single points of failure.”

Endpoint management a high-value target

Robert Beggs, head of Canadian incident response firm Digital Defence, said endpoint management systems have always been high-value targets because they are universally trusted and push configurations, scripts, and remote actions across an entire IT network.

“Although the Stryker incident speaks to exploits of the Microsoft Intune application, similar products have been targeted in the past, including SolarWinds Orion (2020), Kaseya VSA (2021), and the Microsoft Exchange management interface (2021),” he pointed out. “All of these attacks demonstrate that malicious actors recognize the value of attacking controls with the keys to the kingdom, rather than going after individual systems.”

He said that the following defenses against this kind of attack are frequently cited by experts: employ least-privilege access and dual approval for major actions, ensure that strong identity controls are in place, employ microsegmentation, and monitor for unusual administrative actions.

Monitoring for administrative activity is especially critical with these types of attacks, Beggs added. “Look for activities such as admin actions after hours, or from unusual locations or IP addresses,” he said. “Validate the creation of new admin roles or elevated privileges. And baseline normal admin activities so that you can identify admins performing tasks that they usually don’t do.”

Because endpoint management systems can push changes to thousands of devices at once, an unexpected script deployment could create new configuration profiles or execute unexpected actions to disable defenses or deploy malicious content, he noted. Signs of compromise include disabling of MFA, removal of security controls, removal of monitoring tools, changes to network access controls, and altered logging settings.

“The most important question is, how quickly can you identify these actions,” he said, “and are you prepared to recover?”

Two Handala sites seized

On Thursday, researchers at Flashpoint confirmed that the FBI had seized two Handala websites used for propaganda and releasing stolen data. One site now carries a statement saying the domain had been seized under a US court order. Flashpoint believes Handala is associated with the Iranian regime, and is not an independent actor.

This article originally appeared on CSOonline.
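The monitoring advice in the article (admin actions after hours or from unusual addresses, new role assignments, activity outside an admin's baseline, and destructive actions at scale without independent approval) can be turned into straightforward detection logic. The Python below is an added example written for this page; it is not code from the article, CISA, Microsoft or any of the experts quoted. The audit-record layout (time, actor, action, targets, ip), the action names, the corporate address range and the thresholds are constructed assumptions, and the sample events are made up; real Intune audit records carry different field names and would need a small mapping step.

```python
"""Flag risky administrative activity in UEM audit records.

Added example, not code from the article, CISA or Microsoft. The record
layout (time, actor, action, targets, ip) is a constructed simplification;
real Intune audit events are richer and named differently. Action names,
network ranges and thresholds are assumptions chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample records (not real data); all times are UTC.
SAMPLE_EVENTS = [
    {"time": "2026-03-10T10:00:00Z", "actor": "bob@example.com",
     "action": "CreateConfigurationProfile", "targets": 1, "ip": "203.0.113.11"},
    {"time": "2026-03-10T14:02:00Z", "actor": "alice@example.com",
     "action": "UpdateCompliancePolicy", "targets": 1, "ip": "203.0.113.10"},
    {"time": "2026-03-10T15:30:00Z", "actor": "alice@example.com",
     "action": "UpdateCompliancePolicy", "targets": 1, "ip": "203.0.113.10"},
    {"time": "2026-03-11T02:14:00Z", "actor": "alice@example.com",
     "action": "WipeDevice", "targets": 5000, "ip": "198.51.100.7"},
    {"time": "2026-03-11T02:20:00Z", "actor": "alice@example.com",
     "action": "AddRoleAssignment", "targets": 1, "ip": "198.51.100.7"},
    {"time": "2026-03-11T02:25:00Z", "actor": "alice@example.com",
     "action": "DisableMfaPolicy", "targets": 1, "ip": "198.51.100.7"},
    {"time": "2026-03-11T09:05:00Z", "actor": "bob@example.com",
     "action": "CreateConfigurationProfile", "targets": 1, "ip": "203.0.113.11"},
]

# Assumed tuning knobs; adjust to the tenant's real working pattern.
BUSINESS_HOURS = (8, 18)                                   # UTC; outside is "after hours"
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed admin egress range
MASS_ACTION_THRESHOLD = 50                                 # targets per action = "at scale"
DESTRUCTIVE_ACTIONS = {"WipeDevice", "RetireDevice", "DeleteDevice"}
PRIVILEGE_ACTIONS = {"AddRoleAssignment", "CreateRoleDefinition", "UpdateRoleAssignment"}
DEFENSE_WEAKENING = {"DisableMfaPolicy", "DeleteCompliancePolicy",
                     "ChangeAuditLogSetting", "RemoveEndpointProtection"}


def parse_time(stamp):
    """Parse the constructed ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_after_hours(ts):
    """True when the hour falls outside the assumed business window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def is_external(ip):
    """True when the source address is outside every known corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def build_baseline(events, cutoff):
    """Per-actor set of actions observed before the cutoff: what 'normal' looks like."""
    baseline = defaultdict(set)
    for e in events:
        if parse_time(e["time"]) < cutoff:
            baseline[e["actor"]].add(e["action"])
    return baseline


def analyze(events, cutoff):
    """Return findings for events at or after cutoff, most reasons first.

    Each finding lists every rule the event tripped, so an analyst sees at a
    glance why a single record stands out (e.g. a mass wipe, after hours, from
    an external address, by an admin who has never wiped anything before).
    """
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        ts = parse_time(e["time"])
        if ts < cutoff:
            continue  # baseline period, already summarised
        reasons = []
        if is_after_hours(ts):
            reasons.append("after-hours")
        if is_external(e["ip"]):
            reasons.append("external-ip")
        if e["action"] in DESTRUCTIVE_ACTIONS and e["targets"] >= MASS_ACTION_THRESHOLD:
            reasons.append("mass-destructive")
        if e["action"] in PRIVILEGE_ACTIONS:
            reasons.append("privilege-change")
        if e["action"] in DEFENSE_WEAKENING:
            reasons.append("defense-weakening")
        if e["action"] not in baseline.get(e["actor"], set()):
            reasons.append("new-for-actor")
        if reasons:
            findings.append({"time": e["time"], "actor": e["actor"],
                             "action": e["action"], "reasons": reasons})
    # Stable sort: equal scores keep chronological order.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    cutoff = parse_time("2026-03-11T00:00:00Z")
    for f in analyze(SAMPLE_EVENTS, cutoff):
        print(f"{f['time']} {f['actor']} {f['action']}: {', '.join(f['reasons'])}")
```

Run against the constructed events with a baseline cutoff at the start of March 11, the three alice records are flagged (each trips four rules) while bob's routine profile creation during business hours from the corporate range produces nothing. The "mass-destructive" rule is the coded form of the "no single login should cause irreversible damage" point: on its own it is only a detection, so it belongs beside the multi-admin approval policy CISA recommends, not in place of it.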