Medical giant Stryker crippled after Iranian hackers remotely wipe computers

Handala claims credit: The Handala threat group quickly claimed responsibility for the attack. While the group’s involvement is just a claim for now, Stryker employees reportedly saw a version of the Handala logo (a cartoon of a Palestinian boy with his back turned and hands crossed behind him) on affected devices.

Handala’s identity is hard to ascertain. Palo Alto has connected it to Iran’s Ministry of Intelligence and Security (MOIS) via a second identity, Void Manticore. Other security vendors use different names, including Banished Kitten and Storm-842.

The group’s political motivation is less mysterious. In a website statement, the group styled the cyberattack as a response to the February 28 attack on a school in the Iranian city of Minab, which killed up to 170 children and adults. “We announce to the world that in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” it said. “In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.”

Critical flaw: If Intune was the route to compromise, the first job for Stryker’s forensics team will be to work out how attackers got into the system.

“Stryker uses Entra for authentication, which integrates everything into this with single sign-on, including the software that builds and updates all devices, including servers, laptops, and phones,” commented Rob Demain, CEO of managed security company e2e-assure. “This is a best practice design pattern, but with a critical flaw: if it’s compromised, the attacker has access to wipe all devices, which seems to be what has happened here. Initial access is likely to be via credential theft, typically Adversary-in-the-Middle (AitM).”

Compromising such a critical system suggests a significant security failure, said Jon Abbott, CEO and co-founder of security management company ThreatAware. “The attackers have either tricked the helpdesk into resetting admin credentials, as we saw with the Scattered Spider attacks, taken over an admin’s machine, or spear phished an admin directly,” said Abbott. “It seems unlikely the attackers could have pulled this off without someone making a critical basic mistake. Anyone granting access to an admin account needs to step up their verification checks. Many of our clients now require three-way video calls before resetting admin credentials, bringing together the admin, their manager, and the service desk operator.”

Security companies predicted that pro-Iranian groups would target US companies with wiping attacks when the war started. This is a rise in threat level with a clear message: Iranian nation state actors are now aggressively targeting US companies and their supply chains, and will spare nobody. Every weakness and mistake will be leveraged.
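The design flaw described above (one identity that can issue wipe commands to every managed device) is also a detection opportunity: a legitimate admin rarely wipes dozens of devices in minutes. The following added example, not code from the article or from any vendor quoted in it, flags any actor whose wipe or retire actions cluster within a short window. It assumes newline-delimited JSON audit events in an Intune-like shape; the field and action names are constructed for illustration, not the real Intune audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (an assumption; the real Intune audit schema differs).
# One admin identity issues six wipes in three minutes; a helpdesk user issues a
# single wipe for a lost laptop plus a routine sync.
SAMPLE_LOG = "\n".join(
    json.dumps({"time": f"2026-03-13T02:0{i}:00Z", "actor": "svc-intune-admin@example.com",
                "action": "wipeManagedDevice", "device": f"LAPTOP-{i:03d}"})
    for i in range(6)
) + "\n" + "\n".join([
    json.dumps({"time": "2026-03-13T09:15:00Z", "actor": "helpdesk.jane@example.com",
                "action": "wipeManagedDevice", "device": "LAPTOP-LOST-1"}),
    json.dumps({"time": "2026-03-13T09:16:00Z", "actor": "helpdesk.jane@example.com",
                "action": "syncDevice", "device": "LAPTOP-042"}),
])

WIPE_ACTIONS = {"wipeManagedDevice", "retireManagedDevice"}  # assumed action names


def parse_events(log_text):
    """Parse newline-delimited JSON audit events into dicts with a datetime 'time'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for every actor whose destructive actions
    reach `threshold` inside any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in WIPE_ACTIONS:
            by_actor[ev["actor"]].append(ev["time"])
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts
```

Tune `threshold` and `window` to the tenant's normal change volume; the point is that bulk wipes from one identity should page someone before the fleet is gone.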

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4144523/medical-giant-stryker-crippled-after-iranian-hackers-remotely-wipe-computers.html
