Latest Threat Intelligence (November 2022)


Microsoft Defender for IoT has released the November 2022 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). 


Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IoCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks published during the past month, researched and implemented by Microsoft Defender for IoT's security research team, Section 52.


November Updates

With this release, Microsoft Defender for IoT has expanded its vulnerability detection capabilities to cover known OT vulnerabilities in supervisory control and data acquisition (SCADA) devices published since 2008, and has added new detections for Text4Shell (CVE-2022-42889) and the recently released path traversal vulnerability in ABB's implementation of the Totalflow TCP protocol (CVE-2022-0902).

Detections for the Text4Shell vulnerability (CVE-2022-42889) in the "Apache Commons Text" Java library were added with this month's threat intelligence update. This vulnerability allows an attacker to send malicious inputs that can execute arbitrary code, call a remote URL or send an unauthorized DNS request. Customers using Apache Commons Text versions 1.5 through 1.9 should update to version 1.10.


The November Threat Intelligence package contains high-severity CVEs, including CVE-2022-38465. An attacker exploiting this vulnerability in the Siemens SIMATIC S7-1200 and S7-1500 CPU families could decrypt information such as passwords and gain full control of the programmable logic controller (PLC), allowing them to perform the following actions:

  1. Connect to the PLC
  2. Change the PLC’s configuration
  3. Upload ladder logic to the PLC
  4. Change PLC mode

Attacks abusing this vulnerability appear as normal behaviors and connections to devices, resembling those of authorized network and device administrators.



Customers are recommended to update their systems with the latest TI package to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Microsoft Defender for IoT researchers encourage you to review the implementation of devices and software included in the November Threat Intelligence package and to patch devices when relevant to reduce your attack surface.


For customers affected by CVE-2022-38465, Microsoft strongly recommends following the mitigation guidelines published by Siemens, which also provide the firmware updates for S7-1200 and S7-1500 for direct download. SIMATIC S7-1200 models with firmware versions below v4.5 and S7-1500 models with firmware versions below v2.9.2 need to be updated according to the mitigation guidelines. Microsoft Defender for IoT detects suspicious activity on these devices by flagging unauthorized PLC activity and connections to unfamiliar or unauthorized IP addresses.


Customers interested in identifying which devices may currently be vulnerable to exploitation by threat actors should access their inventory in Microsoft Defender for IoT. The inventory lists devices by model and firmware version.
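The version thresholds above (Apache Commons Text 1.5 through 1.9, fixed in 1.10; S7-1200 firmware below v4.5; S7-1500 firmware below v2.9.2) can be checked mechanically against an inventory export of model and version columns. The script below is an added example and not part of this package or Microsoft's tooling; the inventory rows are constructed, the two-column layout is an assumption, and the lower bound used for the PLC rules is an assumption since the advisory states only the upper threshold.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Affected ranges as stated in the advisory: Apache Commons Text 1.5 through 1.9
# (fixed in 1.10); S7-1200 firmware below 4.5; S7-1500 firmware below 2.9.2.
# Lower bound (0,) for the PLC rules is an assumption (advisory gives only the fix).
RULES = [
    ("commons-text", (1, 5), (1, 10), "CVE-2022-42889: update Apache Commons Text to 1.10"),
    ("S7-1200", (0,), (4, 5), "CVE-2022-38465: update S7-1200 firmware to 4.5 or later"),
    ("S7-1500", (0,), (2, 9, 2), "CVE-2022-38465: update S7-1500 firmware to 2.9.2 or later"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract 'V4.4.1' or '1.10' as an integer tuple, so that 1.10 sorts after
    1.9; a plain string comparison would place 1.10 before 1.5 and miss it."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def is_affected(product: str, version: str) -> Optional[str]:
    """Return the remediation note when (product, version) falls in an affected
    range (inclusive lower bound, exclusive at the fixed version), else None."""
    parsed = parse_version(version)
    for needle, lower, fixed, note in RULES:
        if needle.lower() in product.lower() and lower <= parsed < fixed:
            return note
    return None

def scan_inventory(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """rows are (model or component name, version); returns the flagged ones."""
    findings = []
    for name, version in rows:
        note = is_affected(name, version)
        if note:
            findings.append((name, version, note))
    return findings

SAMPLE_INVENTORY = [  # constructed sample rows, not a real Defender for IoT export
    ("SIMATIC S7-1200 CPU 1214C", "V4.4.0"),
    ("SIMATIC S7-1500 CPU 1516-3", "V2.9.2"),
    ("SIMATIC S7-1500 CPU 1511-1", "V2.8.3"),
    ("historian: commons-text-1.9.jar", "1.9"),
    ("hmi-gateway: commons-text", "1.10"),
    ("engineering-ws: commons-text", "1.4"),
]

if __name__ == "__main__":
    for name, version, note in scan_inventory(SAMPLE_INVENTORY):
        print(f"{name} ({version}): {note}")
```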

For more information about these CVEs or your security posture, please contact us.



Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, see Update threat intelligence data | Microsoft Docs.




MD5 hash: 8e9e339b2b8f55af1e2e3b01c87cfbd7


For cloud-connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release.

