(Updated 21-DEC) Security Advisory - Apache Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Microsoft is investigating the remote code execution vulnerability related to Apache Log4j (a logging tool used by many Java-based applications) disclosed on 9 Dec 2021. Mitre has designated this vulnerability as CVE-2021-44228 with a severity rating of 10.0. This was followed by vulnerabilities disclosed on Dec 14th 2021 (CVE-2021-45046), potentially affecting non-standard configurations, and Dec 16th 2021 (CVE-2021-45105). For the latest status of Microsoft's investigation, please see Microsoft's Response to CVE-2021-44228 Apache Log4j 2. This advisory will continue to be updated as new information becomes available.

(Last Updated 21-DEC-2021) The advisory was updated to reflect that version 10.5.5 has been released with the latest Apache Log4j 2.17.0 and validated to mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

We strongly recommend our customers implement the following mitigation steps based on an internal analysis of possible attack vectors.

Mitigation Guidance for Microsoft Defender for IoT

For Defender for IoT security appliances (OT network sensors and on-premises management console):

Deploy the latest software release

As of version 10.5.4, all components that were affected by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have been upgraded and secured. Customers are strongly encouraged to apply this update as soon as possible.

Manual Workaround

The workarounds described below will mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, and can be used until upgrading to version 10.5.4 or above.

OT Network Sensor

Using SSH, log in as an administrator with full privileges. Execute the following:

echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && sed -i 's/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-jar\x27,/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-Dlog4j2\.formatMsgNoLookups=true\x27, \x27-jar\x27,/' /usr/local/bin/cyberx-xsense-cip-query-controllers && monit restart all" | sudo at now + 1 minutes

On Premises Management Console

Using SSH, log in as an administrator with full privileges. Execute the following:

echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && monit restart all" | sudo at now + 1 minutes

If you need further assistance

Please open a support ticket to contact our support team.

The Defender for IoT cloud service does not use log4j and is not vulnerable to any active attack vector caused by CVE-2021-44228 and CVE-2021-45046.

Latest Threat Intelligence Update for Monitoring CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Microsoft has released a dedicated Threat Intelligence update package for detecting Log4j exploit attempts on the network (example below). The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

MD5 Hash - 512081a7ce19e436c9ff7ed672024354

Update your system with the latest TI package:

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release; click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on.

Additionally, the package can be downloaded from the Microsoft Defender for IoT portal, under Updates:

To update a package on a single sensor:
1. Go to the Microsoft Defender for IoT Updates page.
2. Download and save the Threat Intelligence package.
3. Sign into the sensor console.
4. On the side menu, select System Settings.
5. Select Threat Intelligence Data, and then select Update.
6. Upload the new package.

To update a package on multiple sensors simultaneously:
1. Go to the Microsoft Defender for IoT Updates page.
2. Download and save the Threat Intelligence package.
3. Sign into the management console.
4. On the side menu, select System Settings.
5. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages.
6. In the Select Threat Intelligence Data section, select the plus sign (+).
7. Upload the package.

For more information, please review Update threat intelligence data | Microsoft Docs

For further information

Follow the MSRC blog for more information, which is updated with information and protection details as they become available. For a more in-depth analysis of the vulnerability, exploitation, detections, and mitigations, consult the RiskIQ (acquired by Microsoft in August 2021) analysis.
Microsoft's Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center
Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog
Log4j – Apache Log4j Security Vulnerabilities
CVE - CVE-2021-44228 (mitre.org)

Latest Threat Intelligence (15 December, 2020) - FireEye and SolarWinds Events
Microsoft has been monitoring a sophisticated attack involving compromised 3rd-party software, including an intrusion through malicious code in the SolarWinds Orion product. This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. For further details, please refer to the SolarWinds advisory and the FireEye advisory. Additionally, FireEye Red Team tools were recently stolen from the company. For further details, please refer to the FireEye blog post.

To help Azure Defender for IoT detect these latest threats, we strongly recommend deployment of the attached threat intelligence (TI) package as soon as possible (dated 2020-12-15). To deploy the TI, please follow the instructions below. Please note that your sensor version must be 2.8.10 and up:

1. Download the TI file from the Azure Defender for IoT.
2. If you have a Stand-Alone sensor, in the System Settings screen locate the "Intelligence Data Update" tile. Upload the file. Once the upload is finished successfully - that's it!
3. If you have a Central Manager that controls several appliances, go to the "System Settings" screen. Upload the file in the "Intelligence Data" tile. Once the upload is completed, mark the appliances that you want to update and click "save changes".

If you need support deploying the TI package, please contact your customer success manager, or visit the Microsoft support site:

Visit the Defender for IoT by Microsoft "help and support" page (URL) https://support.serviceshub.microsoft.com/supportforbusiness/create?sapId=82c88f35-1b8e-f274-ec11-c6efdd6dd099

To log in to Support.microsoft.com customers will be prompted to enter any valid Microsoft Account (MSA) or Office 365 account. (An MSA is an Outlook/Hotmail account, or any email linked to a Microsoft account. Customers can create or configure an MSA from https://account.microsoft.com/account.) During the first login, customers will be prompted to verify details to be registered in the Microsoft Services hub portal. Select the category and problem, enter additional information and submit your ticket. Upload any attachments (optional).

Microsoft has also published updates to Microsoft Defender to help block related attacks, and to Azure Sentinel that provide additional signals for post-compromise techniques observed in these intrusions. For more details, please see the Microsoft blog post titled "Customer Guidance on Recent Nation-State Cyber Attacks."

