Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.

The FBI seizes Handala's leak site after an Iranian-linked cyber campaign hits Stryker. CISA and Microsoft warn: lock down Intune admin controls. Apple urges iPhone users to update after active hacking campaigns. And the North Korean IT worker infiltration keeps growing despite years of warnings. This is Cybersecurity Today. I'm your host, Jim Love.

The FBI has seized the data leak site used by the hacktivist group Handala, taking down a key piece of infrastructure used to publish stolen data and pressure victims. A law enforcement notice has replaced the site, confirming the takedown. If that name sounds familiar, it should. Handala is the Iran-linked group widely reported to be behind the recent cyber attack on the US medical technology giant Stryker. In that attack, the group compromised a Windows domain administrator account and then created a new global administrator account to maintain control. From there, they used Microsoft Intune to issue a remote wipe command, factory resetting roughly 80,000 devices. That included any device managed by Intune: corporate systems and possibly employee-owned devices enrolled in company management. What makes this group different is how it blends tactics. This isn't just ransomware. Handala combines destructive actions like mass device wiping with data theft, and then uses leak sites to publish or threaten exposure. The leak site becomes an extortion tool and a messaging platform, and that's what makes this takedown significant. Although this is timely, chances are it's the result of months of painstaking, detailed work, often by a combination of agencies. Seizing a leak site like this requires tracking infrastructure, identifying hosting and coordinating across jurisdictions to dismantle how the group operates. Recent geopolitical activities are affecting cyber operations, and they're now hitting private sector supply chains, including health care and potentially others.

CISA, the Cybersecurity and Infrastructure Security Agency, has issued a warning urging organizations to secure their Microsoft Intune environments, highlighting just how critical identity and device management systems have become in these modern attacks. And following up on that, in the wake of the Stryker breach, both CISA and Microsoft are now warning organizations to tighten control over their Intune environments. Microsoft published new guidance within days of the incident, which attackers claimed involved the theft of roughly 50 terabytes of data before using Intune's built-in wipe capability to reset nearly 80,000 devices in the early hours of March 11th. And yes, you may have heard these recommendations before, but they do bear repeating. The core issue is privilege. CISA is urging organizations to adopt a strict least privilege model for administrative roles, including role-based access control, so that no administrator has more access than absolutely necessary. They're also calling for strong enforcement of multi-factor authentication and tighter privileged access controls through Microsoft Entra ID, including conditional access and risk-based signals. And there's a structural shift being recommended. Sensitive actions like device wipes, application updates, or changes to access controls should require approval from more than one administrator. That's a direct response to what happened here. A single compromised admin pathway enabled massive operational damage. Microsoft summed it up this way: when combined, these practices help you shift from relying on trusted administrators toward building a more protected administration by design. The takeaway is simple. Identity and device management systems are now high-value targets, and if they're compromised, they can be turned into the tools of the attack itself.

Apple is warning iPhone users to update their devices after fixing security flaws that were actively exploited in targeted hacking campaigns. The vulnerabilities were addressed in a recent update, but many users may still not have installed it. The company describes these attacks as extremely sophisticated, typically aimed at specific individuals. These kinds of flaws are often used in spyware campaigns, where attackers can gain deep access to a device without the user knowing. Now, many managed corporate devices have likely already been updated, but there's still a lingering perception, with users in particular, that Apple devices are rarely, if ever, targeted. Some security experts dispute this, arguing there are more attacks than most people realize. But this matters, especially for anyone with access to sensitive or competitive information. This came to mind during a conversation I had with a CIO who pointed out that a simple but real risk is people pulling out their iPhones to take pictures of confidential material. If that device is compromised, that information may not stay private for long. So even if you think you're not a target, keeping your Apple device updated is one of the simplest and most effective protections you have. And for those who are worried because they've read bad stuff in the press about Liquid Glass, Apple has improved it a lot. It's quite manageable. You might even like it.

Security researchers at Flare have released new research on a problem that doesn't seem to go away: North Korean operatives infiltrating Western companies by posing as remote IT workers. The model is straightforward, and that's part of the problem. Individuals use stolen or fabricated identities to apply for remote jobs, often passing interviews and onboarding. Once inside, they operate as legitimate employees, generating income for the North Korean regime and, in some cases, gaining access to sensitive systems or data. Investigations have shown that some of these workers operate in coordinated groups, sharing infrastructure and identities to scale the operation. What Flare's research makes clear is that this isn't slowing down. Despite repeated warnings from law enforcement and security agencies, the model continues to succeed because it exploits normal business processes. Remote hiring, global talent pools, and rapid onboarding often mean identity verification isn't as strong as companies think. And once hired, access is frequently granted broadly enough to let an attacker do real damage. The uncomfortable reality is that hiring itself has become part of the attack surface. This isn't just an insider threat, it's an imported one, although introduced through perfectly legitimate channels. We and others have covered this extensively, but the problem still grows. Full disclosure: we don't get any funding from Flare, and not because we don't accept sponsors. We do, but we would identify them. But one of their senior researchers, Tammy Harper, is a friend and a frequent guest on our program, and I have a lot of time for their excellent research. And so while we don't recommend vendors, we do recommend that you might want to share this research with a friend. I promise to put the link in the show notes at technewsday.com; just look under Podcasts, or on YouTube under the video. And while you're sharing something, why not tell your friends about Cybersecurity Today? The reason you know about North Korea is probably that you're listening to us. We're on Apple, Spotify, YouTube, wherever you get your podcasts.

And that's our show. And before we get away, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and even run support. It's a single integrated solution that scales from branch offices to warehouses and large campuses to data centers. Book a demo at meter.com CST. I'm your host, Jim Love. Thanks for listening.
