Latest Threat Intelligence (May 2022)

Microsoft has released the May 2022 Threat Intelligence update package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). 


Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. 


MD5 Hash - 542b8cffe15b91d1c9bc5f9895f1fd2a


This package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month). The current release includes detection rules and IOCs implemented by Section 52 security researchers for:


  1. Pipedream/Incontroller modular attack framework and toolkit. The custom tools enable threat actors to conduct automated attacks, search for devices on networks, and disrupt operations and access. For more information, please read the recent alert on APT Cyber Tools Targeting ICS/SCADA Devices.
  2. BlackCat/ALPHV ransomware. BlackCat operators use previously compromised credentials to gain access to systems, deploy malicious scripts and disable security features. The ransomware has affected over 60 entities worldwide. For detailed IOCs and mitigation guidelines, please see the FBI Flash report.
  3. Industroyer2 malware. The Industroyer variant is self-contained and highly customizable, allowing threat actors to adapt the malware to specific devices on OT networks.


Updated CVEs (CVEs provide a reference method for publicly known information security vulnerabilities and exposures) published over the last month are available for reference on the MITRE site, in the National Vulnerability Database (NVD), and on the IoT/OT-specific ICS-CERT site.


Update your system with the latest TI package:

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release; see the Defender for IoT documentation for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on.


Additionally, the package can be downloaded manually from the Microsoft Defender for IoT portal, under Updates.



To update a package on a single sensor:

  1. Go to the Microsoft Defender for IoT Updates page.
  2. Download and save the Threat Intelligence package.
  3. Sign into the sensor console.
  4. On the side menu, select System Settings.
  5. Select Threat Intelligence Data, and then select Update.
  6. Upload the new package.

To update a package on multiple sensors simultaneously:

  1. Go to the Microsoft Defender for IoT Updates page.
  2. Download and save the Threat Intelligence package.
  3. Sign into the management console.
  4. On the side menu, select System Settings.
  5. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages.
  6. In the Select Threat Intelligence Data section, select the plus sign (+).
  7. Upload the package.
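Between the download step and the upload step of either procedure, it is worth confirming that the saved file matches the MD5 hash published above, so a truncated or corrupted download is never loaded onto a sensor. The following added example (not Microsoft's code; the file name and the constructed sample content are assumptions) streams the package through MD5 and returns a go/no-go result a deployment script can act on:

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# MD5 published for the May 2022 package in the announcement above.
PUBLISHED_MD5 = "542b8cffe15b91d1c9bc5f9895f1fd2a"


def md5_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through MD5 so a large package never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def package_matches(path, expected_md5=PUBLISHED_MD5):
    """True only if the file's MD5 equals the published value (hex, case-insensitive)."""
    actual = md5_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_md5.strip().lower())


def check_package(path, expected_md5=PUBLISHED_MD5):
    """Return (ok, message) so a script can stop before the 'Upload the package' step."""
    path = str(path)
    if not os.path.isfile(path):
        return False, f"{path}: file not found; download the package first"
    if package_matches(path, expected_md5):
        return True, f"{path}: MD5 matches the published hash"
    return False, f"{path}: MD5 mismatch; do not upload, re-download the package"


if __name__ == "__main__":
    # Constructed stand-in for a downloaded package so the example runs offline;
    # its content is not the real package, so a mismatch is the expected result.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "ti-package.bin"  # assumed file name
        sample.write_bytes(b"abc")
        print(check_package(sample))
```

A matching MD5 only shows the download arrived intact; it is not a defence against a package substituted at the source, so keep downloading from the portal over HTTPS rather than from mirrors.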

For more information, please review the Microsoft Docs article "Update threat intelligence data".
