Select Page

Nozomi Networks Labs

Labs Blogs

Labs Blogs

Automatic Restoration of Corrupted UPX-packed Samples

In this blog, we share a tool (available on Git Hub) that can automatically fix various types of tampered UPX-packed files so that they become easily unpackable using standard UPX functionality. This first version of the tool focuses on handling Executable and Linkable Format (ELF) files compiled for various popular Reduced Instruction Set Computer (RISC) architectures commonly used by IoT devices, namely x86, x86-64, PowerPC, ARM, and MIPS. We will then evaluate its efficacy by using a set of samples collected using our global chain of IoT honeypots.

read more

Hardware Supply Chain Compromise in Human Interface Devices: Nozomi Networks + Hydro Québec Joint Research

Compromised Human Interface Devices (HID) such as a mouse, keyboard, or other USBs, which can be found in offices or industrial environments, can be adapted to perform physical attacks. Imagine the cyber-physical effect of an insider plugging a compromised keyboard/mouse into a workstation or Human Machine Interface (HMI). With the aim of setting up a proof of concept, Nozomi Networks and the Hydro-Québec Research Institute (IREQ) will explain how to detect, notify, and recommend proper countermeasures around compromised hardware devices.

read more

Nozomi Networks Researchers Reveal Zero-Day RTLS Vulnerabilities at Black Hat 22

Last week Nozomi Networks Labs attended Black Hat 22 in Las Vegas to present zero-day vulnerabilities found in Ultra-wideband (UWB) Real-time Locating Systems (RTLS). Security Researchers Andrea Palanca and Luca Cremona, along with Security Research Evangelist Roya Gordon, presented the findings discovered by Palanca and Cremona, on Wednesday August 10th at 4:20 pm PST. This was the first time these vulnerabilities were revealed to an audience.

read more

Vulnerability in Dahua’s ONVIF Implementation Threatens IP Camera Security

We’re publishing the details of a new vulnerability (tracked under CVE-2022-30563) affecting the implementation of the Open Network Video Interface Forum (ONVIF) WS-UsernameToken authentication mechanism in some IP cameras developed by Dahua, a very popular manufacturer of IP-based surveillance solutions. This vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.

read more

Nozomi Networks Discovers Vulnerability in Siemens Building Automation Software

Recently, we had the opportunity to do a security analysis of the Siemens PXC4.E16, a Building Automation System (BAS) of the Desigo/APOGEE family for HVAC and building service plants. In this blog, we are publishing the details of a vulnerability that was caused by an improper implementation of the password-based key derivation mechanism for user accounts. It could also have been abused to perform a Denial-of-Service (DoS) attack against the controller.

read more

Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk

Nozomi Networks Labs discovered a vulnerability (tracked under CVE-2022-05-02, ICS-VU-638779, VU#473698) affecting the Domain Name System (DNS) implementation of all versions of uClibc and uClibc-ng, a popular C standard library in IoT products. The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.

read more

Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload

While Industroyer targets multiple IEC protocols, Industroyer2 is a standalone executable which exclusively targets IEC-104. Based on the analysis, it’s likely that the threat actor was in the network days before the attack and had a fairly complete understanding of security measures in the target environment, and that Industroyer2 was designed to be executed in a privileged environment with direct access to the target device.

read more

New BotenaGo Variant Discovered by Nozomi Networks Labs

While the use of open-source programming languages has its benefits, attackers find it equally beneficial and have been utilizing Go to code malicious malware. Our research highlights a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, which we have named Lillin scanner.

read more

Reverse Engineering Obfuscated Firmware for Vulnerability Analysis

With vendors leveraging increasingly advanced obfuscation and encryption techniques to protect the confidentiality of their code, finding vulnerabilities can be especially challenging. Another difficulty is the firmware itself becoming a challenge to reverse, if it was compiled for an obsolete architecture and commercial disassemblers can’t properly reconstruct it. The firmware in the Schneider Electric APC PDU is an example of such a code; it has been around for years and is compiled for an old and obsolete version of the Intel 80286, which prevents easy reading or inspection.

read more

How to Analyze Malware for Technical Writing

In the ever-changing world of cybersecurity, new threats appear and evolve on a regular basis. To efficiently conduct an analysis and publish new findings on emerging malware, it’s important to be prepared. We share tips on how researchers can conduct the analysis, and a suggested workflow.

read more

Extract Firmware from OT Devices for Vulnerability Research

One of the most challenging tasks for a cybersecurity researcher is getting access to the underlying file system in OT devices to do a full analysis of potential attack vectors. This blog describes techniques for extracting firmware directly from the hardware and reading the flash content, a critical skill in a structured research team.

read more

URGENT/11 – New ICS Threat Signatures by Nozomi Networks Labs

A well-known RTOS (Real-Time Operating System), widely used in industrial sectors, is at risk from a series of 11 vulnerabilities dubbed URGENT/11.

