What I Would Do If I Was Stryker
- Patrick Duggan
- Mar 17
- 3 min read
Updated: Apr 25
Day Seven. Still Restoring.
200,000 devices wiped. 50TB exfiltrated. 79 countries. A nation-state used Stryker's own Microsoft Intune MDM to do it.
I'm not here to pile on. Everyone gets breached. The question is what you do before, during, and after.
Here's what I'd do.
1. MDM Is a Weapon. Treat It Like One.
The Handala group didn't bring their own tools. They walked in through the front door and used Intune to wipe 200,000 devices simultaneously.
That's not a vulnerability in Intune. That's a privilege design problem.
The fix: No single account or service principal should be able to wipe every device in 79 countries on the strength of its own credential alone. Scope the Intune RBAC roles and scope tags so that no one identity covers the whole fleet, and put the roles that can issue remote actions behind just-in-time activation with an approver: Entra PIM, or CyberArk or BeyondTrust in the approval chain. The bulk actions (wipe, retire, reset) are what to gate: a request that touches more than 100 devices pauses for a human review before execution. Intune has no built-in threshold of that kind, so the gate has to live in the PAM layer or in whatever automation actually issues the Graph calls, and the same threshold belongs in the SIEM as an alarm in case someone goes around the gate.
This is not exotic. This is the same logic as requiring dual authorization for a wire transfer over $10,000.
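Put concretely, as an added example in Python (not Stryker's or Microsoft's code): the first function sweeps Intune-style audit events for one identity issuing more than 100 destructive actions in a short window, which is the alarm that should have fired; the second is the dual-control gate itself, refusing a bulk request above the threshold unless a second, distinct person has approved it. The event fields and action names are simplified stand-ins for the real Intune audit schema, the 100-device threshold is the post's number, the 15-minute window is assumed, and the sample events are constructed.

```python
"""Added example (not Stryker's or Microsoft's code): alarm on bulk destructive
MDM actions and gate them behind a second approver.

Assumptions: audit events are dicts with actor/action/device_id/timestamp
(a simplified stand-in for the Intune audit log schema), action names are
illustrative, the 100-device threshold is the post's, the 15-minute window
is assumed, and the sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = {"wipe", "retire", "factoryReset"}   # illustrative action names
BULK_THRESHOLD = 100
WINDOW = timedelta(minutes=15)


def bulk_destructive_actions(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Return {actor: peak_count} for every actor whose destructive actions,
    counted over any sliding window of `window` length, exceed `threshold`."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in DESTRUCTIVE:
            per_actor[ev["actor"]].append(datetime.fromisoformat(ev["timestamp"]))
    offenders = {}
    for actor, stamps in per_actor.items():
        stamps.sort()
        peak = lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:      # slide the left edge forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            offenders[actor] = peak
    return offenders


def authorize_bulk_action(request, threshold=BULK_THRESHOLD):
    """Dual-control gate for a single bulk request. Returns (allowed, reason).
    Above the threshold a destructive action needs an approver who is a
    different identity from the requester; otherwise it is refused."""
    n = len(request["device_ids"])
    if request["action"] not in DESTRUCTIVE or n <= threshold:
        return True, "below threshold"
    approver = request.get("approver")
    if not approver:
        return False, f"{n} devices: second approval required"
    if approver == request["requester"]:
        return False, "approver must differ from requester"
    return True, f"approved by {approver}"


def sample_events():
    """Constructed audit trail: one automation identity wipes 150 devices in
    150 seconds; a human retires 3 devices over an hour; one unrelated sync."""
    base = datetime(2026, 1, 1, 2, 0, 0)   # arbitrary constructed timestamp
    events = [{"actor": "svc-intune-automation", "action": "wipe",
               "device_id": f"dev-{i:04d}",
               "timestamp": (base + timedelta(seconds=i)).isoformat()}
              for i in range(150)]
    events += [{"actor": "alice", "action": "retire", "device_id": f"old-{i}",
                "timestamp": (base + timedelta(minutes=20 * i)).isoformat()}
               for i in range(3)]
    events.append({"actor": "bob", "action": "sync", "device_id": "dev-9999",
                   "timestamp": base.isoformat()})
    return events


if __name__ == "__main__":
    print(bulk_destructive_actions(sample_events()))
    print(authorize_bulk_action({"action": "wipe", "requester": "svc-intune-automation",
                                 "device_ids": [f"dev-{i:04d}" for i in range(150)]}))
```

The alarm is after the fact; the gate is what prevents the wipe. Note that per-actor counting is defeated by spreading the action across several identities, so a real deployment also counts destructive actions tenant-wide.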
2. Take the Dev Surface Offline. All 99 of Them.
Shodan shows 99 dev, QA, and staging environments under robotics-rd.stryker.com resolving publicly. Surgical robotics R&D. Joint replacement systems. Identity portals.
None of that should be on the internet.
The fix: VPN-only access for all non-production environments. No exceptions for developer convenience. If your CI/CD pipeline needs external access, give it a service account through a bastion — not a public DNS record that any scanner can enumerate in thirty seconds.
The attack surface you don't know about is the attack surface that kills you.
3. Patch the VDI. You Have Six Days.
eastus1-avs-test.vdi.stryker.com is an Omnissa Horizon virtual desktop gateway, internet-facing, test environment. CVE-2021-22054 in Omnissa Workspace One UEM is on the CISA Known Exploited Vulnerabilities list, with a mandatory patch deadline of March 23. Horizon and Workspace ONE UEM are different Omnissa products, so the first check is whether that gateway, or anything behind the same front door, actually runs UEM; if it does, the KEV clock applies. The deadline is binding on US federal agencies under BOD 22-01; everyone else should treat it as the bar, not a suggestion.
Six days.
Post-breach, with Iran actively targeting your infrastructure, a public-facing VDI with an unpatched KEV is not a theoretical risk. It's a scheduled appointment.
The fix: Patch it today. If you can't patch it today, take it offline until you can.
4. Isolate Vocera. It's Clinical.
uksecurelink.vocera.com resolves to the same IP as uksecurelink.stryker.com. Vocera is the clinical communications platform: nurses, surgeons, ORs. A shared address can mean a shared load balancer or CDN edge rather than a shared server, but either way the clinical front door sits on the same corporate infrastructure, with the same operators, the same identity plane and the same failure modes.
When the corporate environment burned, Vocera was in the blast radius.
The fix: Clinical communications gets its own network segment, its own cloud accounts, its own identity infrastructure. Full stop. The risk model for a nurse calling a surgeon is not the same as the risk model for a marketing portal.
5. QA Environments Do Not Have Login Pages on the Internet.
endopmo-qa.stryker.com — Endoscopy PMO, QA environment — is publicly accessible. No VPN. Apache on AWS. Login page visible to anyone with a browser.
QA environments have real data. Anonymization is inconsistently applied at most organizations. If your QA environment has a subset of production records — and it almost certainly does — it has patient data.
The fix: Move it behind VPN. Today.
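Items 2, 3 and 5 are the same check run over an external asset list, so here is one added example in Python that does all three (it is not Stryker's tooling): classify each hostname as production or non-production from its labels, decide whether its address is internet-facing, look up any known CVEs against a CISA KEV excerpt, and rank the hosts worst first with the number of days left before the KEV due date. Hostnames other than the ones the post names are hypothetical, every address is an RFC 5737 or RFC 1918 placeholder, the KEV entry copies the CVE the post cites with its stated March 23 due date (year assumed), and the CVE-to-host mapping is the post's assertion, not something verified here.

```python
"""Added example (not Stryker's own tooling): triage an external DNS inventory
for non-production hosts with public addresses, internet-facing hosts carrying
a CISA KEV entry, and days remaining before the KEV due date.

Assumptions: hostnames other than the ones the post names are hypothetical;
all IPs are RFC 5737 / RFC 1918 placeholders; the KEV entry copies the CVE the
post cites with its stated March 23 due date (year assumed); the CVE-to-host
mapping is the post's assertion, not verified here."""
import ipaddress
import re
from datetime import date

# Environment tokens that mark a host as non-production.
NONPROD = re.compile(r"(?<![a-z])(dev|qa|stag(?:e|ing)|test|uat|sandbox)(?![a-z])")

# Anything outside these ranges is treated as internet-facing. (Python's own
# is_private() also flags the RFC 5737 documentation ranges used below as
# placeholders, which is why this list is explicit.)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

INVENTORY = {  # hostname -> resolved address (constructed placeholders)
    "eastus1-avs-test.vdi.stryker.com": "203.0.113.10",
    "endopmo-qa.stryker.com": "203.0.113.20",
    "dev01.robotics-rd.stryker.com": "203.0.113.30",   # hypothetical child host
    "uksecurelink.stryker.com": "203.0.113.40",
    "build.corp.internal": "10.20.30.40",              # hypothetical, private
}
CVES_BY_HOST = {"eastus1-avs-test.vdi.stryker.com": ["CVE-2021-22054"]}  # per the post
KEV = {"vulnerabilities": [   # constructed excerpt in the KEV JSON field layout
    {"cveID": "CVE-2021-22054", "vendorProject": "VMware",
     "product": "Workspace ONE UEM", "dueDate": "2026-03-23"},
]}


def environment(hostname):
    """'nonprod' if any label carries a dev/qa/staging/test/uat/sandbox token."""
    return "nonprod" if NONPROD.search(hostname.lower()) else "prod"


def is_internet_facing(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def triage(inventory, cves_by_host, kev, today):
    """Return one row per host, worst first: exposed hosts with a KEV entry,
    then exposed non-production hosts, then everything else."""
    due = {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in kev["vulnerabilities"]}
    rows = []
    for host, ip in inventory.items():
        exposed = is_internet_facing(ip)
        env = environment(host)
        kev_hits = sorted((due[c], c) for c in cves_by_host.get(host, ()) if c in due)
        days_left = (kev_hits[0][0] - today).days if kev_hits else None
        if exposed and kev_hits:
            action = "patch now or pull offline"
        elif exposed and env == "nonprod":
            action = "move behind VPN"
        elif exposed:
            action = "confirm it belongs on the internet"
        else:
            action = "ok"
        rows.append({"host": host, "env": env, "internet_facing": exposed,
                     "kev": [c for _, c in kev_hits],
                     "days_to_kev_deadline": days_left, "action": action})
    rows.sort(key=lambda r: (not r["internet_facing"], not r["kev"],
                             r["env"] != "nonprod", r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(INVENTORY, CVES_BY_HOST, KEV, date(2026, 3, 17)):
        print(row)
```

Feed it the real CISA KEV JSON and a resolved export of your public zone and the output is the worklist for the week; the hostname classifier is deliberately crude, since the point is that anything it catches should not have been resolvable in the first place.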
6. The Wiper Was Named CrowdStrike.bin
Handala named their wiper CrowdStrike.bin.
They knew the filename would be trusted by endpoint controls trained to allow CrowdStrike processes. They knew your environment well enough to pick the right camouflage. The name only buys anything against controls that exclude by file name or path; a control that trusts the signer or the hash does not care what the file is called, and a binary named after your EDR vendor with no valid signature from that vendor should be an alert in its own right.
That's reconnaissance. That's patient, deliberate pre-positioning. That didn't happen in a day.
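The detection that turns the camouflage against them, as an added example in Python (not CrowdStrike's, Stryker's or the post author's code): any file or process whose name trades on a trusted vendor's brand is checked for the two things that actually establish trust, a valid signature from that vendor and a location under the vendor's install root. The expected signer subject and install root are placeholders rather than verified vendor values, and the telemetry is a constructed EDR-style sample that includes the post's CrowdStrike.bin.

```python
"""Added example (not CrowdStrike's or Stryker's code): flag files and processes
whose name borrows a trusted vendor's brand but which fail the checks that
actually establish trust, a valid signature from that vendor and a location
under its install root.

Assumptions: the expected signer subject and install root are placeholders,
not verified vendor values; the events are a constructed EDR-style sample."""
import os

TRUSTED = {   # name token -> what a genuine binary of that vendor must satisfy
    "crowdstrike": {"signer": "CrowdStrike, Inc.",          # assumed subject
                    "roots": (r"C:\Program Files\CrowdStrike",)},
}

EVENTS = [  # constructed process-start / file-write telemetry
    {"image": r"C:\Program Files\CrowdStrike\CSFalconService.exe",
     "signer": "CrowdStrike, Inc.", "signature_valid": True},
    {"image": r"C:\Windows\Temp\CrowdStrike.bin",          # the post's wiper name
     "signer": None, "signature_valid": False},
    {"image": r"C:\Users\j.doe\Downloads\crowdstrike-update.exe",
     "signer": "Contoso Ltd", "signature_valid": True},
    {"image": r"C:\Windows\System32\svchost.exe",
     "signer": "Microsoft Windows", "signature_valid": True},
]


def vendor_token(image_path):
    """Which trusted vendor, if any, the file name is trading on."""
    name = os.path.basename(image_path.replace("\\", "/")).lower()
    return next((t for t in TRUSTED if t in name), None)


def under_root(image_path, roots):
    path = image_path.lower()
    return any(path.startswith(root.lower() + "\\") for root in roots)


def impostors(events):
    """Return [{"image", "reasons"}] for every event that invokes a trusted
    vendor's name without that vendor's valid signature, or from outside the
    vendor's install root. A clean vendor binary produces no entry."""
    flagged = []
    for ev in events:
        token = vendor_token(ev["image"])
        if token is None:
            continue
        want = TRUSTED[token]
        reasons = []
        seen = ev.get("signer") or "none"
        if not ev.get("signature_valid") or ev.get("signer") != want["signer"]:
            reasons.append(f"signer {seen!r}, expected valid {want['signer']!r}")
        if not under_root(ev["image"], want["roots"]):
            reasons.append("outside vendor install root")
        if reasons:
            flagged.append({"image": ev["image"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in impostors(EVENTS):
        print(hit)
```

The inverse rule matters just as much: if an EDR exclusion in your environment is keyed on a name or a folder rather than a signer or a hash, it is an allowlist for whoever picks that name next.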
The fix: Threat intelligence that detects adversary infrastructure before they're inside the perimeter. The IOCs for Handala/Void Manticore were available. MOIS infrastructure has been documented. If your SIEM had been pulling those feeds, the C2 callback would have fired an alert before the wiper ran.
We had those IOCs. They're in our STIX feed. They were there before March 11.
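What "pulling those feeds" has to look like inside the SIEM, as an added example in Python (this is not the DugganUSA feed's format or code, and the indicators in it are not real ones): the simple equality indicators are lifted out of a STIX 2.1 bundle, then proxy telemetry is run through them so that a callout to a listed address or domain produces a hit with the source machine attached. The bundle, its IDs and values (RFC 5737 addresses, .example domains) and the log lines are all constructed; only single and OR-joined equality patterns are flattened, and AND-joined patterns are reported as unsupported rather than half-matched.

```python
"""Added example (not the DugganUSA feed's format or code): pull the simple
equality indicators out of a STIX 2.1 bundle and run proxy telemetry through
them.

Assumptions: the bundle, its IDs and values (RFC 5737 addresses, .example
domains) and the proxy log lines are all constructed; only [x = 'v'] and
OR-joined equality patterns are flattened, conjunctions are reported as
unsupported rather than silently half-matched."""
import json
import re

STIX_BUNDLE = json.loads(r'''
{
  "type": "bundle",
  "id": "bundle--6b7b6d0e-4a0c-4a1e-9b6a-1b2c3d4e5f60",
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--0a1b2c3d-1111-4222-8333-444455556666",
     "created": "2026-03-01T00:00:00.000Z", "modified": "2026-03-01T00:00:00.000Z",
     "name": "sample C2 address", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.66']",
     "valid_from": "2026-03-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--0a1b2c3d-2222-4222-8333-444455556666",
     "created": "2026-03-01T00:00:00.000Z", "modified": "2026-03-01T00:00:00.000Z",
     "name": "sample C2 domains", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update-cdn.example' OR domain-name:value = 'telemetry-sync.example']",
     "valid_from": "2026-03-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--0a1b2c3d-3333-4222-8333-444455556666",
     "created": "2026-03-01T00:00:00.000Z", "modified": "2026-03-01T00:00:00.000Z",
     "name": "sample conjunction", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.77' AND network-traffic:dst_port = 8443]",
     "valid_from": "2026-03-01T00:00:00Z"}
  ]
}
''')

COMPARISON = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']*)'")


def indicators(bundle):
    """Flatten simple equality patterns into {(type, value): indicator_id}.
    Returns (iocs, unsupported_ids). AND-joined patterns need both halves
    true of one observation, so they are not flattened into single matches."""
    iocs, unsupported = {}, []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        pairs = COMPARISON.findall(obj["pattern"])
        if " AND " in obj["pattern"] or not pairs:
            unsupported.append(obj["id"])
            continue
        for typ, value in pairs:
            iocs[(typ, value.lower())] = obj["id"]
    return iocs, unsupported


# Constructed proxy log: timestamp, source, destination IP, port, TLS SNI.
PROXY_LOG = """\
2026-03-10T22:14:05Z 10.8.3.21 203.0.113.66 443 update-cdn.example
2026-03-10T22:14:09Z 10.8.3.21 198.51.100.7 443 www.example.com
2026-03-10T22:15:40Z 10.8.7.9 198.51.100.8 443 telemetry-sync.example
"""


def match_proxy_log(log_text, iocs):
    """Return one hit per (line, indicator type) whose destination IP or SNI
    is in the indicator set, with the source host so the responder knows
    which machine called out."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ts, src, dst, _port, sni = line.split()
        for key in (("ipv4-addr", dst), ("domain-name", sni.lower())):
            if key in iocs:
                hits.append({"line": lineno, "time": ts, "src": src,
                             "type": key[0], "value": key[1], "indicator": iocs[key]})
    return hits


if __name__ == "__main__":
    iocs, skipped = indicators(STIX_BUNDLE)
    print(f"{len(iocs)} flat indicators, {len(skipped)} unsupported patterns")
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print(hit)
```

A production matcher would also honour valid_from/valid_until and revoked on each indicator, and would keep the indicator id on the alert so the analyst can pull the feed's context for it; dropping a feed's values into a flat lookup table loses both.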
The Uncomfortable Part
None of this is exotic. MDM dual-authorization, staging environments off the internet, patching KEVs before the deadline, network segmentation for clinical systems.
These are checkboxes. The checklist exists. The problem is the gap between knowing and doing — between the architecture document and the production environment.
Iran didn't find a zero-day in Stryker's code. They found the gap.
If You're Running Intune, Defender, and CrowdStrike
And you want to know if the threat actors targeting Stryker are targeting you — our STIX feed has the Handala C2 infrastructure, the MOIS IP ranges, and the IOCs from the wiper analysis.
If you're pulling our feed and any of those indicators hit your telemetry, you'll know before it's day seven.
analytics.dugganusa.com/stix/pricing
Code NOTAFAKE for 20% off.