Nozomi Networks Labs
Defending Critical Infrastructure Against Cyber Risk
Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations. Through our cybersecurity research and collaboration with industry and institutions, we’re helping defend the operational systems that support everyday life.
Threat Advisories
Mitsubishi Electric Multiple Factory Automation Engineering Software Products – Advisory (ICSA-20-212-02)
Successful exploitation of this vulnerability may enable the reading of arbitrary files, cause a denial-of-service condition, and allow execution of a malicious binary.
Schneider Electric Modicon Controllers (ICSA-20-016-01)
Successful exploitation of this vulnerability could cause a denial-of-service condition in the controller when reading specific memory blocks using Modbus TC, when writing specific physical memory blocks using Modbus TCP, and when reading data with invalid index using Modbus TCP.
SIEMENS SCALANCE X Switches – Advisory (ICSA-19-225-03)
Successful exploitation of this vulnerability could cause a denial-of-service condition.
Labs Blogs
Overcoming the Challenges of Detecting P2P Botnets on Your Network
It can be challenging to disrupt the malicious activities of peer-to-peer (P2P) botnets. Find out how to protect your OT/IoT networks against them.
CISA-Sponsored CVE Program Grants Nozomi Networks CNA Status
Nozomi Networks is a CVE Numbering Authority (CNA). The CVE Program is the international standard for identifying and naming cybersecurity vulnerabilities.
Your Guide to the MITRE ATT&CK Framework for ICS
Learn how security teams can use details about adversary behavior and actions contained in the MITRE ATT&CK Framework for ICS to enhance their security strategies.
Webinars & Podcasts
P2P Botnets: Following the Network Trail
Panelists: Ivan Speziale, Giannis Tsaraias, Chris Grove
Wednesday November 4, 2020
8:00 am PDT | 11:00 am EDT | 17:00 CET
Duration: 30+ minutes
To increase botnet resiliency, threat actors are now using a hybrid model, rather than a pure peer-to-peer one. While disrupting the malicious activity of P2P botnets can be challenges, there are proven strategies that can be follow when a specific network is affected. Learn about how P2P/hybrid botnets operate, how to spot botnet infections in your network, and the most effective ways to disrupt them.
How to Use the MITRE ATT&CK Framework for ICS
Panelists: Yiannis Stavrou, Patrick Bedwell, Chris Grove
Duration: 30+ minutes
Learn how security teams can use the MITRE ATT&CK Framework for ICS to enhance their organization’s security strategies and policies. The framework uses threat modelling to classify malicious cybersecurity events against an OT environment, and is designed to describe the course of action an adversary might follow, and create a knowledge base of threat actor behaviors.
OT/IoT Security Report 2020
Panelists: Andrea Carcano, Alessandro Di Pinto, Ivan Speziale
Duration: 50 minutes
Learn about the most active threats seen in the first six months of 2020, including IoT malware, ransomware, and COVID-19-themed malware. Gain insight into their tactics, and get recommendations for securing your OT/IoT networks.
Tools
Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity
New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.
- Assertions for COVID-19 Network Indicators – Queries that check for communications with malicious IP addresses and URLs
- Assertions for Remote Access Monitoring – Queries that check the number of simultaneous remote connections and generate alerts if the number surpasses a threshold.
COVID-19 Malware: OT and IoT Threat Intelligence
To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.
- COVID-19 themed Network Indicators – Network IOCs (Indicators of Compromise)
- COVID-19-Themed Ransomware Rules – Yara rules for detecting coronavirus ransomware
- COVID-19 Informer Malware Rules– Yara rules for detecting COVID-19 Informer malware
- COVID-19-Themed Hash – List of hashes that detect malicious files
- COVID-19 Chinoxy Backdoor Malware – SNORT rule for detecting network infection
URGENT/11 Nmap NSE Script for Detecting Vulnerabilities
- Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
- Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.
Reports
OT/IoT Security Report 2020: Rising IoT Botnets and Shifting Ransomware Escalate Enterprise Risk
Find out what Nozomi Networks security researchers have learned about rising IoT botnets, shifting ransomware, COVID-19 threats and top ICS vulnerabilities.
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis
A comprehensive analysis of one the GreyEnergy malware’s infection techniques, a phishing email, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest reverse engineering is done on the packer. Two new tools were released to support further analysis of GreyEnergy.
TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload
How to turn an undocumented ICS device into malicious code, starting from creating a working system and followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.
Research Projects
IEC 62351 Standards for Securing Power System Communications
IEC Working Group 15 (WG15) is developing technology standards for secure-by-design power systems. Labs contributes to the standards and has demonstrated how they can be used to identify hard-to-detect cyberattacks. Research from this effort was presented at Black Hat USA 2019.
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor
The Labs team reverse engineered the GreyEnergy malicious document (maldoc) that leads to the installation of the malware (backdoor) on a victim’s network. Project outcomes include a report, multiple blogs and two free tools for security researchers.
TRITON: The First ICS Cyber Attack on Safety Instrument Systems
TRITON is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). Labs reverse engineered the TriStation suite of software and delivered a report and two free tools for security researchers. This research was presented at Black Hat USA 2018.
Threat Intelligence
Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
© 2020 Nozomi Networks, Inc.
All Rights Reserved.