(Updated 21-DEC) Security Advisory - Apache Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Microsoft is investigating the remote code execution vulnerability related to Apache Log4j (a logging tool used by many Java-based applications) disclosed on 9 Dec 2021. Mitre has designated this vulnerability as CVE-2021-44228 with a severity rating of 10.0. This was followed by vulnerabilities disclosed on Dec 14 th 2021 (CVE-2021-45046) potentially affecting non-standard configurations and Dec 16 th 2021 (CVE-2021-45105). For the latest status of Microsoft’s investigation, please see Microsoft’s Response to CVE-2021-4428 Apache Log4j 2. This advisory will continue to be updated as new information becomes available. (Last Updated 21-DEC-2021) The advisory was updated to reflect that version 10.5.5 has been released with the latest Apache Log4j 2.17.0 and validated to mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. We strongly recommend our customers implement the following mitigation steps based on an internal analysis of possible attack vectors. Mitigation Guidance for Microsoft Defender for IoT For Defender for IoT security appliances (OT network sensors and on-premises management console): Deploy the latest software release As of version 10.5.4, all components that were affected by CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have been upgraded and secured. Customers are strongly encouraged to apply this update as soon as possible. Manual Workaround The workarounds described below will mitigate CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105, and can be used until upgrading to version 10.5.4 or above. > OT Network Sensor Using SSH, login as an administrator with full privileges. Execute the following: echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && sed -i 's/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-jar\x27,/args = \[\x27java\x27, \x27-Dlog4j\.configurationFile=\/var\/cyberx\/properties\/log4j2-active-tool\.xml\x27, \x27-Dlog4j2\.formatMsgNoLookups=true\x27, \x27-jar\x27,/' /usr/local/bin/cyberx-xsense-cip-query-controllers && monit restart all" | sudo at now + 1 minutes > On Premises Management Console Using SSH, login as an administrator with full privileges. Execute the following: echo "find /var/cyberx/components/ -name \"start.sh\" -exec grep -L Dlog4j2.formatMsgNoLookups=true {} \; | xargs -I '{}' sed -i '/java_args.append(\"-Dlog4j.configurationFile=.*)/a java_args.append(\"-Dlog4j2.formatMsgNoLookups=true\")' {} && monit restart all" | sudo at now + 1 minutes If you need further assistance Please open a support ticket to contact our support team. The Defender for IoT cloud service does not use log4j and is not vulnerable to any active attack vector caused by CVE-2021-44228 and CVE-2021-45046. Latest Threat Intelligence Update for Monitoring CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Microsoft has released a dedicated Threat Intelligence update package for detecting Log4j exploit attempts on the network (example below). The package is available for download from the Microsoft Defender for IoT portal (Click Updates, then Download file). MD5 Hash - 512081a7ce19e436c9ff7ed672024354 Update your system with the latest TI package: Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release, click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. Additionally, the package can be downloaded from the Microsoft Defender for IoT portal, under Updates: To update a package on a single sensor: Go to the Microsoft Defender for IoT Updates page. Download and save the Threat Intelligence package. Sign into the sensor console. On the side menu, select System Settings. Select Threat Intelligence Data, and then select Update. Upload the new package. To update a package on multiple sensors simultaneously: Go to the Microsoft Defender for IoT Updates page. Download and save the Threat Intelligence package. Sign into the management console. On the side menu, select System Settings. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages. In the Select Threat Intelligence Data section, select the plus sign (+). Upload the package. For more information, please review Update threat intelligence data | Microsoft Docs For further information Follow the MSRC blog for more information, which is updated with information and protection details as they become available. For a more in-depth analysis of the vulnerability, exploitation, detections, and mitigations, consult the RiskIQ (acquired by Microsoft in August 2021) analysis. Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 – Microsoft Security Response Center Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation - Microsoft Security Blog Log4j – Apache Log4j Security Vulnerabilities CVE - CVE-2021-44228 (mitre.org)
Azure Security Center for IoT Webinar
Interested in learning about Azure Security Center for IoT? Check out our upcoming webinar. Details and registration at https://aka.ms/ASCIoTWebinar. Azure Security Center for IoT is a new solution that allows organizations to easily protect their IoT deployments with threat protection driven by Microsoft’s unique threat intelligence. You can find more information about it at https://docs.microsoft.com/en-us/azure/asc-for-iot/overview. The webinar will take place on Monday, August 5, 2019 at 08:00 PT / 11:00 ET / 15:00 GMT. Afterward, the recording will be posted to https://aka.ms/ASCIoTRecordings. We hope you’ll join us!Webinar: Sentinel IT/OT Threat Monitoring
Join us on Thursday 28.7 for a webinar on Sentinel IT/OT Threat Monitoring with Defender for IoT solution. Learn how Defender for IoT's built-in integration with Sentinel helps bridge the gap between IT and OT security. Registration is now open , for July 28 There has been a long-standing split between ICS/SCADA (OT) and Corporate (IT) cybersecurity. This split was often driven by significant differences in technology/tooling. Microsoft Defender for IoT's integration with Microsoft Sentinel drives convergency by providing a single pane for coverage of both D4IOT (OT) and Microsoft Sentinel (IT) alerting. This solution includes Workbooks and Analytics rules providing a guide OT detection and Analysis.
