Nozomi Networks Labs
Labs Blogs
Labs Blogs
CISA-Sponsored CVE Program Grants Nozomi Networks CNA Status
Nozomi Networks is a CVE Numbering Authority (CNA). The CVE Program is the international standard for identifying and naming cybersecurity vulnerabilities.
Your Guide to the MITRE ATT&CK Framework for ICS
Learn how security teams can use details about adversary behavior and actions contained in the MITRE ATT&CK Framework for ICS to enhance their security strategies.
What IT Needs to Know about OT/IoT Security Threats in 2020
Find out what IT needs to know about OT/IoT security in 2020, including the most active threats, their techniques and recommendations for mitigations.
Enhanced Product Security Incident Response Reduces Customer Risk
Our Product Security Incident Response Team (PSIRT) contacts and security bulletins are now public, as part of our commitment to customer security.
Ripple20 – New Zero-Day Vulnerabilities Send Shockwaves Across IoT
Two things make Ripple20 IT/OT/IoT vulnerabilities especially concerning: the potential impact that can be achieved by their exploitation, and the difficulty of finding and tracking all instances of the vulnerable library.
IEC 61850 Meets IEC 62351: Securing GOOSE Power Grid Weaknesses
Nozomi Networks CTO Moreno Carullo explains how IEC 62351-6 can be used to secure IEC 61850 GOOSE protocol defects & increase ICS security for substations.
Dark Nexus IoT Botnet: Analyzing and Detecting its Network Activity
Dark Nexus is an IoT botnet that uses DDoS attacks for financial gain. Nozomi Networks security researchers have analyzed its network behavior.
COVID-19 Chinoxy Backdoor: A Network Perspective
A prolific threat actor, active in Asia, sends documents to people in Kyrgyzstan about how the United Nations is helping to fight COVID-19.
Nozomi Networks Labs examines how network traffic analysis can detect this specific threat.
OT/IoT Security Superheroes: Tackling the Remote Employee Challenge
While the world is grappling with the COVID-19 pandemic, nation-state and other threat actors are capitalizing on the climate of fear, uncertainty and doubt to find OT and IoT security gaps and orchestrate new cyberattacks.
COVID-19 (coronavirus) Malware: New OT and IoT Security Tools
While the world is grappling with the COVID-19 pandemic, nation-state and other threat actors are capitalizing on the climate of fear, uncertainty and doubt to find OT and IoT security gaps and orchestrate new cyberattacks.
Act Now on Critical Microsoft SMB Vulnerability (CVE-2020-0796)
On March 10th, Microsoft published a security advisory of critical severity for CVE-2020-0796, which is a remote code execution vulnerability affecting the Microsoft Server Message Block 3.1.1 (SMBv3).
Recent Ransomware Threatens OT Security, Reputation and GDPR Fines
Last week we reported that a new wave of ransomware is threatening OT security. The Snake file encrypting ransomware, for example, includes code that has the explicit goal of causing process disruption.
New Wave of Ransomware Threatens OT Security and Reliability
A new development in malware threats is ransomware that threatens OT security and aims to disrupt OT systems. For example, recently we wrote about the Snake file encrypting ransomware, which was similar to the preceding Megacortex malware. Both threats include code...
Snake Ransomware is Raising Concerns for Industrial Controls Systems
A recently discovered file-encrypting ransomware is raising concerns for industrial control system (ICS) operators.
Read on to learn what we now know about the Snake ransomware, and our recommendations for protecting your ICS systems.
URGENT/11 – New ICS Threat Signatures by Nozomi Networks Labs
A well-known RTOS (Real-Time Operating System), widely used in industrial sectors, is at risk from a series of 11 vulnerabilities dubbed URGENT/11.
Nozomi Networks Labs conducted research on the vulnerable devices and has released threat signatures for URGENT/11 that identify threats in typical industrial networks without generating high numbers of false positive alerts.
New Switch Vulnerability Discovered by Nozomi Networks Labs
On August 13, 2019, the Siemens CERT Team issued an advisory (SSA-100232) concerning Siemens SCALANCE switch devices. This vulnerability was responsibly disclosed to Siemens CERT Team and CISA by Nozomi Networks Labs.
Learn more about our findings and gain a better understanding of the cyber risks of legacy devices.
Black Hat: The Future of Securing Power Grid Intelligent Devices
Today at Black Hat USA we’re presenting an innovative power grid cyber security solution that greatly improves monitoring of intelligent electronic devices (IEDs).