Nozomi Networks Labs conducted research on the vulnerable devices and has released threat signatures for URGENT/11 that identify threats in typical industrial networks without generating high numbers of false positive alerts.

read more

What You Need to Know About LookBack Malware & How to Detect It

On August 1, security researchers at Proofpoint reported the details of spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.

Learn more about LookBack malware and how you can detect it.

read more

Advances in Cyber Security for Electric Utilities: WG15 & Black Hat

As a passionate champion for secure-by-design power grid systems, I’ve been part of WG15, the group defining IEC 62351 standards to enable such systems, for years.

If you’d like to learn about the future of cyber security for electric utilities, I urge you to read this article. It also provides a sneak peek into our related (and groundbreaking!) talk about power system security at Black Hat USA 2019.

read more

Nozomi Networks Labs Enhances Radamsa for Safer ICS Software

Nozomi Networks Labs is committed to conducting cyber security research that makes industrial organizations more secure. Our latest project involves enhancing Radamsa, an open source fuzzing tool for testing software.

Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.

read more

GreyEnergy Malware Research Paper: Maldoc to Backdoor

When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.

Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.

read more

IEC 62351 Standards for Securing Power System Communications

To help counter the growing concern about cyberattacks aiming to disrupt power systems, industrial experts have been working together in WG15. This group, part of IEC, is defining the standards known as IEC 62351, for secure-by-design power grids.

As a member of WG 15 since 2015, I thought it might be helpful to inform you about these standards and provide an update on their status.

read more

Analyzing the GreyEnergy Malware: from Maldoc to Backdoor

GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.

As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email, until the malware is installed in a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.

read more

GreyEnergy Malware Targets Industrial Critical Infrastructure

Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.

read more

Open Source Software Exposes ICS Device Vulnerabilities to Hackers

It’s disturbing to think that disruption and damage to our critical infrastructure can happen by simply combining the use of OSS tools with malicious intent. Fortunately, those same tools are being used by ICS security researchers around the world to increase industrial control systems cyber security.

Read on to learn why transportation, communications, energy and emergency services are so exposed, and what’s being done to close the ICS cyber security gap.

read more

Black Hat: Understanding TRITON, The First SIS Cyber Attack

Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.

The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.

read more

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol

In 2017, TRITON malware was used to attack a gas facility, directly interacting with its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research to better understand how TRITON works.

Today we released a Wireshark dissector for the TriStation protocol on GitHub to help the ICS community understand SIS communications. Our complete TRITON analysis will be presented at Black Hat USA 2018.

read more

New TRITON ICS Malware is Bold and Important

FireEye has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process.

The TRITON attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Fortunately, because of the unique nature of how each plant implements its SIS and overall safety measures, the malware is not readily scalable.

read more

Bad Rabbit Highlights Employees’ Role in Cyber Security Attacks

Recently reports of a new ransomware malware known as Bad Rabbit was making headlines in the press. A suspected variant of NotPetya, Bad Rabbit spread quickly through IT networks in Europe and elsewhere.
Our research indicates that while Bad Rabbit infections started to be reported in late October, the group behind the attacks started creating an “infection-network” in July. While not reported as impacting industrial systems, industrial operators should take note of this attack and what it means for their cyber resiliency programs.

read more

Advancing IEC Standards for Power Grid Cyber Security

Last week Nozomi Networks had the privilege of hosting the first WG15 meeting of 2017. This group is responsible for establishing end-to-end cyber security standards for the world’s power system communication protocols. Read on to learn more about WG15 and how we advanced standards for encrypted communications for the power grids of the future.

read more

Threat Intelligence

Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.

“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”


Co-founders, Nozomi Networks

COVID-19 Cybersecurity

© 2022 Nozomi Networks, Inc.
All Rights Reserved.