6 practical IT security tips we can learn from the Stryker case
The cyberattack on the medical technology company Stryker Corporation in the U.S. serves as a reminder that powerful centralized endpoint management solutions are not only ideal for managing large device fleets and systems, but also pose a significant risk if they are not adequately protected. In this blog post, we explain what it means when the control plane is suddenly attacked instead of the device periphery, and share six tips to help companies protect themselves effectively.


The Stryker case is not an isolated incident
In mid-March, a cyberattack on the Stryker Group’s computer systems led to widespread disruption of business operations—more than 200,000 systems, servers, and mobile devices are reported to have been wiped in a targeted attack on the company’s Microsoft infrastructure. Employees report that during the attack on Microsoft Intune, data was even deleted from personal smartphones that were connected to the corporate environment solely via Outlook. This was followed by a warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA): Targeted attacks on endpoint management systems of U.S. organizations are currently being observed. The agency’s subsequent recommendations suggest that privileged accounts were the target of the Stryker attack.
UEMs as both a gateway and a tool
While earlier hacker attacks tended to target managed endpoints, this attack points to a new dimension: a hack of the admin structure. Attackers focus on the so-called “control plane”—that is, the central management layer of cloud-based UEMs. End devices such as laptops or smartphones can be configured, secured, and even remotely wiped through this system. It is precisely this power—the central building block of modern enterprise security architecture—that becomes a problem when attackers gain control of it. Anyone who attacks such a system not only gains access to corporate data but, in the worst-case scenario, can manipulate or wipe thousands of devices simultaneously.
And here’s the crux of the matter: Legitimate administrative functions can be exploited for sabotage, because anyone who has the key to the cockpit and acts from there is, from the perspective of the security concept, effectively acting as an administrator—that is, with the necessary authorization and permissions. For attackers, this is a powerful lever.

IT teams need to rethink their approach and refine their strategies
The Stryker case highlights how important it is to strengthen security structures in the administrative environment and to distribute responsibility across multiple people. Most companies could implement these measures without much difficulty, but time and expertise are often lacking. And that is where the greatest danger lies, inside the company itself: not a lack of technology, but a lack of time to secure it properly.
The specific measures for protection
Let’s look at the recommendations issued by CISA in collaboration with the FBI and expand on them with concrete solutions:
Consistent implementation of least-privilege principles:
Grant admin privileges according to the principle of least privilege: limited to the rights administrators truly need, and often only for a limited time.
–> Microsoft Entra Privileged Identity Management, Microsoft Entra ID, Ivanti Endpoint Manager, and Microsoft Intune Endpoint Privilege Management are examples of targeted privilege assignment. Conditional Access also plays an important role here. Read more about Identity & Access Management here.

Role-Based Access Controls (RBAC):
Subdivide permissions (read, write, delete) and link them to roles rather than to individual users (e.g., “Admin,” “User,” etc.).
–> Roles and groups can be set up in Microsoft Entra ID or other identity management systems; we’d be happy to advise you on effective concepts and implementation solutions.

Use of phishing-resistant multi-factor authentication:
Phishing-resistant multi-factor authentication (MFA) protects against attacks by using cryptographic methods (e.g., FIDO2/WebAuthn) that firmly bind the login process to the genuine website. These methods do not work on fake sites because they do not send interceptable codes. Traditional MFA is often insufficient for admin accounts, and passwordless, phishing-resistant login must become mandatory.
–> AuthN by IDEE enables this type of secure multi-factor authentication (MFA) without requiring a password, token, or second device – learn more here.

Introduction of multi-eyes approvals for critical actions:
Establish approval processes in which critical admin actions must be approved by more than one admin.
–> Typically, a combination of solutions is used here: roles are defined in an IGA solution such as Microsoft Entra ID and temporarily activated via a PAM solution. Additionally, approval must be obtained and the process documented. We’d be happy to share insights from our customer projects on how to approach this effectively.

Greater focus on Zero Trust architectures:
A modern security concept based on the principle “Never trust, always verify.”
–> Read more about Zero Trust, the security standard for modern enterprises, here.

Greater transparency and control:
UEMs provide overview and transparency, which creates security and control. In the case of Stryker, this appears to have been a core issue with Microsoft Intune: privileged accounts and critical actions were not sufficiently monitored, and attackers were able to wipe devices en masse without early intervention.
–> The solution Eido addresses this very issue in Intune: it provides greater transparency regarding compliance status, admin roles, and risky configurations; detects dangerous settings before they become a problem; and alerts you to critical actions.
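The first three of the tips above (least privilege with time-limited grants, RBAC, and multi-eyes approval) fit together as one authorization model in front of the UEM control plane. The following is an added reference model written for this post; it is not code from Stryker, Microsoft, IDEE or Eido, and the role names, permission strings, users and the 30-minute activation window are all constructed for the example. It shows the three checks a destructive action such as a bulk wipe should pass: the actor's role must grant the permission, the grant must still be valid, and a second, different person must have approved that specific action.

```python
"""Added reference model (not the page's or any vendor's code): RBAC, just-in-time
(time-bounded) privilege and two-person approval in front of a destructive UEM
action such as a device wipe. All roles, users and policies are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# RBAC: permissions hang off roles, never off individual users (constructed roles).
ROLE_PERMISSIONS = {
    "helpdesk": {"device.read"},
    "device-admin": {"device.read", "device.write"},
    "wipe-admin": {"device.read", "device.write", "device.wipe"},
}

# Actions that are destructive at scale need a second pair of eyes.
REQUIRES_APPROVAL = {"device.wipe"}


@dataclass
class Activation:
    user: str
    role: str
    expires_at: datetime


@dataclass
class Approval:
    approver: str
    permission: str
    ticket: str  # change/incident reference, so the approval is documented


@dataclass
class ControlPlane:
    # Standing roles stay minimal; elevated roles are activated just in time.
    standing_roles: dict = field(default_factory=dict)
    activations: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def activate(self, user, role, minutes, now):
        """Grant an elevated role for a limited time (PIM-style activation)."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.activations.append(Activation(user, role, now + timedelta(minutes=minutes)))
        self.audit.append(("activate", user, role))

    def effective_permissions(self, user, now):
        perms = set()
        for r in self.standing_roles.get(user, ()):
            perms |= ROLE_PERMISSIONS[r]
        for a in self.activations:
            if a.user == user and a.expires_at > now:  # expired grants are ignored
                perms |= ROLE_PERMISSIONS[a.role]
        return perms

    def authorize(self, user, permission, now, approval=None):
        """Return (allowed, reason). Denies unless an active role grants the
        permission and, for destructive actions, a different person approved it."""
        if permission not in self.effective_permissions(user, now):
            return False, "no active role grants " + permission
        if permission in REQUIRES_APPROVAL:
            if approval is None or approval.permission != permission:
                return False, "second approval required for " + permission
            if approval.approver == user:
                return False, "approver must be a different person"
        self.audit.append(("authorize", user, permission, approval and approval.ticket))
        return True, "ok"


def demo():
    """Walk through the cases a reviewer would want to see denied or allowed."""
    now = datetime(2025, 3, 15, 9, 0, tzinfo=timezone.utc)
    cp = ControlPlane(standing_roles={"carol": ["helpdesk"]})
    results = {}
    results["helpdesk_wipe"] = cp.authorize("carol", "device.wipe", now)
    cp.activate("alice", "wipe-admin", minutes=30, now=now)
    results["no_approval"] = cp.authorize("alice", "device.wipe", now)
    results["self_approval"] = cp.authorize(
        "alice", "device.wipe", now, Approval("alice", "device.wipe", "CHG-1"))
    results["two_person"] = cp.authorize(
        "alice", "device.wipe", now, Approval("bob", "device.wipe", "CHG-1"))
    results["expired"] = cp.authorize(
        "alice", "device.wipe", now + timedelta(minutes=31), Approval("bob", "device.wipe", "CHG-2"))
    return results


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:15} allowed={allowed} ({reason})")
```

The point of the model is that no single identity, however privileged, can reach the wipe action alone: the permission comes from a role, the role expires, and the approval must carry a second person's name and a ticket that ends up in the audit trail.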
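To make the phishing-resistant MFA tip concrete, the following added example (written for this post, not code from IDEE, AuthN or any WebAuthn library) models the checks a relying party performs on a FIDO2/WebAuthn assertion and why an assertion produced on a look-alike site is rejected. The domains, the challenge and the credential key are constructed; because the Python standard library has no ECDSA, the authenticator's signature is stood in for by an HMAC over exactly the bytes a real authenticator signs (authenticatorData followed by SHA-256 of clientDataJSON). Everything else, the clientDataJSON fields, the authenticatorData layout (rpIdHash, flags, signature counter) and the order of the checks, follows the WebAuthn specification.

```python
"""Added illustration (not the page's or any vendor's code) of WebAuthn origin
binding. The browser fills in the origin and RP ID of the page the user is
actually on, so an assertion made on a phishing domain fails the relying
party's checks even if the attacker relays the genuine challenge."""
import base64
import hashlib
import hmac
import json
import os


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_get(rp_id, origin, challenge, cred_key, counter=1):
    """Model of browser + authenticator producing an assertion.
    cred_key is a constructed stand-in for the credential's private key."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":")).encode()
    # authenticatorData = rpIdHash(32) | flags(1) | signCount(4); 0x05 = UP|UV
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + counter.to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_verify(rp_id, expected_origin, challenge, cred_key, last_counter,
              client_data, auth_data, sig):
    """Relying-party checks, in spec order. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    if int.from_bytes(auth_data[33:37], "big") <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Genuine login, a relayed assertion from a look-alike domain, and a replay."""
    key = os.urandom(32)        # constructed credential key
    challenge = os.urandom(32)  # fresh per login, issued by the RP
    rp, origin = "login.example.com", "https://login.example.com"
    genuine = authenticator_get(rp, origin, challenge, key)
    # Phishing: the user is on a look-alike domain that relays the RP's real
    # challenge. A real authenticator would not even find a credential for that
    # RP ID; the model reuses the key to show the RP rejects it regardless.
    phished = authenticator_get("login-example.net", "https://login-example.net", challenge, key)
    return {
        "genuine": rp_verify(rp, origin, challenge, key, 0, *genuine)[1],
        "phished": rp_verify(rp, origin, challenge, key, 0, *phished)[1],
        "replayed": rp_verify(rp, origin, os.urandom(32), key, 0, *genuine)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:9} -> {reason}")
```

The contrast with one-time codes is visible in the data structure: a TOTP or push code carries no information about where it was typed, whereas the WebAuthn assertion carries the origin and RP ID hash inside the signed bytes, so a relayed assertion is rejected before the signature is even checked.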
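The last tip, monitoring privileged accounts and critical actions in the UEM, can be reduced to detection logic over the audit trail. The following is an added example written for this post, not Eido's or Microsoft's code: it runs over constructed audit events that only loosely follow the shape of Intune audit records (actor, activity type, timestamp) and raises a medium alert on privileged-role changes and a high alert when one actor issues ten or more destructive device actions within five minutes. The activity labels, actors and thresholds are constructed; a real deployment would tune them to its own baseline.

```python
"""Added example (not the page's or any vendor's code): alerting on privileged-role
changes and on mass destructive device actions in UEM audit events. The events
and activity labels below are constructed and only resemble Intune's audit shape."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

DESTRUCTIVE = ("wipe", "retire", "delete")                  # constructed labels
ROLE_CHANGES = ("add roleassignment", "update roledefinition")  # constructed labels


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts. Keeps a sliding window of destructive actions per actor."""
    alerts = []
    recent = defaultdict(deque)
    fired = set()
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        ts, actor = parse_ts(ev["activityDateTime"]), ev["actor"]
        activity = ev["activityType"].lower()
        if activity.startswith(ROLE_CHANGES):
            alerts.append({"severity": "medium", "actor": actor, "time": ev["activityDateTime"],
                           "reason": f"privileged role change: {ev['activityType']}"})
        if not activity.startswith(DESTRUCTIVE):
            continue
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:   # drop actions older than the window
            q.popleft()
        if len(q) >= threshold and actor not in fired:
            fired.add(actor)            # one high alert per actor, not one per device
            alerts.append({"severity": "high", "actor": actor, "time": ev["activityDateTime"],
                           "reason": f"{len(q)} destructive device actions within {window}"})
    return alerts


def sample_events():
    """Constructed audit trail: normal helpdesk wipes, then a role change followed
    by a burst of wipes from the same account."""
    base = datetime(2025, 3, 15, 2, 0, tzinfo=timezone.utc)
    evs = [{"activityDateTime": (base + timedelta(minutes=20 * i)).isoformat(),
            "actor": "helpdesk@example.com", "activityType": "wipe ManagedDevice",
            "device": f"LT-{i:03}"} for i in range(2)]
    evs.append({"activityDateTime": (base + timedelta(hours=1)).isoformat(),
                "actor": "svc-legacy@example.com", "activityType": "add RoleAssignment",
                "device": ""})
    evs += [{"activityDateTime": (base + timedelta(hours=1, seconds=10 * i)).isoformat(),
             "actor": "svc-legacy@example.com", "activityType": "wipe ManagedDevice",
             "device": f"WS-{i:04}"} for i in range(12)]
    return evs


def demo():
    return detect(sample_events())


if __name__ == "__main__":
    for a in demo():
        print(f"[{a['severity']}] {a['time']} {a['actor']}: {a['reason']}")
```

Two helpdesk wipes twenty minutes apart produce nothing; the role assignment produces the medium alert that should already trigger a look, and the tenth wipe inside the window produces the high alert. The order matters for response: the role change is the earliest signal, and a burst of destructive actions is the one that justifies immediately suspending the actor's session.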
Conclusion
In larger companies today, UEMs are indispensable for both management and security reasons. They make life much easier for administrators and help them maintain an overview—but they can also become a risk, as seen in the Stryker case. A single compromised account should never be enough to wipe tens of thousands of devices, and that is why the UEM itself must also be monitored and adequately secured. The danger is not a lack of technology, but rather a lack of time, resources, and expertise. For all of this, there are consulting firms and managed service providers that fill precisely these gaps in time and knowledge and are happy to defend the front line alongside you.
