The war in the Middle East started with a kinetic response, which spilled over into the cyber realm. The impact hit a medical supplies manufacturer named Stryker, with wide-reaching consequences. While it is easy to look at this from a corporate perspective, the incident opens up a new perspective on the cybersecurity considerations for all parties involved.
The hack
According to Check Point, Handala Hack is an online persona operated by Void Manticore, an actor affiliated with the Iranian Ministry of Intelligence and Security (MOIS). They appear to operate against a wide range of sectors, including telecoms and government.
The following is based on the Vectra AI assessment. Specifically regarding the Stryker hack, Handala gained access to Stryker's network. Looking at the breakdown of the incident by Vectra AI, the first stage was initial access through identity compromise. Valid credentials were then used to enter the network through remote access such as VPN. The next step is usually privilege escalation. Once privileges are escalated, the threat actor can make changes in the environment that grant wider administrative capabilities.
Being in a new environment requires understanding the lay of the land, so the threat actor now maps it. This includes moving between systems using legitimate protocols such as RDP (since the attacker already holds valid credentials). To be effective, more credentials are required, hence a credential harvesting technique is deployed. This was done by dumping LSASS using comsvcs.dll via rundll32.exe.
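As an added example (not from the article or the Vectra AI report), here is a small hunt for the credential harvesting step described above, run over constructed process-creation events: it flags rundll32.exe loading comsvcs.dll with MiniDump and raises severity when the target PID resolves to lsass.exe. The event shape, the process table and the host names are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str

# Constructed process snapshot (host, pid) -> image, used to resolve the PID
# argument of MiniDump; a real pipeline would join on earlier process events.
PROCESS_TABLE = {("SRV02", 712): "lsass.exe", ("SRV02", 4100): "svchost.exe"}

# Constructed process-creation events in a Sysmon EID 1 / 4688 spirit.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt"),
    ProcEvent("SRV02", "CORP\\svc_admin", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Temp\l.dmp full"),
    ProcEvent("WS03", "CORP\\bob", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ProcEvent("SRV02", "CORP\\svc_admin", r"C:\Windows\System32\rundll32.exe",
              r'RUNDLL32.EXE "C:\Windows\System32\COMSVCS.DLL" minidump 4100 C:\Temp\s.dmp full'),
]

# comsvcs.dll followed by the MiniDump export and a numeric target PID (case-insensitive).
COMSVCS_DUMP = re.compile(r"comsvcs\.dll.*?minidump\s+(\d+)", re.IGNORECASE)

def classify(ev):
    """Return (severity, reason) for a comsvcs MiniDump via rundll32, else None.
    Severity is 'critical' when the target PID resolves to lsass.exe."""
    if not ev.image.lower().endswith("rundll32.exe"):
        return None
    m = COMSVCS_DUMP.search(ev.cmdline)
    if not m:
        return None
    pid = int(m.group(1))
    target = PROCESS_TABLE.get((ev.host, pid), "unknown")
    sev = "critical" if target.lower() == "lsass.exe" else "high"
    return sev, f"comsvcs MiniDump of {target} (pid {pid}) by {ev.user} on {ev.host}"

def hunt(events):
    """Run classify over a batch and keep only the hits."""
    return [(ev, hit) for ev in events if (hit := classify(ev)) is not None]
```

The benign rundll32 invocation (shell32.dll) is deliberately present so the rule is seen to key on the DLL and export, not on rundll32.exe alone.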
Having a footprint in a large organization means a large amount of data to process. Scripting languages such as PowerShell are often used to automate tasks within the environment, which allows faster turnaround and results. With the data now identified, the way is open to exfiltrate whichever data is deemed important (from the attacker's perspective).
Now that the threat actor has achieved their objectives, the final part of the work is to clear any sign of intrusion. This is done by deploying a wiper. The wiper deployed was not the usual threat actor wiper.
It was Microsoft Intune, Microsoft's MDM solution.
The threat actor had the administrative privilege to issue a command to Microsoft Intune to trigger a remote wipe, which forces a factory reset across all onboarded devices. Devices need to be registered/onboarded in order to be part of the environment.
Microsoft Intune has broadly two categories of devices under its care. The first is fully managed devices: devices that are owned by the company and deployed specifically for company use. The second is non-company-owned devices, i.e. user-owned devices enrolled as part of a "Bring Your Own Device" (BYOD) initiative. These users are given limited access to corporate facilities such as email.
When the threat actor triggered the remote wipe, Microsoft Intune pushed the wipe not just to the company-owned devices, but to the user-owned devices as well. As a result, users who had enrolled in the BYOD program had their devices wiped clean. The blast radius went beyond the company and hit bystanders.
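As an added example (not from the article, Vectra AI or Microsoft), the following guardrail models the two device classes above and shows the control that would have contained the blast radius: a personal (BYOD) device is never factory-reset, only retired (company data removed), and a bulk wipe above a threshold is held for a second approver. The inventory, the managedDeviceOwnerType field name and the threshold are assumptions.

```python
# Constructed inventory; in practice it would come from the Intune/Graph
# managedDevices listing (assumed endpoint and field names).
INVENTORY = [
    {"id": "d1", "deviceName": "CORP-LT-001", "managedDeviceOwnerType": "company"},
    {"id": "d2", "deviceName": "CORP-LT-002", "managedDeviceOwnerType": "company"},
    {"id": "d3", "deviceName": "CORP-LT-003", "managedDeviceOwnerType": "company"},
    {"id": "d4", "deviceName": "iPhone-Alice", "managedDeviceOwnerType": "personal"},
    {"id": "d5", "deviceName": "Pixel-Bob", "managedDeviceOwnerType": "personal"},
    {"id": "d6", "deviceName": "Tablet-Unclaimed", "managedDeviceOwnerType": "unknown"},
]

MAX_BULK_WIPE = 2  # constructed threshold; above it a second approver is required

def plan_action(action, device_ids, inventory=INVENTORY):
    """Turn a requested bulk action ('wipe' = factory reset, 'retire' = remove
    company data only) into a plan that never factory-resets a personal device.
    Returns {'wipe': [...], 'retire': [...], 'blocked': [...], 'warnings': [...]}."""
    if action not in ("wipe", "retire"):
        raise ValueError(f"unknown action {action!r}")
    by_id = {d["id"]: d for d in inventory}
    plan = {"wipe": [], "retire": [], "blocked": [], "warnings": []}
    for dev_id in device_ids:
        dev = by_id.get(dev_id)
        if dev is None:
            plan["blocked"].append(dev_id)  # not in inventory: do nothing
            continue
        owner = dev.get("managedDeviceOwnerType", "unknown")
        if action == "retire":
            plan["retire"].append(dev_id)
        elif owner == "company":
            plan["wipe"].append(dev_id)
        elif owner == "personal":
            # BYOD: strip corporate data, leave the user's own data alone.
            plan["retire"].append(dev_id)
            plan["warnings"].append(f"{dev['deviceName']}: wipe downgraded to retire (personal device)")
        else:
            plan["blocked"].append(dev_id)  # ownership unknown: never reset blind
    if len(plan["wipe"]) > MAX_BULK_WIPE:
        # A mass wipe is the wiper pattern itself; hold it rather than execute it.
        plan["warnings"].append(f"bulk wipe of {len(plan['wipe'])} devices exceeds {MAX_BULK_WIPE}; held for approval")
        plan["blocked"].extend(plan["wipe"])
        plan["wipe"] = []
    return plan
```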
New security considerations
While cybersecurity teams now scurry to secure their MDM environments, a new set of concerns is emerging. These concerns come from the bystanders who were hit by the blast.
The users of BYOD.
The Stryker hack showed that even "lite" users of MDM are fair game and that MDM can cause irreversible damage. While it is easy for organizations to quantify and justify the damage and make repairs to corporate devices, how will this work for personal devices? Some questions now arise:
- What happens if my device is affected by a company breach?
- How will the company ensure my devices are safe through BYOD?
- How can the company assure me that there will not be a privacy violation? If the threat actor can wipe my devices, reading my private messages/pictures wouldn't be difficult.
Stakeholders in productivity tools now have a louder say, given what has happened in the wild. Though this incident will most likely be tagged as an "act of war", remember that threat actors don't need wars to pull the same stunt. IT and security teams now have more work ahead, and companies have to do more convincing to get users on board.
In the not too distant past, corporate users used to have company-issued BlackBerry devices. The company had full control over the device, including the data and the capabilities the user was allowed to use.
The core of the issue lies in the ownership of the devices.
Last words
This is a conversation between a new employee (NE) and HR when the new employee had just joined the organization. Some may find it relevant in today's context.
HR: Welcome on board. As part of the role, you'd be required to be contactable.
NE: Noted, what is the organization providing for this requirement?
HR: We are providing RM100 claims on your mobile line.
NE: Any other benefits besides the RM100 claims?
HR: That's all.
3 months later...
HR: Hey, we need to have a conversation.
NE: Sure, go ahead.
HR: We have been getting feedback that you are unreachable during office hours.
NE: Is that so?
HR: That's based on the feedback we got.
(picks up the phone, calls, and it goes to voicemail)
NE: Oh that.
(takes out the SIM pack from the pocket and puts it on the table)
HR: What's this?
NE: This is the line that I got as the office line. It's paid for as per the claims. Here are the receipts.
HR: How about the phone?
NE: The claims only cover the line; there aren't any phone benefits. I can't be contactable based on the company's current approach.
HR: ...
Author: ORCID ID - Suresh Ramasamy: 0000-0003-4562-037X
This article is mirrored in Linkedin at https://www.linkedin.com/pulse/stryker-breach-mdm-ramasamy-cissp-cism-gcti-gnfa-gcda-cipm-6z6yc