Company says it doesn't know how long it will take to restore its Microsoft environment.
See full article...
See full article...
What’s known about wiper attack on Stryker, a major supplier of lifesaving devices
- Thread starter JournalBot
- Start date
Well.. given The Great Satans (Trumpistan and Israel) started the war and have targeted hospitals and killed people inside these hospitals then you get what you pay for.
Eye for an Eye and all that.
So all I have is crocodile tears for your kind...totally self absorbed and oblivious to the suffering The Great Satans have wrought on millions of innocent people over the decades.
Bluck
Upvote
0
(21
/
-21)
Burning farms and looting storehouses is something the invaders do, not the defenders.
Upvote
3
(7
/
-4)
No, they just bomb schools, hospitals and medical facilities, and sink warships "for fun".
Upvote
29
(34
/
-5)
Eskimonster
Ars Praetorian
I think this war wil inspire much worse things then this (like exploding pagers and napalm drones)
Upvote
2
(3
/
-1)
To paraphrase a quote M*A*S*H:
Hawkeye: War isn’t Hell. War is war, and Hell is Hell. And of the two, war is a lot worse.
..
Hawkeye: .. There are no innocent bystanders in Hell, but war is chock full of them – little kids, cripples, old ladies. In fact, except for a few of the brass, almost everybody involved is an innocent bystander.
A defensive war can be justified in stopping the harm of others, but an offensive war, a pre-emptive strike or assassination of political targets should be unforgivable, as it is sanctioned murder, and the political leader is the one who should be charged as a criminal.
Upvote
40
(40
/
0)
It's supported in Android now - I'm not sure about iOS. But on environments where it's not supported, the app is just wholesale replaced with the managed version that you install, alongside the managed configuration.
There's no automagic conversion process unless your whole device is managed. With the work profiles, there's a separate work app store where you can install managed versions. Also to just underscore this, the managed versions come with managed configuration, and replace the personal app (at least if you can't install two copies), so there is still no way for a work profile to see or control your personal data, and it can't happen invisibly because the app will now only have the work configuration.
I'm not saying this is all perfect and there's no reason for a separate work device, just pointing out that the walls between personal and work profiles are very strong in this configuration, and it's really hard for a user OR an administrator to do anything destructive to the personal side.
Upvote
0
(0
/
0)
While I don't disagree, there's a difference between MDM and MAM management, and both come from Intune. An MDM-managed device will be fully wiped, including all personal data. An MAM-managed device will only wipe the managed work content (work email, OneDrive, etc), and the personal data and apps are left untouched. Sounds like they might have been requiring MDM, which is dumb, and this is one of the big reasons why, and why we moved away from it. If someone leaves the company, we don't want to have to make them delete all the pictures of their kids or whatever.
Upvote
7
(7
/
0)
In modern MAM, if you wipe the work content, it only wipes the work content, not the app. So, for example, if you had your work email, gmail, and proton mail all signed in in Outlook or Mail app, and an MAM wipe was commanded, your work account disappears from those apps. That's it. Your gmail and proton would remain and continue to work as expected. Same with OneDrive. Your work OneDrive content goes away, personal OneDrive content (using a personal account sign-in) stays and remains functional.
Upvote
5
(5
/
0)
Mungus the Unhyphenated
Ars Tribunus Militum
I'll toss in my two cents' worth as a longtime MS systems admin... From what what's known/been described so far this looks like an Intune (MDM) wipe. Intune doesn't manage servers -- only endpoint devices like desktop/laptop Windows clients and mobile phones.
So at this point, what's down is likely the end-user devices. The servers and Active Directory/EntraID (formerly Azure AD) are likely still running -- it's just that no one can access them. It's like losing your house keys or the fob to your car. Everything may be fine inside, but you have no access with no functional endpoint devices to let you in. At least with server infrastructure, you should be able to achieve physical access somehow. Even an all-virtual server environment has a "physical" console available from the hypervisor. And even if your virtual infrastructure is hosted in an off-site datacenter, your management provider should be able to rig up a way to get to the console which is normally "theirs" alone -- even if it has to be over a Teams/Zoom/Whatever remote sharing session. There's always a way; it's just more cumbersome the further you go away from your own local physical server setup.