Microsoft Defender for IoT - New Release (OT v22.3.4)
Microsoft Defender for IoT is excited to announce a new major release of OT sensor version (22.3.4). To learn more, visit Defender for IoT Release Notes | Microsoft Docs Download links available at Defender for IoT Management Portal - Microsoft Azure. What's New? Service area Updates OT networks Version 22.3.4: Azure connectivity status shown on OT sensors MD5 Hash - f781734c1b8e2baf94f7a1fd6508df79 About Defender for IoT Microsoft Defender for IoT provides agentless, network-layer security, provides security for diverse industrial equipment, and interoperates with Microsoft Sentinel and other SOC tools. Continuous asset discovery, vulnerability management, and threat detection for Internet of Things (IoT) devices, operational technology (OT) and Industrial Control Systems (ICS) can be deployed on-premises or in Azure-connected environments.Azure Defender for IoT - Version 22.1.4 Release
Microsoft is excited to announce version 22.1.4 release of Azure Defender for IoT. To learn more, visit Azure Defender for IoT Release Notes | Microsoft Docs Download links available at Defender for IoT Management Portal - Microsoft Azure. What's New? Version 22.1.4 of Microsoft Defender for IoT delivers extended device inventory information on the Azure portal with extended data for the following fields: Description Tags Protocols Scanner Last Activity MD5 Hash - 1ed781cb82492dab1f35983ed331ca0a About Defender for IoT Azure Defender for IoT provides agentless, network-layer security, provides security for diverse industrial equipment, and interoperates with Azure Sentinel and other SOC tools. Continuous asset discovery, vulnerability management, and threat detection for Internet of Things (IoT) devices, operational technology (OT) and Industrial Control Systems (ICS) can be deployed on-premises or in Azure-connected environments.Take Azure Defender for IoT for a Spin
Intended audience: Security and OT engineering enthusiasts, looking to secure unmanaged critical networks used by IoT/OT devices such as Building Management Systems, Manufacturing, Critical Infrastructure and more! Introduction You’ve read the product materials and would like to get started with securing your IoT/OT network – in this blog post, we will focus on setting up a sensor on your critical networks - without impacting IoT/OT stability or performance (If you missed it, you can read more about the capabilities of Azure Defender for IoT here). The goal of this article is to guide you through setting up a sensor to demonstrate the value of the system, as well as a quick start for securing unmanaged IoT/OT devices. Try it now at no charge Try Azure Defender for IoT - This version includes the agentless security provided via the integration of CyberX, a Microsoft company, plus the ability to connect to Azure Sentinel. Preparing your environment Azure Defender for IoT monitors unmanaged devices that are used in Operational Technology (OT) environments such as manufacturing, building management systems (BMS), life sciences, energy and water utilities, oil & gas, and logistics. In the most basic configuration, Setting up your environment can be taken in 4 easy steps: 1. Setup a sensor The software for the sensor may be installed on physical servers or as a virtual machine. The sensor installation files can be downloaded from the Azure Defender for IoT portal, on the “Getting Started” -> “Network Sensor” tab. Log into your Azure Account and download the ISO installer for the sensor. Install the ISO from USB on a VM or physical server (see Hardware Guide and Installation Guide) Make sure to make a note of the administrative login credentials presented during the installation process. If your setup includes multiple sensors, you can also download the optional “On-Premises Management Console” which allows you to manage and monitor large sensor deployments. More on this in the Installation Guide, Chapter 8 2. Monitor a SPAN port The sensor implements non-invasive passive monitoring with Network Traffic Analysis (NTA) and Layer 7 Deep Packet Inspection (DPI) to extract detailed IoT/OT information in real-time, even across diverse automation equipment from all major OT suppliers such as: Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, etc. Locate a managed LAN switch connected to IoT/OT devices. These switches can typically be set up with monitoring ports (also called SPAN or mirror ports). Utilizing this technique, the sensor will passively monitor the OT network, without creating any traffic which might impact or risk devices on the network. Connect the monitoring port to the sensor’s monitoring interface (typically the first available ethernet card) For more information and configuration examples, see the Network Deployment Guide, Chapter 5 - “Traffic Monitoring.” 3. Register and Activate the Sensor Once the sensor has been connected to the monitor port – it will immediately begin to analyze the network traffic. The next step is to login to the sensor and activate it with an activation file available for your account, in the Azure Defender for IoT portal. Log into your Azure Account select the “Onboard” sensor button (underlined below): Next, fill in the sensor name and subscription details. The button for "cloud-connected" will optionally send alert information into IoT Hub and Sentinel for further analysis. If you have an air-gapped or completely on-premises implementation with no connection to the cloud, disable the "cloud-connected" button below before you generate your license. Download the activation file. This will be used in the next step to activate the sensor. Login to the sensor’s IP address, with the administrative credentials shown during the installation process. On the next screen – upload the activation file from the previous step. For more information and detailed steps, see the Onboarding Guide. 