Nozomi Networks Labs

Defending Critical Infrastructure Against Cyber Risk

ABOUT LABS

Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations.

Through our cyber security research, and collaboration with industry and institutions, we’re helping defend the industrial systems that support everyday life.

Collaborating to Reduce ICS Cyber Risk

Nozomi Networks Labs is working with a broad range of experts, industry leaders and institutions to improve industrial cyber security.

If you’d like to work together, we’d love to hear from you!

CLOSE

NEW SIEMENS SCALANCE X Switches – Advisory (ICSA-19-225-03) NCCIC ICS-CERT BLOG

Research Reports

GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis

by Nozomi Networks Labs | Feb 12, 2019

A comprehensive analysis of one the GreyEnergy malware’s infection techniques, a phishing email, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest reverse engineering is done on the packer. Two new tools were released to support further analysis of GreyEnergy.

DOWNLOAD

TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload

by Nozomi Networks Labs | Aug 8, 2018

How to turn an undocumented ICS device into malicious code, starting from creating a working system and followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.

DOWNLOAD

Tools

GreyEnergy Unpacker + Yara Module

by Nozomi Networks Labs | Feb 12, 2019

GreyEnergy Unpacker – automatically unpacks both the dropper and the backdoor and extracts them onto a disk
GreyEnergy Yara Module: – determines whether a file processed by Yara is the GreyEnergy packer or not

GITHUB

Radamsa Enhancement, Introducing PCAPNG Awareness

by Nozomi Networks Labs | Feb 1, 2019

Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.

GITLAB

Tricotools

by Nozomi Networks Labs | Aug 8, 2018

TriStation Protocol Plug-in for Wireshark – facilitates seeing and comprehending TriStation communications and identifies hardware connected to the safety controller
Triconex Honeypot Tool – simulates SIS controllers on the network, useful for detecting reconnaissance scans and capture malicious payloads

GITHUB

Threat Advisories

SIEMENS SCALANCE X Switches – Advisory (ICSA-19-225-03)

by Nozomi Networks Labs | Aug 23, 2019

Successful exploitation of this vulnerability could cause a denial-of-service condition.

NCCIC ICS-CERT

Mitsubishi Electric MELSEC-Q Series Ethernet Module (ICSA-19-141-02)

by Nozomi Networks Labs | May 22, 2019

Successful exploitation of this vulnerability may render the device unresponsive, requiring a physical reset of the PLC (Programmable Logic Controller).

NCCIC ICS-CERT

Rockwell Automation CompactLogix 5370  (ICSA-19-120-01)

by Nozomi Networks Labs | Apr 30, 2019

Successful exploitation of these vulnerabilities could allow a remote attacker to render the web server unavailable and/or place the controller in a major non-recoverable faulted state (MNRF).

NCCIC ICS-CERT

Siemens SIMATIC S7 – Advisory (ICSA-18-317-05)

by Nozomi Networks Labs | Nov 13, 2018

Successful exploitation of this vulnerability could result in a denial-of-service condition that could result in a loss of availability of the affected device.

NCCIC ICS-CERT

Rockwell Automation RSLinx Classic – Advisory (ICSA-18-263-02)

by Nozomi Networks Labs | Sep 20, 2018

Successful exploitation of these vulnerabilities could crash the device being accessed or allow arbitrary code execution on the device.

NCCIC ICS-CERT

Emerson DeltaV DCS Workstations (ICSA-18-228-01)

by Nozomi Networks Labs | Aug 16, 2018

Successful exploitation of these vulnerabilities could allow arbitrary code execution, malware injection, or malware to spread to other workstations.

NCCIC ICS-CERT

Siemens SIMATIC STEP 7 and SIMATIC WinCC (Update A) – Advisory (ICSA-18-226-01)

by Nozomi Networks Labs | Aug 14, 2018

Successful exploitation of these vulnerabilities may allow an attacker with local file write access to manipulate files and cause a denial-of-service-condition, or execute code both on the manipulated installation as well as devices configured using the manipulated installation.

NCCIC ICS-CERT

GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi – Advisory (ICSA-18-137-01)

by Nozomi Networks Labs | May 17, 2018

Successful exploitation of this vulnerability could cause the device to reboot and change its state, causing the device to become unavailable.

NCCIC ICS-CERT

WAGO 750 Series – Advisory (ICSA-18-088-01)

by Nozomi Networks Labs | Mar 29, 2018

Successful exploitation of this vulnerability could allow a denial-of-service condition affecting the ability of the device to establish connections to commissioning and service software tools.

NCCIC ICS-CERT

Emerson ControlWave Micro Process Automation Controller- Advisory (ICSA-18-058-03)

by Nozomi Networks Labs | Feb 27, 2018

Exploitation may possibly cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can possibly result in a loss of system availability and disruption in communications with other connected devices.

