CISA urges U.S. orgs to secure Microsoft Intune systems after Stryker breach
CISA warned U.S. organizations to follow Microsoft guidance to strengthen the Intune endpoint management tool after a cyberattack exploited it to wipe medical technology giant Stryker's systems.
Microsoft published guidance on hardening Intune administrative controls days after Stryker was breached in an incident claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group.
The hackers claim that they stole 50 terabytes of data before using the built-in wipe command in Microsoft's Intune cloud-based endpoint management tool to wipe nearly 80,000 devices in the early morning of March 11.
Now, CISA urged all U.S. organizations to harden their Intune environments to make them more resilient against similar attacks that could target their own networks.
"CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment," the U.S. cybersecurity agency said on Wednesday.
"To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert."
CISA's list of recommendations applies to Microsoft Intune and other endpoint management software, and it requires IT administrators to use a least-privilege approach for admin roles, assigning only the necessary permissions through Microsoft Intune's role-based access control (RBAC).
Admins should also enforce MFA and privileged-access hygiene to block unauthorized access to privileged actions in Intune (via Microsoft Entra ID features such as Conditional Access, risk signals, and MFA) and require multi-admin approval for changes to sensitive actions, such as device wipes, application updates, and RBAC modifications.
"When combined, these practices help you shift from relying on 'trusted administrators' toward building a more protected administration by design: least-privilege to contain impact, Microsoft Entra-based controls to ensure users are trusted and are who they say they are, and multi-admin approval to govern the changes that matter most," Microsoft says.
Handala (also known as Handala Hack Team, Hatef, Hamsa), the group that claimed responsibility for the Stryker cyberattack, emerged in December 2023 as a hacktivist operation targeting Israeli organizations with Windows and Linux data-wiping malware.
They have been linked to Iran's Ministry of Intelligence and Security (MOIS) and are known for stealing and leaking sensitive data from compromised systems.
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
FBI links Signal phishing attacks to Russian intelligence services
The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns that have already compromised thousands of accounts.
- March 20, 2026
- 04:45 PM
0
Oracle pushes emergency fix for critical Identity Manager RCE flaw
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.
- March 20, 2026
- 02:48 PM
- 0
Police take down 373,000 fake CSAM sites in Operation Alice
An international law enforcement action called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages.
- March 20, 2026
- 01:19 PM
- 0
CISA orders feds to patch max-severity Cisco flaw by Sunday
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22.
- March 20, 2026
- 11:09 AM
- 0
How CISOs Can Survive the Era of Geopolitical Cyberattacks
Geopolitical tensions are driving destructive cyberattacks designed to disrupt operations, not demand ransom. CISOs must limit lateral movement and contain breaches to reduce the impact of wiper campaigns.
- March 20, 2026
- 10:01 AM
- 0
This refurbished Surface Pro 6 is travel-friendly and on sale for $230
This refurbished Surface Pro 6 is available for just $229.99 (MSRP $849.99) for a limited time. With its slim design and reliable specs, it's a practical option for anyone who wants a portable Windows device without spending a fortune.
- March 20, 2026
- 07:12 AM
- 0
Musician admits to $10M streaming royalty fraud using AI bots
North Carolina musician Michael Smith has pleaded guilty to collecting over $10 million in royalty payments through a massive streaming royalty fraud scheme on Spotify, Apple Music, Amazon Music, and YouTube Music.
- March 20, 2026
- 05:33 AM
- 1
International joint action disrupts world’s largest DDoS botnets
Authorities from the United States, Germany, and Canada have taken down Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets to infect Internet of Things (IoT) devices.
- March 20, 2026
- 04:05 AM
- 0
Microsoft: March Windows updates break Teams, OneDrive sign-ins
Microsoft says the March Windows 11 update breaks sign-ins with Microsoft accounts across multiple Microsoft apps, including Teams and OneDrive.
- March 20, 2026
- 03:33 AM
- 0
Ex-data analyst stole company data in $2.5M extortion scheme
A North Carolina man was found guilty of extorting a D.C.-based technology company while still being employed as a data analyst contractor.
- March 20, 2026
- 02:57 AM
- 0
Navia discloses data breach impacting 2.7 million people
Navia Benefit Solutions, Inc. (Navia) is informing nearly 2.7 million individuals of a data breach that exposed their sensitive information to attackers.
- March 19, 2026
- 04:43 PM
- 0
