Iran-linked cyberattack prompts Microsoft Intune warnings

Photo: Stryker Attack Mirrors Tactics Long Used in Iran-Aligned Hacks
Kristen Norman/Bloomberg
  • Key insight: Microsoft's newly recommended security practices for Intune align with existing FFIEC regulations for access and authentication.
  • What's at stake: Iranian-linked hackers are targeting administrative access not for financial extortion, but to launch pure disruption attacks that wipe servers.
  • Expert quote: "More than one privileged user at the financial institution must approve access to certain critical systems," according to FFIEC guidance.

Overview bullets generated by AI with editorial review

A crippling cyberattack earlier this month against U.S. medical technology firm Stryker provided an object lesson in the risks of how organizations manage endpoint devices, prompting urgent warnings for financial institutions.

On March 11, a threat actor breached Stryker, resulting in a global disruption to the company's Microsoft environment that adversely affected order processing, manufacturing and shipping operations.

In response, the Cybersecurity and Infrastructure Security Agency, or CISA, issued a March 18 alert urging organizations to harden their endpoint management systems, such as Microsoft Intune, "to defend against similar malicious activity that misuses legitimate endpoint management software," according to the agency's alert.

For U.S. banks, the incident highlights a severe operational threat, as Iranian-linked hacking groups increasingly target Intune administrative access to launch destructive "wiper" attacks.

Attackers have successfully gained access to corporate networks "and deleted servers and workstations, with the aim of disrupting the operations of the attacked organizations," according to a March 6 warning from Israel's National Cyber Directorate highlighted by Palo Alto Networks' Unit 42.

To prevent network-wide compromises and remain compliant with federal safety standards for access and authentication, bank security teams must rapidly adopt Microsoft's newly released best practices for securing Intune.

The Stryker attack and the rise of wiper threats

On March 11, Stryker identified a cybersecurity incident that caused a "global disruption" to its internal Microsoft environment, according to a Securities and Exchange Commission filing from the company.

Threat actors linked to the Iranian government are increasingly using administrative access in Microsoft Intune to deploy wiper attacks, according to a March 12 threat report from cybersecurity firm Palo Alto Networks' threat intelligence arm, Unit 42.

A group known as Handala Hack uses phishing to steal identity credentials, which the attackers then use to access Intune, according to the report. Handala Hack operates as a front for Iran's Ministry of Intelligence and Security, according to a Unit 42 report.

Rather than extorting companies for money, these attackers aim for "pure disruption," according to the report. Attackers have accessed corporate networks and "deleted servers and workstations," according to a March 6 warning from Israel's National Cyber Directorate.

Microsoft's new guidance and banking regulations

Microsoft's three recommended practices for securing Intune systems mirror the expectations for access and authentication set by the Federal Financial Institutions Examination Council.

The FFIEC advises financial institutions to identify "high-risk users," a category that includes security administrators and other privileged users, according to the council's guidance document. These users warrant enhanced authentication controls to protect information systems, according to the guidance.

Microsoft similarly categorizes the global administrator and Intune administrator roles as privileged positions that hold broad permissions within Intune.

Single-factor authentication, even when paired with layered security controls, is inadequate for high-risk users, according to the FFIEC.

To mitigate the risk of unauthorized access, the council advises institutions to require privileged users to reauthenticate using multifactor authentication before making system configuration changes, updating software or executing significant system processes.

Furthermore, the FFIEC expects that "more than one privileged user at the financial institution must approve access to certain critical systems or certain requests for administrative changes," according to the guidance.

This regulatory standard aligns directly with Microsoft's recommendation that organizations enable a feature called multi admin approval, which requires a second authorized administrator to review and approve sensitive changes before they deploy.

Actionable steps for hardening Intune

To secure Intune, Microsoft advises organizations to implement "principles of least privilege when designing administrative roles," according to CISA's March 18 alert.

Security administrators should use Intune's role-based access control to assign the minimum necessary permissions for day-to-day operations.

Rather than granting "standing" or always-on permissions, organizations should implement a just-in-time access model where credentials default to zero permissions and require a formal activation process, according to the Unit 42 report.

Broad administrative roles, such as the global administrator, hold vast permissions and "should be limited and not used for daily administrative tasks," according to a March 14 blog post from Microsoft.

The second of Microsoft's three practices requires institutions to enforce phishing-resistant multifactor authentication and sound access hygiene.

The Handala Hack group uses phishing to compromise identity credentials. Standard app-based or SMS-based authentication methods remain vulnerable to phishing, SIM swapping, and push-bombing attacks, according to an October 2022 CISA fact sheet.

CISA designates phishing-resistant authentication, such as FIDO or WebAuthn protocols, as the "gold standard" for access security. Security teams should combine these strong authentication methods with conditional access policies to block unauthorized users from accessing privileged actions, according to the CISA alert.
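As an added illustration of the control described above (example code written for this article, not Microsoft's or CISA's own tooling), the script below models a conditional access rule that blocks sign-ins to privileged Intune roles unless a phishing-resistant method was used, then runs it over a handful of constructed sign-in records. The method labels, role names and record layout are assumptions made for the example; they are not Microsoft's sign-in log schema.

```python
# Added example (not from the article or from Microsoft/CISA): model a conditional
# access rule that requires phishing-resistant MFA for privileged roles, and run it
# over constructed sign-in records. Method names and the record layout are assumptions.

# Phishing-resistant methods of the kind CISA calls the "gold standard"
# (FIDO/WebAuthn-based authenticators and certificate-based authentication).
PHISHING_RESISTANT = {"fido2_security_key", "windows_hello_for_business", "certificate"}
# Second factors the CISA fact sheet describes as phishable (SMS, voice, push).
PHISHABLE_MFA = {"sms", "voice_call", "app_push"}
# Roles the article treats as privileged positions within Intune.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}

# Constructed sample sign-in records (hypothetical users, simplified schema).
SAMPLE_SIGNINS = [
    {"user": "alice@bank.example", "roles": ["Global Administrator"], "methods": ["password", "fido2_security_key"]},
    {"user": "bob@bank.example", "roles": ["Intune Administrator"], "methods": ["password", "app_push"]},
    {"user": "dave@bank.example", "roles": ["Help Desk Operator"], "methods": ["password", "sms"]},
    {"user": "erin@bank.example", "roles": ["Intune Administrator"], "methods": ["password"]},
]


def auth_strength(methods):
    """Classify a sign-in by the strongest factor it presented."""
    used = set(methods)
    if used & PHISHING_RESISTANT:
        return "phishing_resistant"
    if used & PHISHABLE_MFA:
        return "mfa_phishable"
    return "single_factor"


def is_privileged(signin):
    return any(role in PRIVILEGED_ROLES for role in signin["roles"])


def evaluate_policy(signin):
    """Return ("allow" | "block", reason). Privileged roles must present phishing-resistant MFA."""
    strength = auth_strength(signin["methods"])
    if is_privileged(signin) and strength != "phishing_resistant":
        return "block", f"privileged role requires phishing-resistant MFA (got {strength})"
    return "allow", strength


def audit(signins):
    """List (user, strength) for privileged sign-ins the policy would block."""
    return [
        (s["user"], auth_strength(s["methods"]))
        for s in signins
        if evaluate_policy(s)[0] == "block"
    ]


if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        decision, reason = evaluate_policy(s)
        print(f"{decision:5} {s['user']:22} {reason}")
```

Run against real sign-in data, the same `audit` pass gives a before-and-after picture: the privileged accounts still authenticating with SMS or push are exactly the ones the conditional access policy would start blocking once enforced.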

Finally, banks must require a second administrator to approve high-impact actions, such as a device wipe. A single compromised administrative account can initiate a mass wipe event across a network.

To mitigate this risk, Microsoft recommends enabling multi admin approval, which introduces a "practical governance control" that blocks sensitive changes until a second authorized administrator reviews and approves the deployment, according to the company's blog post.
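To show what the two-person rule buys a defender, here is a simplified model of that governance control (added example code, not Microsoft's multi admin approval implementation): a wipe can be requested by any administrator, but it cannot execute until a different, authorized administrator approves it, so one compromised account cannot both ask for and authorize a mass wipe. The admin names, the list of high-impact actions and the workflow shape are assumptions made for the example.

```python
# Added example (not from the article or from Microsoft): a simplified model of the
# two-person control that multi admin approval provides, applied to a hypothetical
# device-wipe request. Names, actions and the workflow shape are assumptions.
import itertools

# Actions the article calls high-impact; none may complete on a single account's say-so.
HIGH_IMPACT_ACTIONS = {"wipe", "retire", "delete_device"}


class ApprovalError(Exception):
    """Raised when the two-person rule would be violated."""


class ApprovalGate:
    def __init__(self, approvers):
        self.approvers = set(approvers)      # admins authorized to approve
        self._ids = itertools.count(1)
        self.requests = {}
        self.executed = []

    def request(self, requester, action, targets, justification):
        """Record a request; nothing is executed yet."""
        req_id = next(self._ids)
        self.requests[req_id] = {
            "requester": requester, "action": action, "targets": list(targets),
            "justification": justification, "approved_by": None, "status": "pending",
        }
        return req_id

    def approve(self, req_id, approver):
        req = self.requests[req_id]
        if req["status"] != "pending":
            raise ApprovalError(f"request {req_id} is already {req['status']}")
        if approver not in self.approvers:
            raise ApprovalError(f"{approver} is not an authorized approver")
        if approver == req["requester"]:
            # The core of the control: one account cannot both request and approve.
            raise ApprovalError("requester cannot approve their own request")
        req["approved_by"] = approver
        req["status"] = "approved"

    def execute(self, req_id):
        """Run the action only if it is low-impact or carries a second admin's approval."""
        req = self.requests[req_id]
        if req["action"] in HIGH_IMPACT_ACTIONS and req["status"] != "approved":
            raise ApprovalError(f"{req['action']} on {len(req['targets'])} device(s) needs a second approver")
        req["status"] = "executed"
        self.executed.append((req["action"], tuple(req["targets"]), req["requester"], req["approved_by"]))
        return req["status"]


def demo():
    """Walk the control through the cases that matter; returns each outcome."""
    gate = ApprovalGate(approvers={"alice@bank.example", "bob@bank.example"})
    req = gate.request("alice@bank.example", "wipe", ["DEV-0001", "DEV-0002"], "decommission")
    outcomes = {}
    try:                                   # no approval yet -> refused
        gate.execute(req)
    except ApprovalError as e:
        outcomes["unapproved_execute"] = str(e)
    try:                                   # requester approving herself -> refused
        gate.approve(req, "alice@bank.example")
    except ApprovalError as e:
        outcomes["self_approve"] = str(e)
    try:                                   # someone outside the approver set -> refused
        gate.approve(req, "mallory@bank.example")
    except ApprovalError as e:
        outcomes["outsider_approve"] = str(e)
    gate.approve(req, "bob@bank.example")  # a second authorized admin -> allowed
    outcomes["after_second_admin"] = gate.execute(req)
    # A low-impact action is not gated and runs on the requester's authority alone.
    outcomes["low_impact"] = gate.execute(gate.request("alice@bank.example", "sync", ["DEV-0001"], "routine"))
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result}")
```

The executed log keeps both the requester and the approver, which is the audit trail an examiner would expect for the FFIEC's "more than one privileged user" expectation.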

The cyberattack on Stryker demonstrates that threat actors will exploit endpoint management platforms to execute wiper attacks and disrupt operations. To protect their networks, organizations should start with a "quick wins pass," according to Microsoft.

This means bank IT teams should immediately "inventory broad, standing Intune role assignments and replace them with least-privilege role-based access control roles," according to the Microsoft post.
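The "quick wins pass" above, together with the least-privilege and just-in-time points earlier in this section, comes down to one audit: find every assignment of a broad role that is standing rather than activated on demand. The script below performs that inventory over a constructed export of role assignments (added example code, not Microsoft's tooling or export format). The record layout, the "Permanent" versus "Eligible" labels and the sample principals are assumptions made for the example; the two roles it flags as broad are the ones the article names.

```python
# Added example (not from the article or from Microsoft): inventory a constructed
# export of role assignments for broad, standing ("always-on") privileges. The
# export layout, labels and principals below are assumptions for illustration.
from collections import Counter

# Roles the article singles out as broad and unsuitable for daily administration.
BROAD_ROLES = {"Global Administrator", "Intune Administrator"}

# Constructed sample export, one record per role assignment.
# assignment_type "Permanent" = standing access; "Eligible" = must be activated (just-in-time).
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@bank.example", "role": "Global Administrator", "assignment_type": "Permanent", "scope": "/"},
    {"principal": "bob@bank.example", "role": "Intune Administrator", "assignment_type": "Permanent", "scope": "/"},
    {"principal": "carol@bank.example", "role": "Intune Administrator", "assignment_type": "Eligible", "scope": "/"},
    {"principal": "dave@bank.example", "role": "Help Desk Operator", "assignment_type": "Permanent", "scope": "Branch-Devices"},
    {"principal": "svc-patching@bank.example", "role": "Global Administrator", "assignment_type": "Permanent", "scope": "/"},
]


def is_standing(assignment):
    """Standing access is any assignment that does not require activation."""
    return assignment["assignment_type"].lower() == "permanent"


def find_standing_broad_assignments(assignments):
    """Return assignments that are both broad (Global/Intune Administrator) and standing."""
    return [a for a in assignments if a["role"] in BROAD_ROLES and is_standing(a)]


def summarize(assignments):
    """Roll the findings up into the numbers a remediation ticket would carry."""
    findings = find_standing_broad_assignments(assignments)
    return {
        "total_assignments": len(assignments),
        "standing_broad": len(findings),
        "by_role": dict(Counter(a["role"] for a in findings)),
        "principals": sorted(a["principal"] for a in findings),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ASSIGNMENTS)
    print(f"{report['standing_broad']} of {report['total_assignments']} assignments are broad and standing")
    for a in find_standing_broad_assignments(SAMPLE_ASSIGNMENTS):
        print(f"  REVIEW {a['principal']}: {a['role']} ({a['assignment_type']}, scope {a['scope']})"
              " -> convert to eligible (just-in-time) or a scoped least-privilege role")
```

Carol's eligible assignment is deliberately left out of the findings: it already follows the just-in-time model, where the credential holds no permissions until a formal activation. Dave's scoped help-desk role is also out of scope for this pass, since the quick win is the broad, tenant-wide roles.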

Furthermore, because the attackers aim for "pure disruption" rather than financial extortion, institutions should maintain "immutable, air-gapped, offline backups of critical data" to guarantee recovery if a wipe command slips through, according to Unit 42.