4. Start Exploring Now you’ve successfully installed your first sensor and you can start using the system – view the asset inventory, zoom in on the network map or generate a risk report. Conclusion Thank you for reading this blog post. There will be more blog posts to follow, which will enable you to get the best of out your system, which will include: what to do when malware is detected, connecting to Azure Sentinel, or simulating attack vectors, so please check back with us soon. Learn more with these educational resources: Watch our Ignite session showing how Azure Defender for IoT and Azure Sentinel are combined to investigate multistage attacks that cross IT/OT boundaries, using the TRITON attack on a petrochemical facility as an example. Watch our Tech Community webinar describing MITRE ATT&CK for ICS, an OT-focused version of the well-known MITRE ATT&CK framework originally developed for IT networks. Watch our SANS webinar featuring the head of Microsoft’s datacenter security program, about securing building automation systems using continuous OT security monitoring. Stay tuned for an upcoming webinar during which we’ll do a technical walkthrough of how to deploy and use Azure Defender for IoT. Troubleshooting No traffic is monitored on the sensor. Check that the monitoring port is connected to the correct ethernet port. Make sure the port is indeed a SPAN port by monitoring bandwidth on the port. For more troubleshooting, see the Network Setup Guide, Appendix 1 I cannot find a device in the Asset Inventory Make sure the device is connected to the network. Search for its MAC address in the Asset Inventory – if it is active, it will appear on the list.Latest Threat Intelligence (May 2022)
Microsoft has released the May 2022 Threat Intelligence update package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. MD5 Hash - 542b8cffe15b91d1c9bc5f9895f1fd2a This package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month). The current release includes detection rules and IOCs implemented by Section 52 security researchers for: Pipedream/Incontroller modular attack framework and toolkit. The custom tools enable threat actors to conduct automated attacks, search for devices on networks, and disrupt operations and access. For more information, please read the following the recent alert on APT Cyber Tools Targeting ICS/SCADA Devices. BlackCat/ALPHV ransomware. BlackCat operators use previously compromised credentials to gain access to systems, deploy malicious scripts and disable security features. The ransomware has affected over 60 entities worldwide. For detailed IOCs and mitigation guidelines, please see the FBI Flash report for more information. Industroyer2 malware. The Industroyer variant is self-contained and highly customizable, allowing threat actors to adapt the malware to specific devices on OT networks. Updated CVEs (CVEs provide a reference method for publicly known information security vulnerabilities and exposures) published over the last month and are available for reference on the MITRE site, in the National Vulnerability Database site (NVD) as well as IoT/OT specific ICS-CERT. Update your system with the latest TI package: Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release, click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. Additionally, the package can be downloaded from the Microsoft Defender for IoT portal, under Updates: To update a package on a single sensor: Go to the Microsoft Defender for IoT Updates page. Download and save the Threat Intelligence package. Sign into the sensor console. On the side menu, select System Settings. Select Threat Intelligence Data, and then select Update. Upload the new package. To update a package on multiple sensors simultaneously: Go to the Microsoft Defender for IoT Updates page. Download and save the Threat Intelligence package. Sign into the management console. On the side menu, select System Settings. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages. In the Select Threat Intelligence Data section, select the plus sign (+). Upload the package. For more information, please review Update threat intelligence data | Microsoft DocsLatest Threat Intelligence (April 2022)
Microsoft has released the April 2022 Threat Intelligence update package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. MD5 Hash - 6efaddcd91b5d3094cb1dc61c35248fb This package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise) and indicators applicable to IoT/ICS/OT networks (published during the past month) including indicators for the the Trickbot IoT botnet. CVEs provide a reference method for publicly known information security vulnerabilities and exposures, and are available for reference on the MITRE site, in the National Vulnerability Database site (NVD) as well as IoT/OT specific ICS-CERT. Update your system with the latest TI package: Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release, click here for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT. Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the Defender for IoT portal by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. Additionally, the package can be downloaded from the Microsoft Defender for IoT portal, under Updates: To update a package on a single sensor: Go to the Microsoft Defender for IoT Updates page. Download and save the Threat Intelligence package. Sign into the sensor console. On the side menu, select System Settings. Select Threat Intelligence Data, and then select Update. Upload the new package. To update a package on multiple sensors simultaneously: Go to the Microsoft Defender for IoT Updates page. Download and save the Threat Intelligence package. Sign into the management console. On the side menu, select System Settings. In the Sensor Engine Configuration section, select the sensors that should receive the updated packages. In the Select Threat Intelligence Data section, select the plus sign (+). Upload the package. For more information, please review Update threat intelligence data | Microsoft Docs
