Forum Discussion

arielsgv (Microsoft)
Oct 13, 2022

Latest Threat Intelligence (October 2022)

Microsoft Defender for IoT has released the October 2022 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). 

 

Threat Intelligence updates reflect the combined output of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks that were published during the past month, researched and implemented by Microsoft Defender for IoT's security research team, Section 52. 

 

This Threat Intelligence update contains CVEs released during September. CVEs provide a standard reference for publicly known information security vulnerabilities and exposures. The CVEs published over the last month are available for reference on the MITRE CVE site, in the National Vulnerability Database (NVD), and, for IoT/OT-specific advisories, from ICS-CERT. 

 

Along with the release of this TI package, further guidance is provided below for affected Schneider Electric and Siemens devices, which are commonly used in industrial networks. 

 

Package Updates 

With this release, Microsoft Defender for IoT has expanded vulnerability detection capabilities for Siemens industrial equipment including: 

  1. Siemens RUGGEDCOM RST2288P 
  2. Siemens RUGGEDCOM RST2288 
  3. Siemens SCALANCE XM-400  
  4. Siemens SIMATIC IPC3000 Smart v3 

 

The October Threat Intelligence package contains high-severity CVEs, including CVE-2022-37300. This vulnerability, a weak recovery mechanism for forgotten passwords, could allow an unauthorized user access to the controller's read and write modes when communicating over the Modbus protocol. It affects Schneider Electric EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, and the Modicon M580 and M340 controllers. 

 

CVE-2022-37300 Analysis 

Modbus is a standard industrial communication protocol that carries signals between a wide range of field devices and their controllers, and it is often used to connect remote terminal units (RTUs) in supervisory control and data acquisition (SCADA) systems. Modbus/TCP (TCP port 502) provides no authentication or encryption of its own, so any host that can reach the port can issue read and write requests. An attacker abusing this vulnerability can easily recover the password of the controller, granting them permission to change settings, modify the software and ladder logic installed on the controller (which alters device behaviour), and delete files. The vulnerability can also allow an attacker to install custom firmware on the controller, retaining control of the device even if the password is later changed by network operators. 

 

Guidance  

Microsoft Defender for IoT researchers encourage you to review your deployment of the Siemens and Schneider Electric industrial devices included in the October Threat Intelligence package and to patch those devices where relevant in order to reduce your attack surface. 

With the publication of this vulnerability, Schneider Electric has issued updates for affected devices and recommended mitigations for customers who cannot update their devices. Given the nature of the vulnerability, Microsoft Defender for IoT strongly recommends patching affected devices immediately and following Schneider Electric's published mitigations: 

  • Use strong passwords and refrain from using default credentials. 
  • Segment networks and configure firewalls to block unauthorized access to TCP port 502. 
  • Configure devices, access lists and communications according to guidelines issued by Schneider Electric. 
  • Use virtual private networks between devices. 
  • Secure files and their transfer with encryption and secure communication protocols. 
  • Only access files from trusted sources. 
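The Modbus description in the CVE-2022-37300 analysis above and the port 502 segmentation item in this list both come down to the same question a sensor or firewall has to answer for every request on TCP port 502: which host is talking, and is it reading or writing? The following added example, which is not code from Microsoft Defender for IoT or Schneider Electric, parses the Modbus/TCP MBAP header, classifies the function code as a read or a write, and checks the source against an allowlist of engineering workstations (allowed to write) and SCADA/HMI hosts (read-only). Malformed frames on port 502 are flagged as their own signal. The host addresses, the policy and the packet bytes are constructed for illustration and do not appear in the original post.

```python
# Added example, not code from Microsoft Defender for IoT or Schneider Electric.
# Parses Modbus/TCP requests (port 502), tells reads from writes by function code,
# and checks the source host against a constructed allowlist.
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502

# Modbus public function codes that change controller state.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request.

    Raises ValueError for anything that is not a well-formed Modbus/TCP frame,
    so callers can treat malformed traffic on port 502 as its own signal.
    """
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid}, Modbus/TCP uses 0")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} but {len(payload) - 6} bytes follow")
    return ModbusFrame(tid, uid, payload[7], payload[8:])


@dataclass(frozen=True)
class AccessPolicy:
    engineering_hosts: frozenset  # may read and write (engineering workstations)
    scada_hosts: frozenset        # HMI/SCADA servers, read-only


def inspect(src_ip: str, dst_port: int, payload: bytes, policy: AccessPolicy) -> tuple:
    """Classify one client->server TCP segment. Returns (verdict, detail)."""
    if dst_port != MODBUS_TCP_PORT:
        return ("ignore", f"dst port {dst_port} is not Modbus/TCP")
    try:
        frame = parse_mbap(payload)
    except ValueError as exc:
        return ("alert", f"malformed Modbus/TCP frame from {src_ip}: {exc}")
    fc = frame.function_code
    is_write = fc in WRITE_FUNCTION_CODES
    op = WRITE_FUNCTION_CODES.get(fc, f"fc=0x{fc:02x}")
    if src_ip in policy.engineering_hosts:
        return ("allow", f"{op} to unit {frame.unit_id} from engineering host {src_ip}")
    if src_ip in policy.scada_hosts:
        if not is_write:
            return ("allow", f"{op} from SCADA host {src_ip}")
        return ("alert", f"{op} to unit {frame.unit_id} from read-only SCADA host {src_ip}")
    return ("alert", f"{op} to unit {frame.unit_id} from host {src_ip} not on any allowlist")


# Constructed policy: one engineering workstation, one SCADA server (hypothetical addresses).
POLICY = AccessPolicy(
    engineering_hosts=frozenset({"10.0.1.20"}),
    scada_hosts=frozenset({"10.0.1.30"}),
)

# Constructed sample segments: (src_ip, dst_port, payload).
SAMPLE_TRAFFIC = [
    # Read Holding Registers (0x03), 10 registers from address 0, from the SCADA host
    ("10.0.1.30", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Write Single Register (0x06) from the engineering workstation
    ("10.0.1.20", 502, b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # Write Multiple Registers (0x10) from a host on no allowlist
    ("10.0.5.77", 502, b"\x00\x03\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x12\x34"),
    # Write Single Coil (0x05) from the read-only SCADA host
    ("10.0.1.30", 502, b"\x00\x04\x00\x00\x00\x06\x01\x05\x00\x01\xff\x00"),
    # Protocol id 1 on port 502: not Modbus/TCP as specified
    ("10.0.5.77", 502, b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Same kind of frame to another port: outside this check's scope
    ("10.0.5.77", 8080, b"\x00\x06\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
]


def run_sample(policy: AccessPolicy = POLICY) -> list:
    """Run the check over SAMPLE_TRAFFIC; returns [(src_ip, verdict, detail), ...]."""
    return [(src, *inspect(src, port, payload, policy)) for src, port, payload in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for src, verdict, detail in run_sample():
        print(f"{verdict:6} {detail}")
```

The policy here is deliberately split into two allowlists because a flat "who may reach port 502" list would let an HMI that only needs to read registers also issue writes; separating read-only hosts from engineering hosts is what turns the "block unauthorized access" mitigation into something a sensor can alert on per request rather than per connection.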

Customers are advised to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviours on devices. 

If you would like more information about these CVEs or have concerns about your security posture, please do not hesitate to reach out. 

 

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, see Update threat intelligence data | Microsoft Docs. Verify that the MD5 hash of the downloaded file matches the value below before uploading it to a sensor. 

MD5 Hash - 4126b21d3a5f2e79a350207ee40e5dca

 

For cloud-connected sensors, Microsoft Defender for IoT can automatically apply new threat intelligence packages when they are released; see the Microsoft Defender for IoT documentation for details. 
