
Hackers Exploit Microsoft Intune to Erase 80,000 Devices in Stryker Cyberattack


CISA urged U.S. organizations to follow Microsoft guidance to strengthen the Intune endpoint management tool after a cyberattack exploited the platform and wiped systems belonging to medical technology giant Stryker.

Microsoft Responds After Stryker Breach

Shortly after the incident, Microsoft published guidance on hardening Intune administrative controls. The attack on Stryker was claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group.

The attackers claim that they stole 50 terabytes of data before using the built-in wipe command in Microsoft’s cloud-based Intune endpoint management tool to erase nearly 80,000 devices in the early morning of March 11.

“CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment,” the U.S. cybersecurity agency said on Wednesday.

“To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert.”

Key Security Recommendations for Intune and Endpoint Systems

CISA’s recommendations apply to Microsoft Intune and other endpoint management software, and require IT administrators to adopt a least-privilege approach for admin roles, assigning only the necessary permissions through role-based access control (RBAC).

In addition, administrators should enforce multi-factor authentication (MFA) and maintain strong privileged-access hygiene to block unauthorized access to sensitive actions in Intune. They should also rely on Microsoft Entra ID features, such as Conditional Access, risk signals, and MFA, while requiring multi-admin approval for critical changes, including device wipes, application updates, and RBAC modifications.

“When combined, these practices help you shift from relying on ‘trusted administrators’ toward building a more protected administration by design: least-privilege to contain impact, Microsoft Entra-based controls to ensure users are trusted and are who they say they are, and multi-admin approval to govern the changes that matter most,” Microsoft says.
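The three controls above can be checked mechanically against an export of admin roles and approval policies. The following audit is an added example, not code from Microsoft, CISA or the original article; the inventory layout, action labels and admin names are constructed for illustration and are not Intune's or Microsoft Graph's schema.

```python
# Constructed inventory: every field name and value here is hypothetical.
CRITICAL = {"device_wipe", "app_update", "rbac_change"}   # changes the guidance singles out
DEVICE_SCOPED = {"device_wipe", "app_update"}             # actions whose blast radius follows role scope

INVENTORY = {
    "approval_policies": ["device_wipe", "rbac_change"],  # actions that need a second admin
    "roles": {
        "Helpdesk": {"actions": ["device_sync", "device_wipe"], "scope": "all_devices"},
        "App Manager": {"actions": ["app_update"], "scope": "group:kiosks"},
        "RBAC Admin": {"actions": ["rbac_change"], "scope": "all_devices"},
    },
    "assignments": [
        {"admin": "alice", "role": "Helpdesk", "mfa": True},
        {"admin": "bob", "role": "Helpdesk", "mfa": False},
        {"admin": "carol", "role": "App Manager", "mfa": True},
        {"admin": "dave", "role": "RBAC Admin", "mfa": True},
    ],
}

def audit(inv):
    """Return (finding, subject) tuples for gaps in the three controls."""
    findings = []
    # Multi-admin approval: every critical change class needs an approval policy.
    for action in sorted(CRITICAL - set(inv["approval_policies"])):
        findings.append(("no_multi_admin_approval", action))
    # Least privilege: destructive device actions should not be scoped tenant-wide.
    for name, role in sorted(inv["roles"].items()):
        if role["scope"] == "all_devices":
            for action in sorted(DEVICE_SCOPED & set(role["actions"])):
                findings.append(("tenant_wide_scope", f"{name}:{action}"))
    # MFA: anyone holding a role with a critical action must have MFA enforced.
    for a in inv["assignments"]:
        role = inv["roles"][a["role"]]
        if CRITICAL & set(role["actions"]) and not a["mfa"]:
            findings.append(("critical_without_mfa", f"{a['admin']}:{a['role']}"))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(INVENTORY):
        print(f"{finding:26} {subject}")
```
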

Handala (also known as Handala Hack Team, Hatef, Hamsa), the group that claimed responsibility for the Stryker cyberattack, emerged in December 2023 as a hacktivist operation targeting Israeli organizations with Windows and Linux data-wiping malware.

Analysts have linked the group to Iran’s Ministry of Intelligence and Security (MOIS), and researchers recognize it for stealing and leaking sensitive data from compromised systems.

 


Source: BleepingComputer
