Nozomi Networks Labs
Defending Critical Infrastructure Against Cyber Risk
Nozomi Networks Labs is dedicated to reducing cyber risk for the world’s industrial and critical infrastructure organizations.
Through our cyber security research, and collaboration with industry and institutions, we’re helping defend the industrial systems that support everyday life.
Collaborating to Reduce ICS Cyber Risk
Nozomi Networks Labs is working with a broad range of experts, industry leaders and institutions to improve industrial cyber security.
If you’d like to work together, we’d love to hear from you!
GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis
A comprehensive analysis of one of the GreyEnergy malware’s infection techniques, a phishing email, from the maldoc, to the custom packer and the final dropper (backdoor). The deepest reverse engineering is done on the packer. Two new tools were released to support further analysis of GreyEnergy.
TRITON: The First ICS Cyber Attack on Safety Instrument Systems, Understanding the Malware, Its Communications and Its OT Payload
How to turn an undocumented ICS device into malicious code, starting with building a working system, followed by reverse engineering and malware analysis. While the TRITON malware attack failed to deliver a malevolent OT payload to the Triconex controller, our researchers succeeded. Two new tools were released to help the ICS community secure Triconex SIS.
- Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.
- TriStation Protocol Plug-in for Wireshark – facilitates seeing and comprehending TriStation communications and identifies hardware connected to the safety controller
- Triconex Honeypot Tool – simulates SIS controllers on the network, useful for detecting reconnaissance scans and capturing malicious payloads
Successful exploitation of this vulnerability could cause a denial-of-service condition.
Successful exploitation of this vulnerability may render the device unresponsive, requiring a physical reset of the PLC (Programmable Logic Controller).
Successful exploitation of these vulnerabilities could allow a remote attacker to render the web server unavailable and/or place the controller in a major non-recoverable faulted state (MNRF).
Successful exploitation of this vulnerability could result in a denial-of-service condition that could result in a loss of availability of the affected device.
Successful exploitation of these vulnerabilities could crash the device being accessed or allow arbitrary code execution on the device.
Successful exploitation of these vulnerabilities could allow arbitrary code execution, malware injection, or malware to spread to other workstations.
Successful exploitation of these vulnerabilities may allow an attacker with local file write access to manipulate files and cause a denial-of-service condition, or execute code both on the manipulated installation as well as on devices configured using the manipulated installation.
GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi – Advisory (ICSA-18-137-01)
Successful exploitation of this vulnerability could cause the device to reboot and change its state, causing the device to become unavailable.
Successful exploitation of this vulnerability could allow a denial-of-service condition affecting the ability of the device to establish connections to commissioning and service software tools.
Exploitation may cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can result in a loss of system availability and disruption in communications with other connected devices.
Successful exploitation of this vulnerability may render the device unresponsive, requiring a physical reset of the PLC.
Learn more about our findings and gain a better understanding of the cyber risks of legacy devices.
Which raises the question: is the limited number of security experts holding the front lines in danger of burnout, and what can we do about it?
If you’d like to learn about the future of cyber security for electric utilities, I urge you to read this article. It also provides a sneak peek into our related (and groundbreaking!) talk about power system security at Black Hat USA 2019.
Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.
Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
© 2019 Nozomi Networks, Inc.
All Rights Reserved.