Nozomi Networks Labs
Labs Blogs
Nozomi Networks Discovers Vulnerability in Siemens Building Automation Software
Recently, we had the opportunity to do a security analysis of the Siemens PXC4.E16, a Building Automation System (BAS) of the Desigo/APOGEE family for HVAC and building service plants. In this blog, we are publishing the details of a vulnerability that was caused by an improper implementation of the password-based key derivation mechanism for user accounts. It could also have been abused to perform a Denial-of-Service (DoS) attack against the controller.
Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk
Nozomi Networks Labs discovered a vulnerability (tracked under CVE-2022-05-02, ICS-VU-638779, VU#473698) affecting the Domain Name System (DNS) implementation of all versions of uClibc and uClibc-ng, a popular C standard library in IoT products. The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device.
Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
While Industroyer targets multiple IEC protocols, Industroyer2 is a standalone executable which exclusively targets IEC-104. Based on the analysis, it’s likely that the threat actor was in the network days before the attack and had a fairly complete understanding of security measures in the target environment, and that Industroyer2 was designed to be executed in a privileged environment with direct access to the target device.
New BotenaGo Variant Discovered by Nozomi Networks Labs
While the use of open-source programming languages has its benefits, attackers find it equally beneficial and have been using Go to write malware. Our research highlights a new variant of the BotenaGo malware that specifically targets Lilin security camera DVR devices, which we have named Lillin scanner.
INCONTROLLER: Acting to Protect Customers from Unknown Threats
INCONTROLLER is believed to have been developed by a sophisticated nation state threat actor to maliciously manipulate ICS environments. The latest Nozomi Networks Threat Intelligence package includes YARA rules to detect the two supporting Windows-based INCONTROLLER tools.
Industroyer2 Targets Ukraine’s Electric Grid: How Companies Can Stay Protected and Resilient
In light of the attempted attack on Ukraine’s power grid with Industroyer2 malware, the safety and security of Nozomi Networks customers is our top priority. Our latest Threat Intelligence package provides Industroyer2 Indicators of Compromise (IoCs) that will detect and alert customers of any known activity linked to the malware.
Reverse Engineering Obfuscated Firmware for Vulnerability Analysis
With vendors leveraging increasingly advanced obfuscation and encryption techniques to protect the confidentiality of their code, finding vulnerabilities can be especially challenging. A further difficulty is that the firmware itself can be hard to reverse if it was compiled for an obsolete architecture that commercial disassemblers cannot properly reconstruct. The firmware in the Schneider Electric APC PDU is an example of such code; it has been around for years and is compiled for an old and obsolete version of the Intel 80286, which prevents easy reading or inspection.
How IoT Botnets Evade Detection and Analysis
One key technique for stymieing reverse engineering of botnet code is packing: obfuscating the code by compressing or encrypting the executable. This blog explores the packers currently used by IoT malware, using data collected by Nozomi Networks honeypots.
New OT/IoT Security Report: Trends and Countermeasures for Critical Infrastructure Attacks
Nozomi Networks Labs’ latest OT/IoT Security Report delves into cyber attack trends, vulnerabilities and attack countermeasures.
In our latest OT/IoT Security Report, Nozomi Networks Labs brings together an in-depth analysis of industry trends and our own security...
How to Analyze Malware for Technical Writing
In the ever-changing world of cybersecurity, new threats appear and evolve on a regular basis. To efficiently conduct an analysis and publish new findings on emerging malware, it’s important to be prepared. We share tips on how researchers can conduct the analysis, and a suggested workflow.
Methods for Extracting Firmware from OT Devices for Vulnerability Research
This second part of our hardware hacking series focuses on how to dump the memory contents for two different kinds of memory packages, WSON and SOP/SOIC.
Web Interface Flaw Threatens Reliability of Cyber-Physical Systems
Today Nozomi Networks Labs announced the discovery and disclosure of a vulnerability in the web interface of the Schneider Electric Power Distribution Unit (PDU), the APC AP7920B. Based on the flaw, about 10% of all desktop browsers worldwide could have been successfully leveraged to execute an attack.