It's supremely annoying and inconvenient, but admins will be able to get back in by initially logging on locally to a server (Preferably a utility server that's not running critical services) and first begin the process of containing and controlling access to Intune and other Microsoft services. Global and Enterprise admins will be busy with a lot of password-changing and checking (and potentially further limiting/locking down) rights and delegations. Then the process will begin of verifying the Intune configuration and finally beginning to re-configure machines that desktop support staff and Intune can reach.
I'm going to assume that this being a medical products and services company, that they're rather conservative and are sticking to traditional AD-joined endpoint computers, which means that the computer needs to be joined (or re-joined) to AD before Intune can take over. (The other option is "Cloud-Joined" which connects to Intune first and then to AD, but that's often not desirable in an older AD environment that's been around since before "The Cloud," which Stryker very much would be.) Recovery will begin on-premises first. Remote workers and people like sales and support reps who are almost always traveling will be impacted for longer -- they may have to either bring in their devices to be re-configured or wait to have newly-imaged devices sent out to them. It's fundamentally a massive logistics problem that affects restoring access to the AD and network environment.
I agree that how someone got into the system is probably due to some form of phishing. Someone's credentials were compromised enough to get in, and further forays into the system may have allowed more to be harvested. Or they got lucky with a spear-phishing campaign against an administrator.
There will be much re-evaluation of which accounts are assigned particular rights and access, how pervasive any forms of MFA are, and what kinds of administrative credentials management are in place and how they're used.
Where I work, we've fundamentally separated everyday credentials for admins from the ones used to log on to servers and Active Directory/EntraID/Intune. And then the real admin-level accounts' passwords are heavily randomized and frequently rotated by a management system; we can't even log into servers without first authenticating (with MFA) onto a management platform which then issues a password to our "real" administrative accounts for the day. Hacking that system would require knowing the "normal" account password and spoofing the MFA, and having remote access into the system over our secured tunnel system in the first place, which is locked to company-owned devices only. No BYOD here at all. Are there potential holes and attack vectors? Sure there are. But it's always an escalation game of making more and more hoops for the attacker to jump through in order to limit their chances of getting in, even if they have managed to harvest credentials through simple phishing.
The post-mortem breakdown of this attack will be interesting. My guess would be that they had not yet implemented some aspect of enhanced security, due to budgeting, scheduling, or both -- but may have been aware that there were risks that they should be working on mitigating. If they weren't aware of the risks/hadn't done a risk assessment in the past year, then they were lax on due diligence. We'll have to wait and see what comes out.
So at this point, what's down is likely the end-user devices. The servers and Active Directory/EntraID (formerly Azure AD) are likely still running -- it's just that no one can access them. It's like losing your house keys or the fob to your car. Everything may be fine inside, but you have no access with no functional endpoint devices to let you in. At least with server infrastructure, you should be able to achieve physical access somehow. Even an all-virtual server environment has a "physical" console available from the hypervisor. And even if your virtual infrastructure is hosted in an off-site datacenter, your management provider should be able to rig up a way to get to the console which is normally "theirs" alone -- even if it has to be over a Teams/Zoom/Whatever remote sharing session. There's always a way; it's just more cumbersome the further you go away from your own local physical server setup.
It's supremely annoying and inconvenient, but admins will be able to get back in by initially logging on locally to a server (Preferably a utility server that's not running critical services) and first begin the process of containing and controlling access to Intune and other Microsoft services. Global and Enterprise admins will be busy with a lot of password-changing and checking (and potentially further limiting/locking down) rights and delegations. Then the process will begin of verifying the Intune configuration and finally beginning to re-configure machines that desktop support staff and Intune can reach.
