Nozomi Networks Labs
Defending Critical Infrastructure Against Cyber Risk
Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations. Through our cybersecurity research and collaboration with industry and institutions, we’re helping defend the operational systems that support everyday life.
Vulnerability Advisories
ThroughTek P2P protocol deobfuscation – CVE-2021-32934
The communication between ThroughTek servers, OEMs products embedding ThroughTek P2P library and client applications is obfuscated with a custom protocol that relies on an hardcoded key. By deobfuscating the protocol, is possible to access the cleartext content of the communication.
Mitsubishi Electric MELSEC iQ-R Series products – CVE-2021-20591
An attacker may prevent legitimate clients from connecting to an affected product by manipulating the link parameter or changing its state
Mitsubishi Electric recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
JTEKT TOYOPUC products – CVE-2021-27458
An attacker could prevent Ethernet communication from being established in the affected products by manipulating the link parameter or changing its state.
JTEKT Corporation recommends that users apply the suggested mitigation so an unauthorized user cannot stop the establishment of Ethernet communications between devices.
Labs Blogs
Firmware Security Research: Dahua Facial Recognition Station
To illustrate how we tackle the issue of firmware inspection, Nozomi Networks Labs selected a popular facial/thermal recognition camera and describes how to analyze the firmware in detail.
New Axis OS Security Research Aided by Transparent Design
Nozomi Networks Labs published three new vulnerabilities (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) affecting multiple Axis devices. The transparent approach applied by Axis into security review allowed Labs to perform an immediate static analysis and verification of the vulnerabilities.
Extract Firmware from OT Devices for Vulnerability Research
One of the most challenging tasks for a cybersecurity researcher is getting access to the underlying file system in OT devices to do a full analysis of potential attack vectors. This blog describes techniques for extracting firmware directly from the hardware and reading the flash content, a critical skill in a structured research team.
Webinars & Podcasts
Investigating the Ransomware and IoT Vulnerabilities Landscape
Panelists: Ivan Speziale, Chris Grove
Date: July 27, 2021
Cybercrime continues to rise sharply as threat actors go after industrial targets that can be worth millions in ransomware payments. To help security defenders fight back, Nozomi Networks Labs will share insight from its new research into the current security landscape.
Insights on the Top OT/IoT Security Threats – How to Protect Your Operations
Panelists: Alessandro Di Pinto, Ivan Speziale, Chris Grove
Duration: 50+ minutes
To help you address accelerating OT/IoT security issues, the Nozomi Networks Labs team shares their new research findings on the top threats targeting critical infrastructure and industrial operations. Learn about the current OT/IoT threat landscape, supply chain threats to OT and IoT environments, ransomware risks, and how to protect your critical OT/IoT networks.
P2P Botnets: Following the Network Trail
Panelists: Ivan Speziale, Giannis Tsaraias, Chris Grove
Duration: 30+ minutes
To increase botnet resiliency, threat actors are now using a hybrid model, rather than a pure peer-to-peer one. While disrupting the malicious activity of P2P botnets can be challenges, there are proven strategies that can be follow when a specific network is affected. Learn about how P2P/hybrid botnets operate, how to spot botnet infections in your network, and the most effective ways to disrupt them.
Tools
Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity
New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.
- Assertions for COVID-19 Network Indicators – Queries that check for communications with malicious IP addresses and URLs
- Assertions for Remote Access Monitoring – Queries that check the number of simultaneous remote connections and generate alerts if the number surpasses a threshold.
COVID-19 Malware: OT and IoT Threat Intelligence
To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.
- COVID-19 themed Network Indicators – Network IOCs (Indicators of Compromise)
- COVID-19-Themed Ransomware Rules – Yara rules for detecting coronavirus ransomware
- COVID-19 Informer Malware Rules– Yara rules for detecting COVID-19 Informer malware
- COVID-19-Themed Hash – List of hashes that detect malicious files
- COVID-19 Chinoxy Backdoor Malware – SNORT rule for detecting network infection
URGENT/11 Nmap NSE Script for Detecting Vulnerabilities
- Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
- Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.
Reports
OT/IoT Security Report July 2021: What You Need to Know to Fight Ransomware and IoT Vulnerabilities
Find out how to fight ransomware and IoT vulnerabilities with new insights and actionable recommendations from the Nozomi Networks Labs team.
OT/IoT Security Report February 2021: Supply Chain and Persistent Ransomware Attacks Reach New Heights
Find out how to protect your operations with new insight into top OT/IoT threats and vulnerabilities from the Nozomi Networks Labs team.
OT/IoT Security Report 2020: Rising IoT Botnets and Shifting Ransomware Escalate Enterprise Risk
Find out what Nozomi Networks security researchers have learned about rising IoT botnets, shifting ransomware, COVID-19 threats and top ICS vulnerabilities.
Research Projects
IEC 62351 Standards for Securing Power System Communications
IEC Working Group 15 (WG15) is developing technology standards for secure-by-design power systems. Labs contributes to the standards and has demonstrated how they can be used to identify hard-to-detect cyberattacks. Research from this effort was presented at Black Hat USA 2019.
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor
The Labs team reverse engineered the GreyEnergy malicious document (maldoc) that leads to the installation of the malware (backdoor) on a victim’s network. Project outcomes include a report, multiple blogs and two free tools for security researchers.
TRITON: The First ICS Cyberattack on Safety Instrument Systems
TRITON is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). Labs reverse engineered the TriStation suite of software and delivered a report and two free tools for security researchers. This research was presented at Black Hat USA 2018.
Threat Intelligence
Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
© 2021 Nozomi Networks, Inc.
All Rights Reserved.