Nozomi Networks Labs
Defending Critical Infrastructure Against Cyber Risk
ABOUT LABS
Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations.
Through our cyber security research, and collaboration with industry and institutions, we’re helping defend the industrial systems that support everyday life.
Collaborating to Reduce ICS Cyber Risk
Nozomi Networks Labs is working with a broad range of experts, industry leaders and institutions to improve industrial cyber security.
If you’d like to work together, we’d love to hear from you!
 Research Reports
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis
A comprehensive analysis of one the GreyEnergy malware’s infection techniques, a phishing email, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest reverse engineering is done on the packer. Two new tools were released to support further analysis of GreyEnergy.
TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload
How to turn an undocumented ICS device into malicious code, starting from creating a working system and followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.
Tools
GreyEnergy Unpacker + Yara Module
- GreyEnergy Unpacker – automatically unpacks both the dropper and the backdoor and extracts them onto a disk
- GreyEnergy Yara Module: – determines whether a file processed by Yara is the GreyEnergy packer or not
Radamsa Enhancement, Introducing PCAPNG Awareness
- Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.
Tricotools
- TriStation Protocol Plug-in for Wireshark – facilitates seeing and comprehending TriStation communications and identifies hardware connected to the safety controller
- Triconex Honeypot Tool – simulates SIS controllers on the network, useful for detecting reconnaissance scans and capture malicious payloads
Threat Advisories
Siemens SIMATIC S7 – Advisory (ICSA-18-317-05)
Successful exploitation of this vulnerability could result in a denial-of-service condition that could result in a loss of availability of the affected device.
Rockwell Automation RSLinx Classic – Advisory (ICSA-18-263-02)
Successful exploitation of these vulnerabilities could crash the device being accessed or allow arbitrary code execution on the device.
Emerson DeltaV DCS Workstations (ICSA-18-228-01)
Successful exploitation of these vulnerabilities could allow arbitrary code execution, malware injection, or malware to spread to other workstations.
Siemens SIMATIC STEP 7 and SIMATIC WinCC (Update A) – Advisory (ICSA-18-226-01)
Successful exploitation of these vulnerabilities may allow an attacker with local file write access to manipulate files and cause a denial-of-service-condition, or execute code both on the manipulated installation as well as devices configured using the manipulated installation.
GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi – Advisory (ICSA-18-137-01)
Successful exploitation of this vulnerability could cause the device to reboot and change its state, causing the device to become unavailable.
WAGO 750 Series – Advisory (ICSA-18-088-01)
Successful exploitation of this vulnerability could allow a denial-of-service condition affecting the ability of the device to establish connections to commissioning and service software tools.
Emerson ControlWave Micro Process Automation Controller- Advisory (ICSA-18-058-03)
Exploitation may possibly cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can possibly result in a loss of system availability and disruption in communications with other connected devices.
Schneider Electric Modicon M340 PLC (Update A) – Advisory (ICSA-17-054-03)
Successful exploitation of this vulnerability may render the device unresponsive requiring a physical reset of the PLC.
Labs Blogs
Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro
It was reported today that Norsk Hydro has temporarily stopped aluminum production at several plants following an attack by the ransomware known as LockerGoga.
Nozomi Networks Labs has conducted a preliminary evaluation of LockerGoga. Read on to learn about this ransomware and our research team’s assessment of it.
read moreNozomi Networks Labs Enhances Radamsa for Safer ICS Software
Nozomi Networks Labs is committed to conducting cyber security research that makes industrial organizations more secure. Our latest project involves enhancing Radamsa, an open source fuzzing tool for testing software.
Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.
read moreNozomi Networks Labs: Sharing Valuable ICS Cyber Security Research
Over the past few years our company has been focused on product development and building our team, but we also began to contribute research to the ICS security community.
Today we’re formally introducing Nozomi Networks Labs, whose goal is to help defend the industrial systems that support everyday life.
read moreGreyEnergy Malware Research Paper: Maldoc to Backdoor
When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.
Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.
read moreIEC 62351 Standards for Securing Power System Communications
To help counter the growing concern about cyberattacks aiming to disrupt power systems, industrial experts have been working together in WG15. This group, part of IEC, is defining the standards known as IEC 62351, for secure-by-design power grids.
As a member of WG 15 since 2015, I thought it might be helpful to inform you about these standards and provide an update on their status.
read moreAnalyzing the GreyEnergy Malware: from Maldoc to Backdoor
GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.
As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.
read moreGreyEnergy Malware Targets Industrial Critical Infrastructure
Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.
Open Source Software Exposes ICS Device Vulnerabilities to Hackers
It’s disturbing to think that disruption and damage to our critical infrastructure can happen by simply combining the use of OSS tools with malicious intent. Fortunately, those same tools are being used by ICS security researchers around the world to increase industrial control systems cyber security.
Read on to learn why transportation, communications, energy and emergency services are so exposed, and what’s being done to close the ICS cyber security gap.
read moreBlack Hat: Understanding TRITON, The First SIS Cyber Attack
Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.
The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.
read moreNew TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol
In 2017, TRITON malware was used to attack a gas facility, directly interacting with its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research to better understand how TRITON works.
Today we released a Wireshark dissector for the TriStation protocol on GitHub to help the ICS community understand SIS communications. Our complete TRITON analysis will be presented at Black Hat USA 2018.
read moreNew TRITON ICS Malware is Bold and Important
FireEye has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process.
The TRITON attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Fortunately, because of the unique nature of how each plant implements its SIS and overall safety measures, the malware is not readily scalable.
read moreBad Rabbit Highlights Employees’ Role in Cyber Security Attacks
Recently reports of a new ransomware malware known as Bad Rabbit was making headlines in the press. A suspected variant of NotPetya, Bad Rabbit spread quickly through IT networks in Europe and elsewhere.
Our research indicates that while Bad Rabbit infections started to be reported in late October, the group behind the attacks started creating an “infection-network” in July. While not reported as impacting industrial systems, industrial operators should take note of this attack and what it means for their cyber resiliency programs.
Projects
OT ThreatFeed
Click to enlarge.
Curated and maintained by Nozomi Networks Labs, the OT ThreatFeed™ provides threat and vulnerability updates to SCADAguardian™ and SCADAguardian Advanced™, making it easy for IT/OT professionals to stay on top of current ICS risks.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
ANDREA CARCANO & MORENO CARULLO
© 2019 Nozomi Networks, Inc.
All Rights Reserved.