I'm going to assume that this being a medical products and services company, that they're rather conservative and are sticking to traditional AD-joined endpoint computers, which means that the computer needs to be joined (or re-joined) to AD before Intune can take over. (The other option is "Cloud-Joined" which connects to Intune first and then to AD, but that's often not desirable in an older AD environment that's been around since before "The Cloud," which Stryker very much would be.) Recovery will begin on-premises first. Remote workers and people like sales and support reps who are almost always traveling will be impacted for longer -- they may have to either bring in their devices to be re-configured or wait to have newly-imaged devices sent out to them. It's fundamentally a massive logistics problem that affects restoring access to the AD and network environment.
I agree that how someone got into the system is probably due to some form of phishing. Someone's credentials were compromised enough to get in, and further forays into the system may have allowed more to be harvested. Or they got lucky with a spear-phishing campaign against an administrator.
There will be much re-evaluation of which accounts are assigned particular rights and access, how pervasive any forms of MFA are, and what kinds of administrative credentials management are in place and how they're used.
Where I work, we've fundamentally separated everyday credentials for admins from the ones used to log on to servers and Active Directory/EntraID/Intune. And then the real admin-level accounts' passwords are heavily randomized and frequently rotated by a management system; we can't even log into servers without first authenticating (with MFA) onto a management platform which then issues a password to our "real" administrative accounts for the day. Hacking that system would require knowing the "normal" account password and spoofing the MFA, and having remote access into the system over our secured tunnel system in the first place, which is locked to company-owned devices only. No BYOD here at all. Are there potential holes and attack vectors? Sure there are. But it's always an escalation game of making more and more hoops for the attacker to jump through in order to limit their chances of getting in, even if they have managed to harvest credentials through simple phishing.
The post-mortem breakdown of this attack will be interesting. My guess would be that they had not yet implemented some aspect of enhanced security, due to budgeting, scheduling, or both -- but may have been aware that there were risks that they should be working on mitigating. If they weren't aware of the risks/hadn't done a risk assessment in the past year, then they were lax on due diligence. We'll have to wait and see what comes out.
Upvote
10
(10
/
0)
Everyone has such things. On a list if not stupid. (Some companies are.) But getting them to the top means bumping something else. So things move slowly.
Upvote
2
(2
/
0)
Killing over a hundred girls in school still sounds much much worse.
Upvote
20
(21
/
-1)
Albino_Boo
Ars Praefectus
No security is absolute. Attacks from state sponsored groups are constant and continuous and, unlike criminals, they don't have to make money. Iran and their ilk can comfortably afford to buy someone with 1 million is freshly mined bitcoin or blackmail someone for their credentials. Even if their pishing attempts only have a 1 in 100,000 chance of success its worth it for the disruption they can cause.
Upvote
0
(0
/
0)
At this point if Iran retaliates it wouldn't be terrorism. It would be an act of war, because we are at war with Iran. Even if they get a proxy group to perform it, like Hezbollah and/or the Houthis. Calling it terrorism is a politically motivated label, not an accurate one.
I'm not being nitpicky just to "well, actually", it's to remind everyone how serious repercussions can be. It is a war with consequences. Iran may not be Russia or China, but they're above North Korea in strength and ability. Iran is in the top 20 in global military power, coming in at 16th place on the GMP. With estimations putting them between Israel at 15th and Australia at 17th in capabilities.
We know they're experts at making drones and cyber warfare. I doubt this will be the end of it.
Upvote
32
(32
/
0)
...okay?
Bombing a school and attacking a medical device company can both be bad. We don't have to just pick one.
Upvote
5
(13
/
-8)
Just for the reference of any Intune admins; something I was not previously aware of. Intune (and, oddly, only intune; feel free to unilaterally blow a hole in your entra MFA config or set a crazy default label policy in purview or something) does support requiring multi-admin approval for certain sensitive actions.
Not super convenient; but beats letting Timmy Helpdesk glass anything in the company just to allow him to wipe machines before sending them out for warranty support.
Hat tip to @daveyk00 and @iaintshootinmis over on mastadon.
