Stryker Cyberattack: Microsoft Intune Abuse & Endpoint Security Lessons

by Priyanka Patel

The recent cyberattack targeting medical device manufacturer Stryker has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to urge organizations to strengthen the security of their endpoint management systems. The incident, which involved the wiping of over 200,000 devices across 79 countries, underscores the potential for significant disruption when attackers exploit trusted tools. This incident highlights the critical need for robust cybersecurity practices, particularly around endpoint management, to protect against increasingly sophisticated threats.

Stryker, in a March 15th update, confirmed that the attack was contained within its internal Microsoft environment and did not compromise the safety or functionality of its medical devices. “This event was contained to Stryker’s internal Microsoft environment and as a result it did not affect any of our products—connected or otherwise,” the company stated. However, the disruption did lead to delays in shipping some personalized implants, causing some patient-specific cases scheduled for the week of March 16 to be rescheduled. The company is working to reconcile orders and resume normal operations, prioritizing patient care.

Attack Exploited Microsoft Intune

The attackers didn’t deploy traditional malware or ransomware, according to Stryker and security researchers. Instead, they compromised a trusted tool – Microsoft Intune – to remotely wipe devices. Ismael Valenzuela, vice-president of threat intelligence at Arctic Wolf, explained the severity of the situation. “By abusing Microsoft Intune, they were able to remotely wipe more than 200,000 devices across 79 countries,” Valenzuela said. “The lesson is clear: no single login should ever have the power to cause irreversible damage.”

Endpoint management systems are increasingly targeted by cyberattacks, requiring organizations to bolster their security measures.

CISA’s Recommendations for Enhanced Security

In response to the Stryker attack, CISA has issued guidance urging organizations to harden their endpoint management systems. The agency emphasizes the need to limit administrative access to these tools, enforce multi-party approvals for destructive actions, and continuously monitor privileged activity. Valenzuela echoed this sentiment, stating, “Destructive administrative operations like device wipes, mass policy changes, or tenant‑wide updates must require multiple approvals. No one session, credential, or role should be able to take destructive action at scale without independent authorization.”

Specifically, CISA recommends organizations implement the following measures:

  • Least Privilege Access: Grant administrators only the minimum level of access necessary to perform their duties.
  • Multi-Factor Authentication (MFA): Require MFA for all administrative accounts to add an extra layer of security.
  • Multi-Party Approval: Implement a system requiring multiple approvals for any action that could cause significant disruption, such as device wipes or policy changes.
  • Continuous Monitoring: Actively monitor privileged accounts for suspicious activity and investigate any anomalies promptly.
  • Regular Audits: Conduct regular security audits of endpoint management systems to identify and address vulnerabilities.

The Role of Public-Private Partnership

Stryker has been actively collaborating with government agencies, including the White House National Cyber Director, FBI, CISA, DHA, HHS, and H-ISAC, throughout the incident. The company also noted the government’s efforts to seize domains linked to the purported threat actors. This collaboration highlights the importance of public-private partnerships in combating cyber threats, particularly those targeting critical infrastructure like healthcare. According to Stryker, protecting the healthcare ecosystem requires “extensive public-private partnership” and a commitment to sharing intelligence to strengthen resilience.

The attack on Stryker is not believed to be a ransomware incident, according to both the company and security researchers. Socradar.io confirms that Stryker’s public statements indicate the incident was contained to its internal Microsoft environment and did not involve ransomware or malware deployment.

The incident serves as a stark reminder that even organizations with robust security measures can be vulnerable to attack. The ability of attackers to exploit a trusted tool like Microsoft Intune demonstrates the need for a layered security approach and constant vigilance against evolving threats. Organizations must prioritize securing their endpoint management systems and implementing the recommendations provided by CISA to mitigate the risk of similar incidents.

Stryker continues to work on restoring its systems and expects to provide further updates as the situation evolves. The company’s next update is anticipated in the coming days, focusing on the full restoration of systems supporting customers, ordering, and shipping.