Critical Log4Shell (Apache Log4j) Zero-Day Attack Analysis
An analysis of the Apache Log4j vulnerability (CVE-2021-44228) and the architecture of zero-day exploits from Nozomi Networks Labs.
Five New Vulnerabilities Disclosed in Patient Monitoring Systems
Nozomi Networks Labs discloses five vulnerabilities affecting attack surfaces on a Philips patient monitoring solution. Solutions from other vendors may have similar vulnerabilities.
The Long-range Disruption of Industrial IoT LoRaWAN Networks
The Nozomi Networks Labs team used drones to investigate attacks against a low-power radio frequency WAN technology widely used in industrial IoT networks.
Enhancing Threat Intelligence with the MITRE ATT&CK Framework
Firmware Security Research: Dahua Facial Recognition Station
To illustrate how we tackle the issue of firmware inspection, Nozomi Networks Labs selected a popular facial/thermal recognition camera and describes in detail how to analyze its firmware.
New Axis OS Security Research Aided by Transparent Design
Nozomi Networks Labs published three new vulnerabilities (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) affecting multiple Axis devices. The transparent approach Axis takes to security review allowed Labs to perform an immediate static analysis and verification of the vulnerabilities.
Extract Firmware from OT Devices for Vulnerability Research
One of the most challenging tasks for a cybersecurity researcher is getting access to the underlying file system in OT devices to do a full analysis of potential attack vectors. This blog describes techniques for extracting firmware directly from the hardware and reading the flash content, a critical skill in a structured research team.
BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
New Annke Vulnerability Shows Risks of IoT Security Camera Systems
Nozomi Networks Labs has discovered a remote code execution vulnerability in the Annke N48PBB network video recorder. We urge network defenders to check their systems for the device, and apply the available patch immediately.
The Clever Use of Postdissectors to Analyze Layer 2 Protocols
Nozomi Networks Labs analyzes the Layer 2 protocol used by the RUGGEDCOM devices, focusing on how to instruct Wireshark to properly detect it and begin the dissection process.
New Research Uncovers 5 Vulnerabilities in Mitsubishi Safety PLCs
Vulnerabilities in Mitsubishi Safety PLCs were discovered by Nozomi Networks Labs. As no patches are available, we outline general mitigations that can be used to protect operational environments. The Nozomi Networks Threat Intelligence service also includes detection logic for these vulnerabilities.
PrintNightmare: How To Check If Your Systems Are Still Vulnerable
PrintNightmare: Cybersecurity researchers continue to uncover new, related vulnerabilities that can be exploited. Learn how to determine whether your systems remain vulnerable to the known, widely circulated proof-of-concept (PoC) exploits.
New Report: Ransomware, Vulnerabilities and IoT Security Threats
Nozomi Networks Labs has produced a new OT/IoT security report. Don’t miss this summary of vulnerability trends as well as important information about ransomware and IoT security camera threats.
PrintNightmare: Remote Code Execution in Windows Spooler Service
Several vulnerabilities affecting the Windows Print Spooler service require urgent attention by security teams across all industries. These risks are particularly concerning because the vulnerable service is enabled by default for Windows Domain Servers, the most sought-after target for attackers.
How to Dissect Unusual Protocols for Troubleshooting OT Security
To analyze the OT security risks of undocumented protocols, we need to understand how devices work, and how they communicate. Nozomi Networks Labs demonstrates how to use Lua APIs to instruct Wireshark to properly dissect an undocumented protocol.
New IoT Security Risk: ThroughTek P2P Supply Chain Vulnerability
Nozomi Networks Labs announces the discovery and disclosure of a new security camera vulnerability. It affects an embedded P2P software component from ThroughTek. This component is part of the supply chain for many original equipment manufacturers (OEMs) of consumer-grade security cameras and IoT devices.
Demonstrating the Link Between Functional Safety and ICS Security
In industrial control systems (ICS) with no protection measures, it can be easy for a threat actor to disrupt the system, threatening safety and production. Watch a simulated DoS attack to see how an attacker could exploit bad practices, and review what should be done to prevent such an attack.
Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works
The Colonial Pipeline ransomware attack is one of the most notable critical infrastructure breaches of recent years. Learn the encryption, anti-detection and other techniques used by DarkSide’s main executable so you can evaluate your own defenses. Includes IoCs and a decryption script for detection.
Threat Intelligence: Analysis of the SBIDIOT IoT Malware
Billions of IoT devices are used in the industrial sector and threat actors are quickly evolving new malware focused on them. Don’t miss this analysis of the SBIDIOT IoT malware to learn how it communicates with targets and what types of commands it supports. Includes IOCs.
Defending Against IoT Security Camera Hacks Like Verkada
Verkada was the target of a successful cyberattack that allowed the perpetrators unfettered access to the live video feeds of 150,000 surveillance cameras. Network monitoring technology could have alerted them to the attack – and helped them contain and mitigate its impact.
New Report: Top OT/IoT Security Threats and Vulnerabilities
Nozomi Networks Labs has produced a new OT/IoT security report. This blog summarizes the most significant threats and vulnerability trends, as well as recommendations for improving your security posture. Read the blog and get the report to speed up your understanding of the current threat landscape.
New Reolink P2P Vulnerabilities Show IoT Security Camera Risks
Nozomi Networks Labs has discovered vulnerabilities in the Peer-to-Peer (P2P) feature of a commonly used line of security cameras – Reolink. P2P is used by several vendors and, if your CCTV camera has this feature, it’s important to understand the potential security risks.
New Threat Intelligence Reveals Misuse of DNS Protocol
Nozomi Networks Labs has uncovered new misuse of the DNS protocol that opens the door to significant threats in the future. We urge security teams to familiarize themselves with this new threat intelligence and centrally monitor their systems for problematic network traffic.
Overcoming the Challenges of Detecting P2P Botnets on Your Network
It can be challenging to disrupt the malicious activities of peer-to-peer (P2P) botnets. Find out how to protect your OT/IoT networks against them.
CISA-Sponsored CVE Program Grants Nozomi Networks CNA Status
Nozomi Networks is a CVE Numbering Authority (CNA). The CVE Program is the international standard for identifying and naming cybersecurity vulnerabilities.
Your Guide to the MITRE ATT&CK Framework for ICS
Learn how security teams can use details about adversary behavior and actions contained in the MITRE ATT&CK Framework for ICS to enhance their security strategies.
What IT Needs to Know about OT/IoT Security Threats in 2020
Find out what IT needs to know about OT/IoT security in 2020, including the most active threats, their techniques and recommendations for mitigations.
Enhanced Product Security Incident Response Reduces Customer Risk
Our Product Security Incident Response Team (PSIRT) contacts and security bulletins are now public, as part of our commitment to customer security.
Ripple20 – New Zero-Day Vulnerabilities Send Shockwaves Across IoT
Two things make Ripple20 IT/OT/IoT vulnerabilities especially concerning: the potential impact that can be achieved by their exploitation, and the difficulty of finding and tracking all instances of the vulnerable library.
IEC 61850 Meets IEC 62351: Securing GOOSE Power Grid Weaknesses
Nozomi Networks CTO Moreno Carullo explains how IEC 62351-6 can be used to secure IEC 61850 GOOSE protocol defects and increase ICS security for substations.
Dark Nexus IoT Botnet: Analyzing and Detecting its Network Activity
Dark Nexus is an IoT botnet that uses DDoS attacks for financial gain. Nozomi Networks security researchers have analyzed its network behavior.
COVID-19 Chinoxy Backdoor: A Network Perspective
A prolific threat actor, active in Asia, sends documents to people in Kyrgyzstan about how the United Nations is helping to fight COVID-19.
Nozomi Networks Labs examines how network traffic analysis can detect this specific threat.
