arielsgv (Microsoft)
Oct 13, 2022
Latest Threat Intelligence (October 2022)
Microsoft Defender for IoT has released the October 2022 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).
Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Defender for IoT’s security research team, Section 52.
This Threat Intelligence update contains CVEs released during September. CVEs provide a reference method for publicly known information security vulnerabilities and exposures. Updated CVEs published over the last month are available for reference on the MITRE site, in the National Vulnerability Database site (NVD) as well as IoT/OT specific ICS-CERT.
Along with the release of this TI package, further guidance is provided below for affected Schneider Electric and Siemens devices, which are commonly used in industrial networks.
Package Updates
With this release, Microsoft Defender for IoT has expanded vulnerability detection capabilities for Siemens industrial equipment including:
- Siemens RUGGEDCOM RST2288P
- Siemens RUGGEDCOM RST2288
- Siemens SCALANCE XM-400
- Siemens SIMATIC IPC3000 Smart v3
The October Threat Intelligence package contains high-severity CVEs, including CVE-2022-37300. This vulnerability could allow unauthorized users access through weak recovery mechanisms for forgotten passwords in Schneider Electric EcoStruxure™ Control Expert, EcoStruxure™ Process Expert, and Modicon M580 and M340 controller read and write modes when communicating over Modbus data protocols.
CVE-2022-37300 Analysis
Modbus is a standard communication protocol that transmits signals from a wide range of instrumentation and control devices to controllers, and it is often used to connect to a remote terminal unit (RTU) in supervisory control and data acquisition (SCADA) systems. An attacker abusing this vulnerability can easily recover the password of the controller, granting them permission to change settings, change the software and ladder logic installed on the controller (which affects device behavior), and delete files. This vulnerability can also allow an attacker to install custom firmware on the controller, conferring device control even if the password is later updated by network operators.
Guidance
Microsoft Defender for IoT researchers encourage you to review the implementation of the Siemens and Schneider Electric industrial devices included in the October Threat Intelligence package and to patch devices when relevant in order to reduce your attack surface.
With the publication of this vulnerability Schneider Electric has issued updates to affected devices and recommended mitigations for customers who cannot update their devices. Given the nature of the vulnerability, Microsoft Defender for IoT strongly recommends immediately patching affected devices and following Schneider Electric’s published mitigations:
- Use strong passwords and refrain from using default credentials.
- Segment networks and configure firewalls to block unauthorized access to TCP port 502.
- Configure devices, access lists and communications according to guidelines issued by Schneider Electric.
- Use virtual private networks between devices.
- Secure files and their transfer with encryption and secure communication protocols.
- Only access files from trusted sources.
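The segmentation mitigation above (only allowlisted hosts may reach controllers on TCP port 502) is straightforward to audit from connection logs. The following is an added example, not code from Microsoft Defender for IoT or Schneider Electric; it assumes a constructed flow-log format of `src_ip dst_ip dst_port proto`, a hypothetical PLC subnet of 10.10.20.0/24 and two hypothetical engineering workstations as the only permitted Modbus/TCP clients.

```python
"""Flag Modbus/TCP (port 502) sessions to PLCs from non-allowlisted clients.

Constructed example for auditing the port-502 segmentation guidance; the
subnets, hosts and log format below are assumptions, not real site data.
"""
import ipaddress

# Assumed zone layout: controllers live in the control subnet, and only these
# engineering workstations are permitted to open Modbus/TCP sessions to them.
PLC_SUBNET = ipaddress.ip_network("10.10.20.0/24")
ALLOWED_MODBUS_CLIENTS = {
    ipaddress.ip_address("10.10.10.5"),
    ipaddress.ip_address("10.10.10.6"),
}
MODBUS_PORT = 502

# Constructed flow records: 'src_ip dst_ip dst_port proto', one per line.
SAMPLE_FLOWS = """\
10.10.10.5 10.10.20.11 502 tcp
10.10.10.6 10.10.20.12 502 tcp
192.168.1.77 10.10.20.11 502 tcp
10.10.30.9 10.10.20.12 502 tcp
10.10.10.5 10.10.20.11 44818 tcp
10.10.30.9 10.10.20.12 502 udp
"""


def parse_flow(line):
    """Split one flow record into typed fields."""
    src, dst, port, proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto.lower()


def is_unauthorized_modbus(src, dst, port, proto):
    """True when a TCP/502 session reaches a PLC from a host outside the allowlist."""
    return (proto == "tcp" and port == MODBUS_PORT
            and dst in PLC_SUBNET and src not in ALLOWED_MODBUS_CLIENTS)


def find_unauthorized(flow_text):
    """Return (src, dst) string pairs for flows that violate the segmentation policy."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = parse_flow(line)
        if is_unauthorized_modbus(src, dst, port, proto):
            hits.append((str(src), str(dst)))
    return hits


if __name__ == "__main__":
    for src, dst in find_unauthorized(SAMPLE_FLOWS):
        print(f"ALERT: Modbus/TCP from non-allowlisted host {src} to PLC {dst}")
```

Only TCP sessions to the controller subnet on port 502 are evaluated, so other industrial protocols and UDP traffic are ignored; the same policy can be mirrored as firewall rules between the engineering and control zones.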
Customers are advised to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.
If you would like more information about these CVEs or have concerns about your security posture, please do not hesitate to reach out.
Update your system with the latest TI package
The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.
MD5 Hash - 4126b21d3a5f2e79a350207ee40e5dca
For cloud-connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release; click here for more information.