Not super convenient; but beats letting Timmy Helpdesk glass anything in the company just to allow him to wipe machines before sending them out for warranty support.
Hat tip to @daveyk00 and @iaintshootinmis over on mastadon.
Upvote
6
(6
/
0)
I mean, you have to remember the international conversion rate; 200 Iranian children is, what, maybe equal to 1/5 of a western child?
Upvote
-5
(8
/
-13)
retreating armies on the defense have done this for ages.
Upvote
9
(10
/
-1)
Upvote
13
(13
/
0)
Intentional murdering 10,000+ protestors is even worse. https://www.theguardian.com/global-...ll-disappeared-bodies-mass-burials-30000-dead
There is no moral high ground in this shit show on either side.
Upvote
-5
(6
/
-11)
Does anyone know of a good science fiction book that transposes Crusades-era conflict between two religions each absolutely convinced God is on their side and committed to the destruction of the other to a modern or near-future scenario? Bonus points if it focuses on the ways neither side truly represents, or even cares about, its own people other than as fodder for the conflict and if one side isn't even run by a religious zealot but by a craven narcissist who is only aligned with them for political convenience. Asking for a friend.
Upvote
1
(2
/
-1)
Is your friend not depressed enough already by current events?
Upvote
7
(7
/
0)
Wars, like elections, have consequences. The issue is that the current occupant of the Oval Office does not understand consequences, having never faced them for
Upvote
16
(18
/
-2)
My friend thinks that if they are going to wallow in it anyway, they might be better off doing it with a book than a few bottles of bourbon.
Upvote
9
(9
/
0)
Spot on. The current administration does not understand the concept of consequences, nor do they care about the suffering they might cause others. The clerical leaders in Iran see the consequences as a necessity to accomplish righteousness and rid the world of the great Satan.
Upvote
-8
(0
/
-8)
America has repeatedly shown the world "no person is above the law" means nothing and that consequences exist for one class but not the other.
The American voter now elected a king in all but name, together with a royal household in form of Senate and House, and given them free reigns to make rules without being bound by them or having to fear any consequences. Rules which are only binding for the rule-taker class, the American population, which is bound by the rules but has no say in them.
America has finally reached true Conservatism. Just like voters wanted.
Upvote
6
(9
/
-3)
@dangoodin I didn't know what "state-nexus actor" meant, so I performed a search for it on duckduckgo. a site named "Europe Says" came up first with an article comprised of several of your paragraphs verbatim. Thought you'd want to know: https://www.europesays.com/news/4360/
Upvote
1
(1
/
0)
Mungus the Unhyphenated
Ars Tribunus Militum
In an era of escalating ransomware attacks and APTs, there seems to be a surprisingly generous share of larger enterprises which have yet to really harden their environments. I know it's costly in terms of both time and purchase/licensing/support costs plus time and cost just to deploy. But based on some contacts we've had with various reps and support teams, despite cybersecurity companies steady marketing, there's a considerable swath of enterprises that are moving slowly to adopt more advanced protections -- slower than threats are advancing.
Just in our market segment (because these things seem to be measured that way), we're typically ahead of 90% of our segment at my workplace in terms of security protections and risk rating. There are a lot of other companies below us on that scale. That's a lot of potential attack surface. And we've only been really ramping up over the past two years compared to where we were just five or six years ago. And by "ramping up", I mean adding or upgrading only one or two major security systems per year. It's not rushed, that's for sure. It's just a matter of committing both time and monetary budgets and not letting the project priority slip.
Admittedly, we have some recent additional impetus to keep on the ongoing security improvements path, due to acquiring another enterprise with government contracts, so there are specific security benchmarks to meet in that environment and enterprise-wide. Still, no matter an enterprises' line of business, improved IT security isn't something to take lightly at all, and getting less so every year.
If a company hasn't done a risk assessment -- even without yet committing to closing particular gaps -- they're badly in the dark and at risk. I doubt a medical products and services enterprise would put themselves behind the 8-ball that badly. But it's going to be interesting to see what comes out of the post-incident analysis because there likely will be a cautionary tale to be told.
