arielsgv
Jul 20, 2023

Latest Threat Intelligence (July 2023)

Microsoft Defender for IoT has released the July 2023 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). 

 

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Defender for IoT’s security research team, Section 52.   

 

The Threat Intelligence package for this month provides indicators to identify devices affected by the Rockwell Automation ControlLogix firmware vulnerabilities CVE-2023-3595 and CVE-2023-3596, as well as detections designed to warn users of attempts to exploit these vulnerabilities. This package also includes indicators for Honeywell Experion PKS, LX, and PlantCruise devices affected by the vulnerabilities in ICSA-23-194-06 (CVE-2023-23585, CVE-2023-25078, CVE-2023-25948, CVE-2023-26597, CVE-2023-24480, CVE-2023-25770, CVE-2023-25178, CVE-2023-22435, CVE-2023-24474).

 

Consequently, these devices may be vulnerable to remote code execution (RCE), denial of service (DoS), spoofing attacks, or they may even be disabled. Users must update their systems to the latest version to be safe from these vulnerabilities. Rockwell Automation and Honeywell have released patches to address these issues. It is recommended to install the patches as soon as possible.

 

These CVEs can only be exploited by an attacker who has direct access to the affected systems. To mitigate the risks, we recommend the following measures:

  1. Update the affected devices with the latest firmware.

  2. Keep a close eye on any unauthorized access attempts to the systems, and minimize exposure and access to them.

  3. Ensure that network monitoring covers the systems with these devices, so that any deviation from baseline behavior can be detected and tracked.

 

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

 

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

 

MD5 Hash: 0442443fd124f59796c20dc65b486b3d

 

 

For cloud-connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.