Using the IEC 62351 standard for monitoring industrial networks, we demonstrate how four types of hard-to-detect attacks are readily identified.
What You Need to Know About LookBack Malware & How to Detect It
On August 1, security researchers at Proofpoint reported the details of spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.
Learn more about LookBack malware and how you can detect it.
Advances in Cyber Security for Electric Utilities: WG15 & Black Hat
As a passionate champion for secure-by-design power grid systems, I’ve been part of WG15, the group defining IEC 62351 standards to enable such systems, for years.
If you’d like to learn about the future of cyber security for electric utilities, I urge you to read this article. It also provides a sneak peek into our related (and groundbreaking!) talk about power system security at Black Hat USA 2019.
Nozomi Networks Labs Finds New Rockwell PLC Vulnerability
Today, the U.S. Department of Homeland Security issued ICS CERT Advisory (ICSA-19-120-01) concerning Rockwell Automation CompactLogix controllers.
Nozomi Networks responsibly disclosed the vulnerability to CISA and Rockwell Automation.
Read on to learn about our findings and gain a better understanding of the cyber risks of legacy devices.
Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro
It was reported today that Norsk Hydro has temporarily stopped aluminum production at several plants following an attack by the ransomware known as LockerGoga.
Nozomi Networks Labs has conducted a preliminary evaluation of LockerGoga. Read on to learn about this ransomware and our research team’s assessment of it.
Nozomi Networks Labs Enhances Radamsa for Safer ICS Software
Nozomi Networks Labs is committed to conducting cyber security research that makes industrial organizations more secure. Our latest project involves enhancing Radamsa, an open source fuzzing tool for testing software.
Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.
Nozomi Networks Labs: Sharing Valuable ICS Cybersecurity Research
Over the past few years our company has been focused on product development and building our team, but we also began to contribute research to the ICS security community.
Today we’re formally introducing Nozomi Networks Labs, whose goal is to help defend the industrial systems that support everyday life.
GreyEnergy Malware Research Paper: Maldoc to Backdoor
When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.
Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.
IEC 62351 Standards for Securing Power System Communications
To help counter the growing concern about cyberattacks aiming to disrupt power systems, industrial experts have been working together in WG15. This group, part of IEC, is defining the standards known as IEC 62351, for secure-by-design power grids.
As a member of WG 15 since 2015, I thought it might be helpful to inform you about these standards and provide an update on their status.
Analyzing the GreyEnergy Malware: from Maldoc to Backdoor
GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.
As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.
GreyEnergy Malware Targets Industrial Critical Infrastructure
Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.
Open Source Software Exposes ICS Device Vulnerabilities to Hackers
It’s disturbing to think that disruption and damage to our critical infrastructure can happen by simply combining the use of OSS tools with malicious intent. Fortunately, those same tools are being used by ICS security researchers around the world to increase industrial control systems cyber security.
Read on to learn why transportation, communications, energy and emergency services are so exposed, and what’s being done to close the ICS cyber security gap.
Black Hat: Understanding TRITON, The First SIS Cyber Attack
Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.
The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.
New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol
In 2017, TRITON malware was used to attack a gas facility, directly interacting with its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research to better understand how TRITON works.
Today we released a Wireshark dissector for the TriStation protocol on GitHub to help the ICS community understand SIS communications. Our complete TRITON analysis will be presented at Black Hat USA 2018.
New TRITON ICS Malware is Bold and Important
FireEye has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process.
The TRITON attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Fortunately, because of the unique nature of how each plant implements its SIS and overall safety measures, the malware is not readily scalable.
Bad Rabbit Highlights Employees’ Role in Cyber Security Attacks
Recently reports of a new ransomware malware known as Bad Rabbit was making headlines in the press. A suspected variant of NotPetya, Bad Rabbit spread quickly through IT networks in Europe and elsewhere.
Our research indicates that while Bad Rabbit infections started to be reported in late October, the group behind the attacks started creating an “infection-network” in July. While not reported as impacting industrial systems, industrial operators should take note of this attack and what it means for their cyber resiliency programs.
Advancing IEC Standards for Power Grid Cyber Security
Last week Nozomi Networks had the privilege of hosting the first WG15 meeting of 2017. This group is responsible for establishing end-to-end cyber security standards for the world’s power system communication protocols. Read on to learn more about WG15 and how we advanced standards for encrypted communications for the power grids of the future.
Threat Intelligence
Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
Threat Advisories | Labs Blogs | Webinars & Podcasts | Tools | Reports | Research Projects
© 2020 Nozomi Networks, Inc.
All Rights Reserved.