OT/IoT Security Superheroes: Tackling the Remote Employee Challenge
COVID-19 (coronavirus) Malware: New OT and IoT Security Tools
While the world is grappling with the COVID-19 pandemic, nation-state and other threat actors are capitalizing on the climate of fear, uncertainty and doubt to find OT and IoT security gaps and orchestrate new cyberattacks.
Act Now on Critical Microsoft SMB Vulnerability (CVE-2020-0796)
On March 10th, Microsoft published a security advisory of critical severity for CVE-2020-0796, a remote code execution vulnerability affecting Microsoft Server Message Block 3.1.1 (SMBv3).
Recent Ransomware Threatens OT Security, Reputation and GDPR Fines
Last week we reported that a new wave of ransomware is threatening OT security. The Snake file-encrypting ransomware, for example, includes code with the explicit goal of causing process disruption.
New Wave of Ransomware Threatens OT Security and Reliability
A new development in malware threats is ransomware that threatens OT security and aims to disrupt OT systems. For example, we recently wrote about the Snake file-encrypting ransomware, which was similar to the preceding Megacortex malware. Both threats include code...
Snake Ransomware is Raising Concerns for Industrial Control Systems
A recently discovered file-encrypting ransomware is raising concerns for industrial control system (ICS) operators.
Read on to learn what we now know about the Snake ransomware, and our recommendations for protecting your ICS systems.
URGENT/11 – New ICS Threat Signatures by Nozomi Networks Labs
A well-known RTOS (Real-Time Operating System), widely used in industrial sectors, is at risk from a series of 11 vulnerabilities dubbed URGENT/11.
Nozomi Networks Labs conducted research on the vulnerable devices and has released threat signatures for URGENT/11 that identify threats in typical industrial networks without generating high numbers of false positive alerts.
New Switch Vulnerability Discovered by Nozomi Networks Labs
On August 13, 2019, the Siemens CERT Team issued an advisory (SSA-100232) concerning Siemens SCALANCE switch devices. This vulnerability was responsibly disclosed to the Siemens CERT Team and CISA by Nozomi Networks Labs.
Learn more about our findings and gain a better understanding of the cyber risks of legacy devices.
Black Hat: The Future of Securing Power Grid Intelligent Devices
Today at Black Hat USA we’re presenting an innovative power grid cyber security solution that greatly improves monitoring of intelligent electronic devices (IEDs).
Using the IEC 62351 standard for monitoring industrial networks, we demonstrate how four types of hard-to-detect attacks are readily identified.
What You Need to Know About LookBack Malware & How to Detect It
On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities such as deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.
Learn more about LookBack malware and how you can detect it.
Advances in Cyber Security for Electric Utilities: WG15 & Black Hat
As a passionate champion for secure-by-design power grid systems, I’ve been part of WG15, the group defining IEC 62351 standards to enable such systems, for years.
If you’d like to learn about the future of cyber security for electric utilities, I urge you to read this article. It also provides a sneak peek into our related (and groundbreaking!) talk about power system security at Black Hat USA 2019.
Nozomi Networks Labs Finds New Rockwell PLC Vulnerability
Today, the U.S. Department of Homeland Security issued ICS CERT Advisory (ICSA-19-120-01) concerning Rockwell Automation CompactLogix controllers.
Nozomi Networks responsibly disclosed the vulnerability to CISA and Rockwell Automation.
Read on to learn about our findings and gain a better understanding of the cyber risks of legacy devices.
Breaking Research: LockerGoga Ransomware Impacts Norsk Hydro
It was reported today that Norsk Hydro has temporarily stopped aluminum production at several plants following an attack by the ransomware known as LockerGoga.
Nozomi Networks Labs has conducted a preliminary evaluation of LockerGoga. Read on to learn about this ransomware and our research team’s assessment of it.
Nozomi Networks Labs Enhances Radamsa for Safer ICS Software
Nozomi Networks Labs is committed to conducting cyber security research that makes industrial organizations more secure. Our latest project involves enhancing Radamsa, an open source fuzzing tool for testing software.
Our new code makes it faster and easier to test devices that communicate over industrial networks, such as PLCs and RTUs, for security vulnerabilities.
