OT & IoT Security Blog
Learn More About OT & IoT Security and Visibility
Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk
Nozomi Networks Labs discovered a vulnerability (tracked as ICS-VU-638779 and VU#473698, later assigned CVE-2022-30295) affecting the Domain Name System (DNS) implementation of all versions of uClibc and uClibc-ng, a C standard library widely used in IoT products. The flaw is caused by the predictability of the transaction IDs in the DNS requests generated by the library: an attacker who can observe or trigger one lookup can predict the ID of the next one and race a forged response to it, poisoning the device's DNS resolution.
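The following added example (written for this page, not code from Nozomi Networks or from uClibc) shows why a predictable transaction ID is enough for off-path DNS poisoning. A toy stub resolver accepts any answer whose 16-bit TXID and question name match an outstanding query, which is the check a real stub library performs; it is driven once with sequential IDs (the behaviour reported for uClibc) and once with random IDs. The resolver class, the host names and the attacker address 192.0.2.1 are constructed for the demonstration, and the UDP source port, which a real attack must also match, is deliberately ignored.

```python
import random
import struct

# Constructed example: a toy stub resolver whose only defense against a forged
# answer is the 16-bit transaction ID (TXID). Not uClibc's or Nozomi's code.
# Real poisoning must also match the UDP source port; that is ignored here.


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(txid, name):
    """Recursive A query for `name` carrying `txid` in the header."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_answer(txid, name, ip):
    """Forged answer mapping `name` to `ip`, as an off-path attacker would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xC00C = compression pointer to the question name at offset 12; TTL 60, RDLENGTH 4
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def txid_of(pkt):
    return struct.unpack("!H", pkt[:2])[0]


def a_record_of(pkt):
    return ".".join(str(b) for b in pkt[-4:])


class StubResolver:
    def __init__(self, next_txid):
        self.next_txid = next_txid
        self.pending = {}  # name -> TXID of the outstanding query
        self.cache = {}    # name -> IP accepted from an answer

    def send_query(self, name):
        txid = self.next_txid()
        self.pending[name] = txid
        return build_query(txid, name)

    def receive(self, pkt):
        """Accept the first answer whose TXID and question name match a pending query."""
        for name, txid in list(self.pending.items()):
            qname = encode_name(name)
            if txid_of(pkt) == txid and pkt[12:12 + len(qname)] == qname:
                self.cache[name] = a_record_of(pkt)
                del self.pending[name]
                return True
        return False


def sequential_txids(start=1):
    """Models the reported uClibc behaviour: IDs simply increment from a fixed start."""
    state = [start - 1]

    def gen():
        state[0] = (state[0] + 1) & 0xFFFF
        return state[0]
    return gen


def random_txids():
    """The fix: an unpredictable TXID from a CSPRNG."""
    rng = random.SystemRandom()
    return lambda: rng.randrange(0x10000)


def poison(resolver, bait, target, attacker_ip):
    """Off-path attacker: observe one query (e.g. by luring the device to resolve
    `bait`), predict the next TXID, and race a forged answer for `target`."""
    predicted = (txid_of(resolver.send_query(bait)) + 1) & 0xFFFF
    resolver.send_query(target)  # the victim's real lookup goes out
    return resolver.receive(build_answer(predicted, target, attacker_ip))


def success_rate(txid_factory, trials):
    """Fraction of poisoning attempts accepted by a fresh resolver per trial."""
    hits = sum(poison(StubResolver(txid_factory()), "bait.example", "update.example", "192.0.2.1")
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("sequential TXIDs:", success_rate(sequential_txids, 20))  # 1.0
    print("random TXIDs:    ", success_rate(random_txids, 20))      # ~0.0 (1/65536 per try)
```

With sequential IDs every attempt succeeds after observing a single query; with random IDs the attacker is back to a 1-in-65536 guess per forged packet, and randomising the source port as well multiplies that by the port range. Detecting this on the wire amounts to watching for a burst of DNS responses to a device for the same name that arrive before, or alongside, the legitimate one.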
Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
While Industroyer targets multiple IEC protocols, Industroyer2 is a standalone executable which exclusively targets IEC-104. Based on the analysis, it’s likely that the threat actor was in the network days before the attack and had a fairly complete understanding of security measures in the target environment, and that Industroyer2 was designed to be executed in a privileged environment with direct access to the target device.
Improving Airport Cybersecurity Starts with Visibility
Nozomi Networks Brings ICS Expertise to New CISA JCDC-ICS
Nozomi Networks is a founding partner in CISA’s expansion of the Joint Cyber Defense Collaborative (JCDC) to incorporate ICS security expertise.
New BotenaGo Variant Discovered by Nozomi Networks Labs
While open-source programming languages have their benefits, attackers find them equally useful and have been using Go to write malware. Our research highlights a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, which we have named Lillin scanner.
INCONTROLLER: Acting to Protect Customers from Unknown Threats
INCONTROLLER is believed to have been developed by a sophisticated nation state threat actor to maliciously manipulate ICS environments. The latest Nozomi Networks Threat Intelligence package includes YARA rules to detect the two supporting Windows-based INCONTROLLER tools.
Industroyer2 Targets Ukraine’s Electric Grid: How Companies Can Stay Protected and Resilient
In light of the attempted attack on Ukraine’s power grid with Industroyer2 malware, the safety and security of Nozomi Networks customers is our top priority. Our latest Threat Intelligence package provides Industroyer2 Indicators of Compromise (IoCs) that will detect and alert customers of any known activity linked to the malware.
Addressing Increasing Cyber Regulations – Nozomi Networks Co-Founds OT Cyber Coalition
Today we are proud to announce that Nozomi Networks has joined forces with an expert group of global cybersecurity leaders to launch the Operational Technology Cybersecurity Coalition. Nozomi Networks believes that when we put our customers’ best interest ahead of our...
Log4Shell: Nozomi Networks Continues to Improve Security for New Threats
In December 2021, as most people were looking forward to a quiet end of the year, Log4Shell, the vulnerability in the Apache Log4j logging utility, burst onto the scene. The combination of relatively easy remote code execution and widespread use of the Apache Log4j...
Addressing Cybersecurity Readiness for the Global Shipping Industry
Maritime ports, port facilities and vessel operations are increasingly seen as high value cybersecurity targets. Well-funded nation state actors pose a near-term threat, and risks to these operations can result in enormous losses as well as threaten large supply...
Answering the Call for Heightened Vigilance in the Face of Unknown Threats
Reverse Engineering Obfuscated Firmware for Vulnerability Analysis
With vendors applying increasingly advanced obfuscation and encryption techniques to protect the confidentiality of their code, finding vulnerabilities can be especially challenging. A further difficulty is firmware that is hard to reverse because it was compiled for an obsolete architecture that commercial disassemblers cannot properly reconstruct. The firmware in the Schneider Electric APC PDU is an example of such code; it has been around for years and is compiled for an old and obsolete version of the Intel 80286, which prevents easy reading or inspection.
Ukraine, Vermont Utility Cyberattacks Highlight Need for Robust ICS Security in 2017
2016 ended with reports of two electric utility organizations, on different sides of the world (Ukraine and Vermont), citing cyberattacks or malware infections. Both incidents highlight that infections of corporate computers can threaten power systems, and the need for robust ICS security in 2017. This article walks through the steps of the watershed 2015 Ukraine utility cyberattack as it moved from IT to OT systems and suggests ways of improving threat detection and mitigation.
Web Interface Flaw Threatens Reliability of Cyber-Physical Systems
Today Nozomi Networks Labs announced the discovery and disclosure of a vulnerability in the web interface of the Schneider Electric Power Distribution Unit (PDU), the APC AP7920B. At the time of disclosure, roughly 10% of all desktop browsers worldwide could have been leveraged to carry out the attack.
Critical Log4Shell (Apache Log4j) Zero-Day Attack Analysis
An analysis by Nozomi Networks Labs of the Apache Log4j vulnerability (CVE-2021-44228) and of the structure of the zero-day exploits used against it.
Five New Vulnerabilities Disclosed in Patient Monitoring Systems
Nozomi Networks Labs discloses five vulnerabilities affecting attack surfaces on a Philips patient monitoring solution. Solutions from other vendors may have similar vulnerabilities.
The Long-range Disruption of Industrial IoT LoRaWAN Networks
The Nozomi Networks Labs team used drones to investigate attacks against a low-power radio frequency WAN technology widely used in industrial IoT networks.
Enhancing Threat Intelligence with the MITRE ATT&CK Framework
Billions of IoT devices are used in the industrial sector and threat actors are quickly evolving new malware focused on them. Don’t miss this analysis of the SBIDIOT IoT malware to learn how it communicates with targets and what types of commands it supports. Includes IOCs.
Firmware Security Research: Dahua Facial Recognition Station
To illustrate how we tackle firmware inspection, Nozomi Networks Labs selected a popular facial/thermal recognition camera and describes how to analyze its firmware in detail.
New Axis OS Security Research Aided by Transparent Design
Nozomi Networks Labs published three new vulnerabilities (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) affecting multiple Axis devices. Axis' transparent approach to security review allowed Labs to perform immediate static analysis and verification of the vulnerabilities.
Extract Firmware from OT Devices for Vulnerability Research
One of the most challenging tasks for a cybersecurity researcher is getting access to the underlying file system in OT devices to do a full analysis of potential attack vectors. This blog describes techniques for extracting firmware directly from the hardware and reading the flash content, a critical skill in a structured research team.
BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
New Annke Vulnerability Shows Risks of IoT Security Camera Systems
Nozomi Networks Labs has discovered a remote code execution vulnerability in the Annke N48PBB network video recorder. We urge network defenders to check their systems for the device, and apply the available patch immediately.
The Clever Use of Postdissectors to Analyze Layer 2 Protocols
Nozomi Networks Labs analyzes the Layer 2 protocol used by the RUGGEDCOM devices, focusing on how to instruct Wireshark to properly detect it and begin the dissection process.
New Research Uncovers 5 Vulnerabilities in Mitsubishi Safety PLCs
Vulnerabilities in Mitsubishi Safety PLCs were discovered by Nozomi Networks Labs. As no patches are available, we outline general mitigations that can be used to protect operational environments. The Nozomi Networks Threat Intelligence service also includes detection logic for these vulnerabilities.
ICS Security Lags Digitization in U.S. Oil and Gas Industry
A recently released study by the Ponemon Institute finds that 61% of oil and gas operators in the U.S. indicate that their organization’s ICS protection and security is inadequate. While the implementation of digitally connected industrial components is delivering business benefits, it has significantly increased cyber risk. Yet only 41% of companies continually monitor OT infrastructure to prioritize cyber threats and attacks.
Leonardo Partnership Boosts Critical Infrastructure Cyber Security
Power grids, transportation systems and other critical industrial infrastructure are the backbone of life – without them world economies would quickly come to a screeching halt. That’s why the partnership between global aerospace, defense and security leader Leonardo, and Nozomi Networks is more than just timely.
Nozomi Networks Integrates with Palo Alto Networks Next-Generation Firewall
Without comprehensive, real-time visibility of industrial control system (ICS) networks, devices and process status, protecting control networks from cyberattacks and avoiding operational disruptions is a serious challenge. Over the last half-decade, Nozomi Networks has built a successful reputation providing a solution to this very problem by offering a non-intrusive, real-time monitoring and threat detection solution built for ICS.
Now, Nozomi Networks has extended the utility and reach of Nozomi Networks Guardian through an integration with the Palo Alto Networks Next-Generation Firewall (NGFW). Find out why Nozomi Networks chose to integrate with this leading firewall and how the companies’ offerings work in tandem to help bridge the IT/OT gap.
Nozomi Networks Selected by FireEye for ICS Depth & Technical Excellence
Malware attacks like WannaCry, Dragonfly 2 and Industroyer have brought industrial cyber threats to the attention of corporate boards and governments around the world. As a result, CISOs and those responsible for critical infrastructure are demanding real, enterprise-grade OT security solutions. Many are reaching out to trusted partners in IT security, looking for help in securing their industrial control networks.
This is the driver behind our new partnership with FireEye. FireEye’s customers include more than 40% of the Forbes Global 2000 and they depend on FireEye to eliminate the complexity and burden of cyber security for them.
To help extend its ICS cyber security offerings, FireEye recently thoroughly analyzed the market for ICS network security monitoring solutions. We’re happy to announce today that our solution has been selected by FireEye to provide cyber security visibility and threat detection for industrial control systems. Find out why our technical excellence and ICS expertise stands out from the crowd.
Advance IT / ICS Cyber Security with Nozomi Networks and Fortinet
In the future, an organization’s cyber security strategy will largely be defined by how well both OT and IT networks can integrate to bring improved vigilance, visibility and protection. In today’s connected world this is more important than ever.
Recently, Nozomi Networks had the privilege of speaking at the 2017 Fortinet 361 event in Vienna, Austria, where IT / OT cyber resilience was a hot topic. I was pleased to discover that many attendees were interested in Fortinet’s commitment to OT (Operations Technology) and ICS (Industrial Control Systems) cyber security. They were also eager to learn how Nozomi Networks is helping Fortinet extend their security offering into the industrial realm with our technology.
If you’re interested in improving IT / ICS cyber security, read on to find out more about the synergetic partnership between Fortinet and Nozomi Networks, and how our products provide the critical ICS cyber security thread for Fortinet Security Fabric.