It is our goal to continue to provide world-class support to our customers as part of the broader security ecosystem. This situation is evolving, so we will provide updates as they become available.

For further information:
Customer Guidance on Recent Nation-State Cyber Attacks
Important steps for customers to protect themselves from recent nation-state cyberattacks
SolarWinds Post-Compromise Hunting with Azure Sentinel - Microsoft Tech Community

arielsgv, Dec 17, 2020, Microsoft

Is Raspberry PI Bullseye also supported by Defender for IoT agent installation?
Hello,

As Azure IoT Edge is https://azure.microsoft.com/en-us/updates/azure-iot-edge-supports-debian-bullseye-arm32v7/ on a Raspberry PI, I was hoping to install the Defender for IoT agent on this device. But when I follow the Debian installation steps, I get an exception:

sudo apt-get install defender-iot-micro-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
 defender-iot-micro-agent : Depends: libcurl3 but it is not installable
E: Unable to correct problems, you have held broken packages.

Unfortunately, I'm not able to install libcurl3:

sudo apt install libcurl3
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package libcurl3 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or is only available from another source
However the following packages replace it:
 libcurl4
E: Package 'libcurl3' has no installation candidate

Because libcurl3 is mandatory instead of optional, I'm not able to let the installer ignore it. Is there some solution?

Thanks,
Sander

Solved. Sander van de Velde, May 24, 2022, Copper Contributor

Azure Security Center for IoT Webinar
Interested in learning about Azure Security Center for IoT? Check out our upcoming webinar. Details and registration at https://aka.ms/ASCIoTWebinar.

Azure Security Center for IoT is a new solution that allows organizations to easily protect their IoT deployments with threat protection driven by Microsoft's unique threat intelligence. You can find more information about it at https://docs.microsoft.com/en-us/azure/asc-for-iot/overview.

The webinar will take place on Monday, August 5, 2019 at 08:00 PT / 11:00 ET / 15:00 GMT. Afterward, the recording will be posted to https://aka.ms/ASCIoTRecordings. We hope you'll join us!

Webinar: Sentinel IT/OT Threat Monitoring
Join us on Thursday 28.7 for a webinar on Sentinel IT/OT Threat Monitoring with the Defender for IoT solution. Learn how Defender for IoT's built-in integration with Sentinel helps bridge the gap between IT and OT security. Registration is now open for July 28.

There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Microsoft Sentinel drives convergence by providing a single pane for coverage of both D4IOT (OT) and Microsoft Sentinel (IT) alerting. This solution includes Workbooks and Analytics rules providing a guide to OT detection and analysis.

Pcap player file upload
Hello All,

I would like to upload multiple files to the Pcap player (System Settings->Pcap Player, see picture below) and let it run. However the browser dialog does not allow me to multi-select. As a result, if I have more than one pcap sample, I am supposed to upload them one by one. Is there a way to upload multiple files at once?

Thank you in advance for your time!

Kind regards,
Vanina

Solved. VaninaYord, Mar 16, 2022, Copper Contributor
Microsoft Defender for IoT - New Release (OT v22.3.4)
Microsoft Defender for IoT is excited to announce a new major release of OT sensor version (22.3.4). To learn more, visit Defender for IoT Release Notes | Microsoft Docs. Download links are available at Defender for IoT Management Portal - Microsoft Azure.

What's New?

Service area: OT networks
Updates: Version 22.3.4: Azure connectivity status shown on OT sensors

MD5 Hash - f781734c1b8e2baf94f7a1fd6508df79

About Defender for IoT

Microsoft Defender for IoT provides agentless, network-layer security, provides security for diverse industrial equipment, and interoperates with Microsoft Sentinel and other SOC tools. Continuous asset discovery, vulnerability management, and threat detection for Internet of Things (IoT) devices, operational technology (OT) and Industrial Control Systems (ICS) can be deployed on-premises or in Azure-connected environments.

meir_saw, Jan 04, 2023, Microsoft

Latest Threat Intelligence (May, 2021)
Microsoft has released the May 2021 Threat Intelligence update package. The package is available for download from the Azure Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. The package includes the latest CVEs (Common Vulnerabilities and Exposures) and IOCs (Indicators of Compromise) applicable for IoT/ICS/OT networks (published during the month of April). CVEs provide a reference method for publicly known information security vulnerabilities and exposures, and are available for reference on the MITRE site, in the National Vulnerability Database site (NVD) as well as the IoT/OT-specific ICS-CERT.

Update your system with the latest TI package:

Starting with sensor version 10.3, new threat intelligence packages can now be automatically pushed to cloud-connected sensors as they are released by Microsoft Defender for IoT; click here for more information. Working with automatic updates helps reduce operational effort and ensure greater security. Enable automatic updating by onboarding your cloud-connected sensor on the Defender for IoT portal with the Automatic Threat Intelligence Updates toggle turned on.

The package can also be downloaded from the Azure Defender for IoT Portal, Updates page:

To update a package on a single sensor:
1. Go to the Azure Defender for IoT Updates page.
2. Download and save the Threat Intelligence package.
3. Sign into the sensor console.
4. On the side menu, select System Settings.
5. Select Threat Intelligence Data, and then select Update.
6. Upload the new package.

To update a package on multiple sensors simultaneously:
1. Go to the Azure Defender for IoT Updates page.
2. Download and save the Threat Intelligence package.
3. Sign into the management console.
4. On the side menu, select System Settings.
5. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages.
6. In the Select Threat Intelligence Data section, select the plus sign (+).
7. Upload the package.

For more information, please review Update threat intelligence data | Microsoft Docs

arielsgv, May 02, 2021, Microsoft