NCCIC ICS-CERT

Schneider Electric Modicon M340 PLC (Update A) – Advisory (ICSA-17-054-03)

by Nozomi Networks Labs | Feb 23, 2017

Successful exploitation of this vulnerability may render the device unresponsive requiring a physical reset of the PLC.

NCCIC ICS-CERT

Labs Blogs

New Switch Vulnerability Discovered by Nozomi Networks Labs

by Younes Dragoni and Alessandro Di Pinto | Aug 14, 2019

On August 13, 2019, the Siemens CERT Team issued an advisory (SSA-100232) concerning Siemens SCALANCE switch devices. This vulnerability was responsibly disclosed to Siemens CERT Team and CISA by Nozomi Networks Labs.

Learn more about our findings and gain a better understanding of the cyber risks of legacy devices.

An ICS Cyber Security Storm is Brewing: How to Prevent Staff Burnout

by Stefan Liversidge | Aug 13, 2019

Building cyber resiliency puts a lot of pressure on an organization’s security team. It requires specialized knowledge that takes time to develop, and there just aren’t enough skilled cyber experts to go around.

Which begs the question: are the limited number of security experts holding the front lines in danger of burnout – and what can we do about it?

Black Hat: The Future of Securing Power Grid Intelligent Devices

by Alessandro Di Pinto and Younes Dragoni | Aug 8, 2019

Today at Black Hat USA we’re presenting an innovative power grid cyber security solution that greatly improves monitoring of intelligent electronic devices (IEDs). Using the IEC 62351 standard for monitoring industrial networks, we demonstrate how four types of hard-to-detect attacks are readily identified.

What You Need to Know About LookBack Malware & How to Detect It

by Lauren Barraco | Aug 3, 2019

On August 1, security researchers at Proofpoint reported the details of spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network. Learn more about LookBack malware and how you can detect it.

Advances in Cyber Security for Electric Utilities: WG15 & Black Hat

by Moreno Carullo | Jun 19, 2019

As a passionate champion for secure-by-design power grid systems, I’ve been part of WG15, the group defining IEC 62351 standards to enable such systems, for years.

If you’d like to learn about the future of cyber security for electric utilities, I urge you to read this article. It also provides a sneak peek into our related (and groundbreaking!) talk about power system security at Black Hat USA 2019.

Nozomi Networks Labs Finds New Rockwell PLC Vulnerability

by Younes Dragoni | Apr 30, 2019

Today, the U.S. Department of Homeland Security issued ICS CERT Advisory (ICSA-19-120-01) concerning Rockwell Automation CompactLogix controllers. Nozomi Networks responsibly disclosed the vulnerability to CISA and Rockwell Automation. Read on to learn about our findings and gain a better understanding of the cyber risks of legacy devices.

Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro

by Alessandro Di Pinto and Heather MacKenzie | Mar 19, 2019

It was reported today that Norsk Hydro has temporarily stopped aluminum production at several plants following an attack by the ransomware known as LockerGoga. Nozomi Networks Labs has conducted a preliminary evaluation of LockerGoga. Read on to learn about this ransomware and our research team’s assessment of it.

Nozomi Networks Labs Enhances Radamsa for Safer ICS Software

by Moreno Carullo | Mar 19, 2019

Nozomi Networks Labs is committed to conducting cyber security research that makes industrial organizations more secure. Our latest project involves enhancing Radamsa, an open source fuzzing tool for testing software.

Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.

Nozomi Networks Labs: Sharing Valuable ICS Cyber Security Research

by Moreno Carullo and Andrea Carcano | Mar 19, 2019

Over the past few years our company has been focused on product development and building our team, but we also began to contribute research to the ICS security community. Today we’re formally introducing Nozomi Networks Labs, whose goal is to help defend the industrial systems that support everyday life.

GreyEnergy Malware Research Paper: Maldoc to Backdoor

by Alessandro Di Pinto | Feb 12, 2019

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.

Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.

IEC 62351 Standards for Securing Power System Communications

by Moreno Carullo | Jan 29, 2019

To help counter the growing concern about cyberattacks aiming to disrupt power systems, industrial experts have been working together in WG15. This group, part of IEC, is defining the standards known as IEC 62351, for secure-by-design power grids. As a member of WG 15 since 2015, I thought it might be helpful to inform you about these standards and provide an update on their status.

Analyzing the GreyEnergy Malware: from Maldoc to Backdoor

by Alessandro Di Pinto | Nov 20, 2018

GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years. As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.

« Older Entries

Projects

IEC 62351 Standards for Securing Power System Communications

GreyEnergy: Dissecting the Malware from Maldoc to Backdoor

TRITON: The First ICS Cyber Attack on Safety Instrument Systems

OT ThreatFeed

Click to enlarge.

Curated and maintained by Nozomi Networks Labs, the OT ThreatFeed™ provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current ICS risks.

LEARN MORE

“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”

ANDREA CARCANO & MORENO CARULLO

Co-founders, Nozomi Networks