A suspected wiper attack against medtech giant Stryker has led much of the security community to examine the role of Microsoft Intune.
Stryker, a Portage, Mich.-based specialist in surgical equipment, was hacked last week in an attack that affected thousands of mobile devices and other systems.
The company, in a regulatory filing, confirmed the attack impacted its Microsoft environment and warned in a customer update that its electronic ordering systems remain unavailable.
An Iran-linked hacker tracked under the name Handala claimed credit for the attack, according to Check Point Research. The hacker claims to have stolen 50 terabytes of data and to have wiped information from thousands of servers and mobile devices in the process.
Researchers from Halcyon told Cybersecurity Dive that the Stryker attack impacted all phones and workstations carrying an Intune base-64 string. Intune is normally used to push software to managed devices or to manage them directly, with those payloads base-64 encoded, according to researchers.
The payload included remote wipe commands, which were used to delete data on all affected devices, according to Halcyon.
In order to conduct such an attack, a hacker would need to obtain Intune administrator or global administrator privileges, researchers said.
Paddy Harrington, a senior analyst at Forrester, said the attack does not point to any inherent weakness in Microsoft Intune, but essentially utilizes living-off-the-land techniques to bypass existing security systems.
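Because a remote wipe is a legitimate Intune administrator action, the detectable signal is not the command itself but its volume: one account wiping many devices in a short window. The following detection is an added example, not code from the article or from Halcyon, Forrester or Microsoft. It assumes input shaped like a page of Microsoft Graph's GET /deviceManagement/auditEvents response (activityType, activityDateTime, activityResult, actor.userPrincipalName, resources[].displayName); the events, the contoso.example tenant name, and the threshold and window values are constructed placeholders to tune per tenant.

```python
"""Flag bulk Intune remote-wipe activity in exported audit events.

Added example, not from the article or from Halcyon, Forrester or Microsoft.
Assumes the Graph auditEvents response shape; sample data is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Intune's audit log labels a remote wipe "Wipe ManagedDevice"; the value is
# compared case-insensitively because casing differs between exports.
# Verify the label against your own tenant's export before relying on it.
WIPE_ACTIVITY = "wipe manageddevice"


def _event(actor, activity, when, device, result="Success"):
    """Build one constructed audit event in Graph auditEvent shape."""
    return {
        "activityType": activity,
        "activityDateTime": when,
        "activityResult": result,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample (contoso.example is a placeholder tenant): one admin
# account wipes six devices in under two minutes, a helpdesk user wipes a
# single lost phone the day before, and one non-wipe change is mixed in.
ADMIN = "breakglass-admin@contoso.example"
SAMPLE_AUDIT_JSON = json.dumps({"value": [
    _event(ADMIN, "patch DeviceConfiguration", "2026-03-10T01:55:00Z", "Baseline"),
    _event(ADMIN, "wipe ManagedDevice", "2026-03-10T02:00:00Z", "LAPTOP-001"),
    _event(ADMIN, "wipe ManagedDevice", "2026-03-10T02:00:12Z", "LAPTOP-002"),
    _event(ADMIN, "wipe ManagedDevice", "2026-03-10T02:00:25Z", "PHONE-003"),
    _event(ADMIN, "wipe ManagedDevice", "2026-03-10T02:00:40Z", "LAPTOP-004"),
    _event(ADMIN, "Wipe ManagedDevice", "2026-03-10T02:01:05Z", "PHONE-005",
           result="Failure"),  # a failed attempt is still an issued command
    _event(ADMIN, "wipe ManagedDevice", "2026-03-10T02:01:30Z", "LAPTOP-006"),
    _event("helpdesk@contoso.example", "wipe ManagedDevice",
           "2026-03-09T14:12:00Z", "PHONE-LOST-01"),
]})


def parse_events(raw_json):
    """Flatten a Graph auditEvents page into simple records with parsed times."""
    records = []
    for ev in json.loads(raw_json).get("value", []):
        actor = ev.get("actor") or {}
        resources = ev.get("resources") or [{}]
        stamp = ev["activityDateTime"].replace("Z", "+00:00")
        records.append({
            # Wipes issued via an app registration carry no UPN; fall back.
            "actor": actor.get("userPrincipalName")
                     or actor.get("applicationDisplayName") or "unknown",
            "activity": ev.get("activityType", ""),
            "time": datetime.fromisoformat(stamp),
            "device": resources[0].get("displayName", "?"),
            "result": ev.get("activityResult", ""),
        })
    return records


def find_bulk_wipes(events, threshold=5, window_minutes=30):
    """Return one alert per actor whose densest burst of wipe commands within
    any window_minutes span reaches the threshold. Failed wipes count, since
    the attempt, not the outcome, is the signal."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for e in events:
        if e["activity"].lower() == WIPE_ACTIVITY:
            by_actor[e["actor"]].append(e)

    alerts = []
    for actor, wipes in sorted(by_actor.items()):
        wipes.sort(key=lambda e: e["time"])
        start, best = 0, None
        for end, w in enumerate(wipes):          # sliding window over time
            while w["time"] - wipes[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"actor": actor, "first": wipes[start]["time"],
                        "count": count,
                        "devices": [x["device"] for x in wipes[start:end + 1]]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_bulk_wipes(parse_events(SAMPLE_AUDIT_JSON)):
        print(f"{a['actor']}: {a['count']} wipes from {a['first']} "
              f"-> {', '.join(a['devices'])}")
```

The threshold is deliberately low and the window wide; a tenant that routinely wipes returned hardware in batches will want a baseline per actor rather than a fixed number. Pair the audit check with an inventory of who holds the Intune Administrator and Global Administrator roles, since, as the article notes, those privileges are what the attack requires.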
Source: Cybersecurity Dive