{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-wipe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Intune"],"_cs_severities":["critical"],"_cs_tags":["cloud","microsoft-intune","data-wipe","impact"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the potential abuse of the \u0026quot;wipe ManagedDevice\u0026quot; action within Microsoft Intune. An attacker who has gained unauthorized access to an Intune tenant may attempt to perform a large-scale device wipe. This action factory resets devices connected to the targeted Microsoft Intune tenant, leading to significant data loss and disruption. The technique has been observed in real-world incidents, such as the Stryker data breach, highlighting the potential for devastating impact. Defenders should monitor for unusual spikes in device wipe activity to identify potential malicious behavior. This brief provides guidance for detection and response to mitigate the risk of a bulk device wipe attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a Microsoft Intune tenant, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal and navigates to the Microsoft Intune admin center.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u0026quot;Devices\u0026quot; section within the Intune portal.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the \u0026quot;wipe ManagedDevice\u0026quot; action on multiple devices simultaneously or in rapid succession.\u003c/li\u003e\n\u003cli\u003eIntune audit logs record the \u0026quot;wipe ManagedDevice\u0026quot; events, including the user identity, timestamps, and target devices.\u003c/li\u003e\n\u003cli\u003eThe devices targeted by the wipe command begin the factory reset process, erasing all data and settings.\u003c/li\u003e\n\u003cli\u003eUsers of the wiped devices experience data loss and are unable to access corporate resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective of disrupting business operations and potentially causing financial harm to the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bulk device wipe can result in significant data loss, business disruption, and financial damage. The incident affecting Stryker serves as a prime example of the potential consequences, impacting numerous devices and requiring extensive recovery efforts. Organizations in all sectors are vulnerable, particularly those heavily reliant on mobile devices for business operations. A successful attack can lead to complete loss of data on wiped devices, impacting productivity and potentially exposing sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Microsoft Intune Bulk Device Wipe\u0026quot; to your SIEM and tune the threshold (currently 5 wipes per hour) according to your environment's baseline activity.\u003c/li\u003e\n\u003cli\u003eConfigure Azure Monitor Activity logging for Intune and ensure proper ingestion into your SIEM to enable the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the \u0026quot;wipe ManagedDevice\u0026quot; actions and the identity of the user initiating them.\u003c/li\u003e\n\u003cli\u003eReview and enforce multi-factor authentication (MFA) policies for all administrator accounts with access to the Microsoft Intune portal.\u003c/li\u003e\n\u003cli\u003eImplement role-based access control (RBAC) to limit the number of users with permissions to perform device wipe actions.\u003c/li\u003e\n\u003cli\u003eDevelop and regularly test incident response plans for data wiping events, including procedures for data recovery and business continuity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-intune-bulk-wipe/","summary":"A high volume of 'wipe ManagedDevice' events from the Intune admin portal within a short period (5+ per hour) indicates a potential large-scale data wiping attack against managed endpoints.","title":"Microsoft Intune Bulk Device Wipe Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-intune-bulk-wipe/"}],"language":"en","title":"CraftedSignal Threat Feed - Data-Wipe","version":"https://jsonfeed.org/version/1.1"}