Good Morning Security Gang
Today’s episode is packed with developments that reinforce a major shift in cyber operations. Attackers are increasingly bypassing traditional malware entirely. Instead, they’re abusing legitimate administrative tools, compromised credentials, and trusted infrastructure to conduct destructive attacks, espionage campaigns, and corporate breaches.
We’re diving into the devastating Stryker cyberattack that wiped over 200,000 devices using Microsoft Intune, Iranian hackers exploiting exposed RDP services, Chinese espionage targeting Asian militaries, phishing attacks hitting healthcare technology firms and security executives, supply chain abuse through analytics software, credential theft targeting VPN users, and active exploitation of FTP servers.
Grab your coffee, mine’s a double espresso, coffee cup cheers, Security Gang. Let’s get into it.
Stryker Cyberattack Wipes 200,000 Devices Without Malware
The lead story today centers on the devastating cyberattack against medical technology giant Stryker, where attackers wiped tens of thousands of devices without deploying traditional malware.
Initial reporting suggested this was a classic wiper malware incident. However, new information reveals the attackers instead abused legitimate administrative tools and system privileges, leveraging Microsoft Intune administrative access to trigger device wipe commands across the organization.
This attack represents a growing trend known as “living off the land” techniques, where attackers exploit built-in administrative capabilities such as PowerShell, Active Directory management functions, or endpoint management platforms to carry out destructive operations. Because these tools are legitimate, the activity often appears indistinguishable from normal system administration.
"Here's the bottom line: they were able to get admin logins to Microsoft Intune. They then systematically wiped over 200,000 devices. My director of IT told me, 'Man, this process is going to be a pain.' It is, but it's a necessary pain. Because if someone wipes 200,000 of your devices, that kind of recovery is crippling." James Azar
According to reports, attackers gained administrative access to Stryker’s Intune environment and systematically wiped more than 200,000 managed devices, creating massive operational disruption across the healthcare technology supply chain.
Healthcare infrastructure is particularly vulnerable to these types of attacks because device availability directly impacts medical operations. The scale and speed of this incident demonstrate how identity compromise combined with administrative tools can cripple an enterprise overnight.
Security leaders should implement multi-approval workflows for destructive administrative actions, monitor privileged access activity, and deploy behavioral monitoring to detect abnormal administrative operations.
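The two controls above (an approval step for destructive actions and behavioral monitoring of privileged activity) can be checked against an endpoint-management audit trail. The following is an added example, not code from the episode or from Microsoft; the event fields, actor names and device ids are constructed assumptions and do not reflect the real Intune export format. It flags any wipe that carries no approval ticket, and separately flags a single identity issuing an abnormal burst of wipes inside a short window, which is the pattern a bulk wipe from a compromised admin login would produce.

```python
"""Flag bulk destructive actions in an endpoint-management audit log.

Added example: the event fields (time, actor, op, device, ticket), the actor
names and the device ids are constructed assumptions for illustration, not
the export format of Intune or any other product.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Operations that destroy or detach a managed device (assumed names).
DESTRUCTIVE_OPS = {"Wipe", "Retire", "Delete"}


def _constructed_events():
    """Build a small constructed audit log: one approved helpdesk wipe and
    a burst of unapproved wipes from a single admin identity."""
    events = [
        {"time": "2024-01-10T08:00:00", "actor": "helpdesk@corp.example",
         "op": "Sync", "device": "LAPTOP-0001"},
        {"time": "2024-01-10T08:05:00", "actor": "helpdesk@corp.example",
         "op": "Wipe", "device": "LAPTOP-0002", "ticket": "CHG-1001"},
    ]
    start = datetime(2024, 1, 10, 9, 0, 0)
    for i in range(8):
        events.append({
            "time": (start + timedelta(seconds=20 * i)).isoformat(),
            "actor": "intune-admin-7@corp.example",
            "op": "Wipe",
            "device": f"LAPTOP-{100 + i:04d}",
        })
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_wipe_abuse(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for two behaviors:
    - any destructive action with no approval ticket attached (the
      multi-approval control), and
    - more than `threshold` destructive actions by one actor inside
      `window` (the behavioral control), reported once per burst.
    """
    recent = defaultdict(deque)   # actor -> timestamps of recent destructive ops
    in_burst = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["op"] not in DESTRUCTIVE_OPS:
            continue
        ts = datetime.fromisoformat(ev["time"])
        actor = ev["actor"]
        if not ev.get("ticket"):
            alerts.append({"rule": "unapproved_destructive_action",
                           "actor": actor, "device": ev["device"], "time": ev["time"]})
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps outside the sliding window
            q.popleft()
        if len(q) > threshold:
            if actor not in in_burst:
                in_burst.add(actor)
                alerts.append({"rule": "destructive_action_burst", "actor": actor,
                               "count": len(q), "first": q[0].isoformat(),
                               "last": ts.isoformat()})
        else:
            in_burst.discard(actor)
    return alerts


def summarize(alerts):
    """Count alerts by rule name."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for alert in detect_wipe_abuse(SAMPLE_EVENTS):
        print(alert)
    print(summarize(detect_wipe_abuse(SAMPLE_EVENTS)))
```

On the constructed log the helpdesk wipe is silent because it carries a ticket and is alone in its window, while the admin identity produces eight unapproved-action alerts and a single burst alert the moment its sixth wipe lands inside ten minutes. The threshold and window are deliberately parameters: a real deployment would tune them to the organization's normal retire-and-reimage volume, and would feed the burst alert into a control that suspends the session rather than merely logging it.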
Iranian Hackers Exploit Remote Desktop to Access Networks
Following the Stryker attack, researchers also observed the pro-Iranian hacking group Handala exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to corporate networks.
RDP continues to be one of the most abused entry points in cyber operations because many organizations still expose remote access services directly to the internet for convenience.
Once attackers gain RDP access, they can move laterally across the network, escalate privileges, and execute destructive or espionage operations. This pattern has appeared repeatedly across ransomware campaigns and state-aligned cyber attacks.
The group has reportedly conducted operations targeting organizations in Israel, Albania, and the United States, and researchers believe the attackers are linked to the Iranian Ministry of Justice.
Organizations should restrict RDP access behind VPN gateways or Zero Trust remote access platforms to prevent direct internet exposure of administrative services.
China Conducts Long-Term Espionage Against Asian Militaries
While Iran’s operations appear disruptive and destructive, China’s cyber strategy continues to focus on long-term intelligence gathering.
Researchers uncovered a sustained espionage campaign conducted by Chinese state-linked hackers targeting military organizations across Asia. Unlike destructive cyberattacks, these campaigns prioritize stealth and persistence, quietly infiltrating defense networks to gather intelligence over extended periods.
The operation, tracked as CL-STA-1087, reflects China’s broader cyber doctrine of strategic intelligence collection to support geopolitical planning and military development.
These campaigns can remain undetected for months or even years, allowing attackers to harvest sensitive communications, operational data, and strategic planning documents.
Defense organizations and contractors must prioritize continuous threat hunting, behavioral monitoring, and supply chain security to detect long-term infiltration attempts.
“The line between cybercrime, espionage, and cyber warfare is disappearing faster than most organizations are ready for.” James Azar
Phishing Attack Hits Intuitive Surgical
Medical technology company Intuitive Surgical, known for its robotic surgical platforms, disclosed a cyberattack tied to phishing.
Phishing remains one of the most effective attack vectors despite decades of training and awareness campaigns. With the rise of AI-generated phishing emails, attackers can now craft extremely convincing messages capable of fooling even experienced users.
In this case, attackers likely compromised employee credentials through phishing, allowing access to internal corporate systems.
Healthcare technology companies are particularly attractive targets because they store intellectual property, operational data, and sensitive healthcare information.
Organizations should move toward phishing-resistant authentication mechanisms, including FIDO-based authentication technologies that reduce reliance on passwords and SMS verification methods.
ShinyHunters Linked to Talus Digital Breach
The financially motivated cybercrime group ShinyHunters has been linked to another breach, this time involving Talus Digital.
ShinyHunters has built a reputation for high-profile data theft operations, often targeting cloud platforms and enterprise environments to steal large datasets. These datasets are typically used for extortion or sold on underground cybercrime forums.
The Talus breach highlights the ongoing strength of financially motivated cybercrime groups operating alongside nation-state actors.
Organizations should deploy data loss prevention monitoring and identity visibility across cloud platforms to detect large-scale data exfiltration attempts.
UK Business Registry Exposes Company Data
A vulnerability discovered in the United Kingdom’s Companies House registry exposed business registration data associated with millions of companies.
Corporate registry platforms contain extensive information about organizations, including executive identities, corporate filings, and financial disclosures. When exposed, this data can be weaponized for fraud, identity theft, and targeted phishing campaigns.
The breach highlights how government databases can become valuable intelligence sources for cybercriminals.
Mitigation requires strict validation controls for bulk data access and monitoring of unusual data extraction activity.
Security Executive Targeted in Sophisticated Phishing Campaign
In an unusual twist, attackers targeted a senior executive at a Swedish cybersecurity company using a sophisticated phishing campaign impersonating JPMorgan.
The phishing email included domain authentication signatures that allowed it to pass DMARC checks and used a legitimate Cisco infrastructure redirect link to bypass email security filters.
By abusing trusted infrastructure, attackers increased the credibility of the message and improved its chances of bypassing corporate email defenses.
Executive accounts remain highly attractive targets because they often have elevated privileges and strategic visibility into corporate operations.
Organizations should enforce separate administrative accounts and enhanced monitoring for executive identities to reduce the risk of privileged account compromise.
Supply Chain Attack Abuses AppsFlyer SDK
Researchers also uncovered a supply chain attack involving the AppsFlyer Web SDK, where attackers injected cryptocurrency-stealing JavaScript into analytics tools used by websites.
By embedding malicious code inside legitimate third-party scripts, attackers were able to steal sensitive information from visitors to compromised websites.
This incident demonstrates how third-party dependencies can introduce hidden security risks within web applications.
Organizations should deploy Content Security Policies (CSP) restricting unauthorized script execution to mitigate third-party script abuse.
VPN Credential Theft Campaign Targets Remote Workers
A new campaign targeting VPN users is attempting to steal login credentials through phishing pages that mimic legitimate VPN login portals.
Because VPN credentials often grant direct access to corporate networks, attackers frequently target remote access platforms to bypass perimeter defenses.
"A lot of people ask if I like hardware security keys. My answer is no, because they're not really feasible in terms of scaling. They're just not convenient for the user. If the user loses it and they're locked out, your whole rule goes out the door. No one's going to lose business because someone forgot their YubiKey somewhere. We've got to find better authentication mechanisms." James Azar
Organizations should deploy device-based authentication controls and contextual access policies to prevent unauthorized VPN access.
CISA Warns of Active Wing FTP Server Exploitation
CISA issued an alert warning that vulnerabilities in Wing FTP Server are actively being exploited.
FTP servers frequently host sensitive corporate files and internal data transfers, making them valuable targets for attackers seeking initial network footholds.
Organizations should restrict FTP services to internal networks whenever possible and apply security updates immediately to prevent exploitation.
EU Court Overturns Amazon’s $858M GDPR Fine
In a significant legal development, a Luxembourg court overturned the $858 million GDPR fine previously imposed on Amazon.
The ruling could reshape how GDPR enforcement actions are interpreted across Europe and may influence future regulatory enforcement related to privacy compliance.
Companies operating in Europe are watching this decision closely, as it could affect how regulators approach enforcement of data protection regulations.
Key Action Items for Security Teams
Implement multi-approval workflows for destructive administrative actions
Monitor privileged administrative activity in identity management platforms
Restrict RDP access behind VPN or Zero Trust gateways
Deploy continuous threat hunting for espionage activity
Implement phishing-resistant authentication mechanisms
Monitor data exfiltration across cloud environments
Enforce strict validation controls for government and registry databases
Deploy content security policies to prevent third-party script abuse
Implement device-based authentication for VPN access
Restrict and patch FTP servers immediately
James Azar’s CISO Take
When I look across today’s stories, the biggest takeaway is that cyber attacks are evolving beyond traditional malware. The Stryker attack is a perfect example. Instead of writing sophisticated malware, attackers simply used the tools already built into the environment. Identity compromise combined with administrative privileges can now be more destructive than any piece of malicious code.
At the same time, we’re watching the global cyber battlefield expand. Iran is executing disruptive operations, China is conducting long-term espionage, and financially motivated cybercriminals continue targeting enterprises for data theft. For defenders, the fundamentals remain the same: protect identity systems, monitor administrative activity, hunt for abnormal behavior, and never assume that legitimate tools cannot be weaponized.
Stay vigilant, Security Gang, and most importantly, stay cyber safe.