Upvote
5
(5
/
0)
This attack wiped every Stryker-controlled computer/phone that was online at the time of attack. It has already caused case cancellations at the hospital my wife works at. It seems to be a big deal (tm) to the bone docs who are now trying to figure out how to reschedule Stryker cases when Stryker can’t tell them when they’ll be up and running again.
Some things are available from third parties (at a markup), but the cases where MRIs are uploaded to control where the bone drill works inside your body? Those cases are at a standstill.
Upvote
7
(7
/
0)
If America is the great Satan then Iran is the great Iblis. This war was not started last week or last month or even in the last 100 years. this is an extension of the Shia vs Sunni vs Jew grudge that has been going on for 1400 years. It is unfortunate the US has stuck its nose in the middle of it all.
Last edited:
Upvote
-4
(0
/
-4)
I'd like to ask those who say that remote management / MDM is kind of safe and reliable when personal and work environments are separated; it works like the managed apps and data are in a kind of sandbox; personal data cannot be affected.
.
So, did / do you actually role out such tests on devices in your fleet?
Let's say on your own personal devices?
.
Or are these claims quotes from MS sales presentations?
.
(the last is intentionally phrased provocing)
.
So, did / do you actually role out such tests on devices in your fleet?
Let's say on your own personal devices?
.
Or are these claims quotes from MS sales presentations?
.
(the last is intentionally phrased provocing)
Upvote
0
(1
/
-1)
Yes. I do. I've also tested what happens during remote wipes.
This isn't some side feature that doesn't get used. It's literally the default configuration for most BYOD enterprises now.
Look, I'm all about "trust but verify" and am highly suspicious of Microsoft, but if you have evidence that this segmentation doesn't do what it says on the box - especially because the segmentation actually has nothing whatsoever to do with Microsoft, and was built by Google and Apple for their respective operating systems - then just show us. Otherwise it's just FUD.
Upvote
5
(5
/
0)
The Jew vs Muslim thing isn't really a religious thing (Islam recognizes Judaism and Christianity as being related predecessors, with itself as the enlightened successor). Of course, there's no question every group has religious bigots. But the Middle East is a war about land. Propagandists (on both sides) find religion a convenient tool to manipulate their target audience.
Upvote
10
(10
/
0)
Thanks for your answer!
I've read about BYOD, however until now there were no jobs where that would have been an option, including remote management.
I read about MDM and the likes here the first time. I've got interested. As none of the participants mentioned that they tested these features, I typed the question.
No FUD intended.
Have a nice day!
Upvote
0
(0
/
0)
Thanks, wish I could upvote you more.
Yeah, I was just using "terrorism" as a shortcut - so they've "brainwashed" me too (it's amazing it works even when you know about it, expect it, etc).
But, you're absolutely correct. And, if we are being accurate - it's probably accurate to say that the USA hitting Iran was the first act of terrorism. Though, of course, that won't be a popular opinion.
Randomnly bombing somewhere is not an act of war. For an act of war, internationally, you need to declare your intentions, amongst other things. And it's certainly not an act of war domestically, because Congress haven't been involved.
So, let's call spades spades. The USA engaged in an act of state-sponsored terrorism when it attacked Iran. (And Venezuela, and the Caribbean boats, and, and, and...)
Upvote
14
(14
/
0)
Recent update from Stryker: https://www.stryker.com/gb/en/about/news/a-message-to-our-customers-03-2026.html
Upvote
0
(0
/
0)
Yes, but look at the bright side: If you work hard and long enough, you may be one of the few in the country who can afford a basic level of healthcare.
Upvote
1
(1
/
0)
It certainly sounds like an Intune admin's credentials were compromised, and then the account was used to wipe endpoints. IIRC, Microsoft recently implemented a feature in Intune where certain actions were held in a queue until a second admin approved them. Wonder if that would have helped here...
Upvote
0
(0
/
0)