Nozomi Networks Labs
Defending Critical Infrastructure Against Cyber Risk
ABOUT LABS
Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations.
Through our cyber security research, and collaboration with industry and institutions, we’re helping defend the industrial systems that support everyday life.
Collaborating to Reduce ICS Cyber Risk
Nozomi Networks Labs is working with a broad range of experts, industry leaders and institutions to improve industrial cyber security.
If you’d like to work together, we’d love to hear from you!
Threat Advisories
Schneider Electric Modicon Controllers (ICSA-20-016-01)
Successful exploitation of this vulnerability could cause a denial-of-service condition in the controller when reading specific memory blocks using Modbus TC, when writing specific physical memory blocks using Modbus TCP, and when reading data with invalid index using Modbus TCP.
SIEMENS SCALANCE X Switches – Advisory (ICSA-19-225-03)
Successful exploitation of this vulnerability could cause a denial-of-service condition.
Mitsubishi Electric MELSEC-Q Series Ethernet Module (ICSA-19-141-02)
Successful exploitation of this vulnerability may render the device unresponsive, requiring a physical reset of the PLC (Programmable Logic Controller).
Labs Blogs
URGENT/11 – New ICS Threat Signatures by Nozomi Networks Labs
A well-known RTOS (Real-Time Operating System), widely used in industrial sectors, is at risk from a series of 11 vulnerabilities dubbed URGENT/11.
Nozomi Networks Labs conducted research on the vulnerable devices and has released threat signatures for URGENT/11 that identify threats in typical industrial networks without generating high numbers of false positive alerts.
New Switch Vulnerability Discovered by Nozomi Networks Labs
On August 13, 2019, the Siemens CERT Team issued an advisory (SSA-100232) concerning Siemens SCALANCE switch devices. This vulnerability was responsibly disclosed to Siemens CERT Team and CISA by Nozomi Networks Labs.
Learn more about our findings and gain a better understanding of the cyber risks of legacy devices.
Black Hat: The Future of Securing Power Grid Intelligent Devices
Today at Black Hat USA we’re presenting an innovative power grid cyber security solution that greatly improves monitoring of intelligent electronic devices (IEDs).
Using the IEC 62351 standard for monitoring industrial networks, we demonstrate how four types of hard-to-detect attacks are readily identified.
Tools
URGENT/11 Nmap NSE Script for Detecting Vulnerabilities
- Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
- Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.
GreyEnergy Unpacker + Yara Module
- GreyEnergy Unpacker – automatically unpacks both the dropper and the backdoor and extracts them onto a disk
- GreyEnergy Yara Module: – determines whether a file processed by Yara is the GreyEnergy packer or not
Radamsa Enhancement, Introducing PCAPNG Awareness
- Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.
Reports
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis
A comprehensive analysis of one the GreyEnergy malware’s infection techniques, a phishing email, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest reverse engineering is done on the packer. Two new tools were released to support further analysis of GreyEnergy.
TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload
How to turn an undocumented ICS device into malicious code, starting from creating a working system and followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.
Research Projects
IEC 62351 Standards for Securing Power System Communications
IEC Working Group 15 (WG15) is developing technology standards for secure-by-design power systems. Labs contributes to the standards and has demonstrated how they can be used to identify hard-to-detect cyberattacks. Research from this effort was presented at Black Hat USA 2019.
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor
The Labs team reverse engineered the GreyEnergy malicious document (maldoc) that leads to the installation of the malware (backdoor) on a victim’s network. Project outcomes include a report, multiple blogs and two free tools for security researchers.
TRITON: The First ICS Cyber Attack on Safety Instrument Systems
TRITON is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). Labs reverse engineered the TriStation suite of software and delivered a report and two free tools for security researchers. This research was presented at Black Hat USA 2018.
OT ThreatFeed
Click to enlarge.
Curated and maintained by Nozomi Networks Labs, the OT ThreatFeed™ provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current ICS risks.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
© 2019 Nozomi Networks, Inc.
All Rights Reserved.