[CDP-development] Fw: Endpoint Management System Hardening After Cyberattack Against US Organization TLP: CLEAR
Galusha, Kevin
KGalusha at clackamas.us
Fri Mar 20 10:23:21 PDT 2026
Cyber Disruptors,
Here is another shared notification regarding the Stryker incident. See below.
Thanks,
Kevin Galusha, CISSP
Cybersecurity Architect
Clackamas County Technology Services
(503)723-4960
KGalusha at clackamas.us
www.clackamas.us
________________________________
From: Kainoa, Leslie <leslie.kainoa at cisa.dhs.gov>
Sent: Friday, March 20, 2026 10:15 AM
To: Galusha, Kevin <KGalusha at clackamas.us>
Subject: FW: Endpoint Management System Hardening After Cyberattack Against US Organization TLP: CLEAR
________________________________
Hi Kevin,
One more for today. Thank you.
Respectfully,
Leslie Ann Kainoa, CISSP, GICSP, CDPSE
Cybersecurity State Coordinator
Cybersecurity and Infrastructure Security Agency
Region 10 (OR)
(503) 462-5626
From: Mark Breunig <mark.breunig at alaskacybergroup.org>
Sent: Thursday, March 19, 2026 9:58 AM
Subject: Endpoint Management System Hardening After Cyberattack Against US Organization TLP: CLEAR
Hi Everyone,
I am passing on the following from CISA for your awareness:
The information in this Cybersecurity and Infrastructure Security Agency (CISA) Alert <https://urldefense.us/v3/__https:/urldefense.proofpoint.com/v2/url?u=https-3A__click.communications.cyber.nj.gov_-3Fqs-3DeyJkZWtJZCI6ImU4N2E1YTkzLTFmNWEtNDIzMS04ZDA4LTI5YzRhMzg3YjUxZSIsImRla1ZlcnNpb24iOjEsIml2IjoiazlHb2paT3NPcFBta1RNZWJPakJqZz09IiwiY2lwaGVyVGV4dCI6ImZseWxuNGh6Um9WR1BseFJrMnFkdzNsUGVPTmxBcXZtRjVveTNMeUJmZzMxdWF2L3d3T05BTzUzMGxNME9aZEx0cmtHVmZ4TFN6elNCODgyd2VYeGNNVm9rUm5mWWVDVDBhaU5rNnc2aythUk14NXM2TUdPIiwiYXV0aFRhZyI6IlBOSUh6emJCNWZGd3hXaVJHZDloNEE9PSJ9&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=CHF8RS5RD8ABJLdLVVal90iKCKVWbHlOkJbUV4ODBxrVwDW8JfLNzpoyCTM4eHAt&m=C2jD1VJrb6JDUrPumSBvw9-pROIN06bRHV6nAILDmX0HsAzD7pa72g4Jvksuk65I&s=jJzCpGpXlOZODskc76aj8xsZIqxVuAhCXg92ZQfcIOI&e=__;!!BClRuOV5cvtbuNI!CB_3sUlA34nxBYjj2WMeUYRTwtWQNZ2RaYk1ukVjz_BNM4f863JE6YP3A95JAyOsU7e4lKOTr2Bnsm-JhLpzJCoFqlVLh2dfipWIUDg$> is being provided as is for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
CISA is aware of malicious cyber activity targeting endpoint management systems of US organizations based on the March 11 cyberattack against US-based medical technology firm Stryker Corporation, which affected their Microsoft environment. To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.
To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune<https://urldefense.us/v3/__https:/urldefense.proofpoint.com/v2/url?u=https-3A__click.communications.cyber.nj.gov_-3Fqs-3DeyJkZWtJZCI6IjI2ZWRkYjhiLWVmYTgtNGI1Ni04Yzc1LWE0YTFjNjg0MjA3YiIsImRla1ZlcnNpb24iOjEsIml2IjoiMjl2VWdJc0FMZmVDYmJqcXFoS3pYUT09IiwiY2lwaGVyVGV4dCI6IitKSWlHYzIyUk16V0dFQkNYSlIwbkFPS3Q0VS9RUXlCbGNITVJiMUpyR0dBKzVVdG5iWEJEbVQrNk5MOG50dmx0bithOXljMG54V1hnKzdYSXNlaEZ6WENyY29lc3B6YjI5U0Fpd0F0OTRKdHVPcXFFck5kIiwiYXV0aFRhZyI6IkZaZUQ3dGNpeDZFWE5jS3R5aDZ5bkE9PSJ9&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=CHF8RS5RD8ABJLdLVVal90iKCKVWbHlOkJbUV4ODBxrVwDW8JfLNzpoyCTM4eHAt&m=C2jD1VJrb6JDUrPumSBvw9-pROIN06bRHV6nAILDmX0HsAzD7pa72g4Jvksuk65I&s=CRrDzVX1tR0-WtpVeZioIRFtKD7R7qtFgs9ECqhH8B0&e=__;!!BClRuOV5cvtbuNI!CB_3sUlA34nxBYjj2WMeUYRTwtWQNZ2RaYk1ukVjz_BNM4f863JE6YP3A95JAyOsU7e4lKOTr2Bnsm-JhLpzJCoFqlVLh2dfW8E_osA$>; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software:
* Use principles of least privilege when designing administrative roles.
* Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
* Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
* Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
* Configure access policies to require Multi Admin Approval in Microsoft Intune<https://urldefense.us/v3/__https:/urldefense.proofpoint.com/v2/url?u=https-3A__click.communications.cyber.nj.gov_-3Fqs-3DeyJkZWtJZCI6ImQyZmU0ZDJmLWIwMGItNGMyNS05NzhkLWJlYjcyMDc4MGU1ZSIsImRla1ZlcnNpb24iOjEsIml2IjoiV3NjYTR0QzJUdktONzhzeDZvU3VJdz09IiwiY2lwaGVyVGV4dCI6IjRGZVEyU2RrZ25aY01vM2RwS000ejFNU0p5dENyVkEvblN4TjhhcG56dWplcndFSWRndkNtV1JFZk9HN3IwTWh3Z2J4TzNnSUsydTJFOXhEQnBleUNFMnpoZWdSbFFOYXh4cmkwTFpPOG8zdnl6SHFoSzRqIiwiYXV0aFRhZyI6ImE3WVQzRU1HbDdJSVRiT0Y2QkdWQXc9PSJ9&d=DwMDaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=CHF8RS5RD8ABJLdLVVal90iKCKVWbHlOkJbUV4ODBxrVwDW8JfLNzpoyCTM4eHAt&m=C2jD1VJrb6JDUrPumSBvw9-pROIN06bRHV6nAILDmX0HsAzD7pa72g4Jvksuk65I&s=fUStEMp3_zNA4mZr0myZJgBAdwJc-iFC-oMDTe-Xy7s&e=__;!!BClRuOV5cvtbuNI!CB_3sUlA34nxBYjj2WMeUYRTwtWQNZ2RaYk1ukVjz_BNM4f863JE6YP3A95JAyOsU7e4lKOTr2Bnsm-JhLpzJCoFqlVLh2dfPMoV5gA$>.
* Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.
Additionally, CISA recommends reviewing the resources contained in the alert to strengthen defenses against similar malicious cyber activity.
Reporting
Thank you so much to those of you who have been submitting reports. Sharing information protects everyone and increases awareness.
If anyone observes additional/new traffic, please notify me so that the information can be shared for the benefit of everyone. As mentioned, I will only share what you indicate as shareable.
Respectfully,
Mark Breunig
Alaska Cyber Group
Mobile: 907-795-8150
Email: mark.breunig at alaskacybergroup.org
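The bullet list in the forwarded alert boils down to two checks an Intune administrator can run against their own tenant: which role assignments grant high-impact actions (device wipe, script creation, RBAC changes) across all devices rather than a scoped set, and which Multi Admin Approval policy types are not yet configured. The script below is an added example, not part of the CISA alert or Microsoft's guidance. It works offline on constructed JSON shaped like the Microsoft Graph responses for /deviceManagement/roleDefinitions, /deviceManagement/roleAssignments and the beta /deviceManagement/operationApprovalPolicies collection; the field names, the scopeType enum values and the Microsoft.Intune_*_* resource-action strings are assumptions modelled on that API, and the group ids and role names are made up for the sample.

```python
"""Offline review of Intune RBAC assignments and Multi Admin Approval coverage.

Added example, not part of the CISA alert or Microsoft's guidance. Input is
JSON shaped like the Microsoft Graph responses for roleDefinitions,
roleAssignments and (beta) operationApprovalPolicies; field names, enum
values and resource-action strings are assumptions modelled on that API.
"""
import json

# Actions the alert singles out as high impact: device wipe, scripts, RBAC.
# Names follow the Microsoft.Intune_<Resource>_<Action> convention (assumed).
HIGH_IMPACT_ACTIONS = {
    "Microsoft.Intune_RemoteTasks_Wipe",
    "Microsoft.Intune_Roles_Create",
    "Microsoft.Intune_Roles_Assign",
    "Microsoft.Intune_PowerShellScripts_Create",
}

# scopeType values that mean "every device/user in the tenant" (assumed enum).
TENANT_WIDE_SCOPES = {"allDevices", "allLicensedUsers", "allDevicesAndLicensedUsers"}

# Multi Admin Approval policy types the alert's bullets call for (assumed enum).
REQUIRED_APPROVAL_TYPES = {"deviceAction", "script", "role", "app", "deviceConfiguration"}

# Constructed sample tenant: two role definitions, two assignments, one MAA policy.
SAMPLE = json.loads(r'''
{
  "roleDefinitions": [
    {"id": "rd-helpdesk", "displayName": "Help Desk Operator", "isBuiltIn": true,
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions":
        ["Microsoft.Intune_ManagedDevices_Read", "Microsoft.Intune_RemoteTasks_Sync"]}]}]},
    {"id": "rd-custom", "displayName": "Regional Device Admin", "isBuiltIn": false,
     "rolePermissions": [{"resourceActions": [{"allowedResourceActions":
        ["Microsoft.Intune_ManagedDevices_Read", "Microsoft.Intune_RemoteTasks_Wipe",
         "Microsoft.Intune_PowerShellScripts_Create"]}]}]}
  ],
  "roleAssignments": [
    {"id": "ra-1", "displayName": "Helpdesk - all devices", "roleDefinitionId": "rd-helpdesk",
     "members": ["grp-helpdesk"], "scopeType": "allDevices", "resourceScopes": []},
    {"id": "ra-2", "displayName": "Regional admins - everything", "roleDefinitionId": "rd-custom",
     "members": ["grp-regional"], "scopeType": "allDevices", "resourceScopes": []}
  ],
  "operationApprovalPolicies": [
    {"id": "oap-1", "displayName": "Approve wipes", "policyType": "deviceAction",
     "approverGroupIds": ["grp-approvers"]}
  ]
}
''')


def actions_for_role(role_def):
    """Flatten the nested rolePermissions/resourceActions lists into one set."""
    actions = set()
    for perm in role_def.get("rolePermissions", []):
        for ra in perm.get("resourceActions", []):
            actions.update(ra.get("allowedResourceActions", []))
    return actions


def find_overbroad_assignments(data):
    """Return (assignment id, sorted high-impact actions) for every assignment
    that grants a high-impact action tenant-wide instead of to a scoped set.
    Read-only or scoped assignments are not reported."""
    defs = {d["id"]: d for d in data["roleDefinitions"]}
    findings = []
    for ra in data["roleAssignments"]:
        granted = actions_for_role(defs[ra["roleDefinitionId"]])
        risky = sorted(granted & HIGH_IMPACT_ACTIONS)
        if risky and ra.get("scopeType") in TENANT_WIDE_SCOPES:
            findings.append((ra["id"], risky))
    return findings


def missing_approval_types(data):
    """Multi Admin Approval policy types that have no policy yet, sorted."""
    present = {p.get("policyType") for p in data["operationApprovalPolicies"]}
    return sorted(REQUIRED_APPROVAL_TYPES - present)


def report(data):
    """Human-readable summary; the two functions above carry the results."""
    lines = []
    for assignment_id, actions in find_overbroad_assignments(data):
        lines.append(f"tenant-wide high-impact assignment {assignment_id}: {', '.join(actions)}")
    for policy_type in missing_approval_types(data):
        lines.append(f"no Multi Admin Approval policy for type '{policy_type}'")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

To run it against a real tenant, replace SAMPLE with the three Graph collections fetched with a read-only Intune role; the checks themselves need no write permission, which is the point of reviewing RBAC from a least-privilege account.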