Nozomi Networks Labs: Sharing Valuable ICS Cybersecurity Research
Over the past few years our company has been focused on product development and building our team, but we also began to contribute research to the ICS security community.
Today we’re formally introducing Nozomi Networks Labs, whose goal is to help defend the industrial systems that support everyday life.
GreyEnergy Malware Research Paper: Maldoc to Backdoor
When the GreyEnergy Advanced Persistent Threat (APT) was unveiled last year, I decided to put my reverse engineering skills to work and study one of its infection techniques.
Find out about the methods the malware’s packer stage used to conceal its true functionality, plus get access to my full Research Paper, in today’s article.
IEC 62351 Standards for Securing Power System Communications
To help counter the growing concern about cyberattacks aiming to disrupt power systems, industrial experts have been working together in WG15. This group, part of IEC, is defining the standards known as IEC 62351, for secure-by-design power grids.
As a member of WG15 since 2015, I thought it might be helpful to inform you about these standards and provide an update on their status.
Analyzing the GreyEnergy Malware: from Maldoc to Backdoor
GreyEnergy is an Advanced Persistent Threat (APT) which has been targeting industrial networks in Eastern European countries for several years.
As a security analyst, I have studied the malware and provide a detailed description of how it works, from the moment that someone receives a phishing email until the malware is installed on a PC. We also provide the GreyEnergy Unpacker, a free tool for other analysts to use for further analysis of this advanced persistent threat.
GreyEnergy Malware Targets Industrial Critical Infrastructure
Recently a new advanced threat targeting the energy sector was disclosed. Called GreyEnergy, this malware is the successor to BlackEnergy, which brought down part of the Ukraine power grid in 2015.
Because of the significance of the malware, our Nozomi Networks Security Research team is evaluating it. Find out what is known about the malware to date.
Open Source Software Exposes ICS Device Vulnerabilities to Hackers
It’s disturbing to think that disruption and damage to our critical infrastructure can happen by simply combining the use of OSS tools with malicious intent. Fortunately, those same tools are being used by ICS security researchers around the world to increase industrial control system cyber security.
Read on to learn why transportation, communications, energy and emergency services are so exposed, and what’s being done to close the ICS cyber security gap.
Black Hat: Understanding TRITON, The First SIS Cyber Attack
Today at Black Hat USA I am part of a team speaking about the landmark TRITON malware attack. We are presenting new research on TRITON, releasing two tools to help defend against it and publishing a white paper summarizing our findings.
The TRITON malware attack went beyond other industrial cyber attacks by directly interacting with a Safety Instrumented System (SIS). Asset owners should act immediately to secure their SIS — and the information in our white paper will help.
New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol
In 2017, TRITON malware was used to attack a gas facility, directly interacting with its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research to better understand how TRITON works.
Today we released a Wireshark dissector for the TriStation protocol on GitHub to help the ICS community understand SIS communications. Our complete TRITON analysis will be presented at Black Hat USA 2018.
New TRITON ICS Malware is Bold and Important
FireEye has reported that it has recently worked with an industrial operator whose facility was attacked by a new type of ICS malware, which they are calling TRITON. The attack reprogrammed a facility’s Safety Instrumented System (SIS) controllers, causing them to enter a failed state, and resulting in an automatic shutdown of the industrial process.
The TRITON attack is bold and notable because it is the first known industrial control system (ICS) attack that has targeted and impacted not just an ICS, but SIS equipment. Fortunately, because of the unique nature of how each plant implements its SIS and overall safety measures, the malware is not readily scalable.
Bad Rabbit Highlights Employees’ Role in Cyber Security Attacks
Recently, reports of a new ransomware known as Bad Rabbit were making headlines in the press. A suspected variant of NotPetya, Bad Rabbit spread quickly through IT networks in Europe and elsewhere.
Our research indicates that while Bad Rabbit infections started to be reported in late October, the group behind the attacks started creating an “infection-network” in July. While not reported as impacting industrial systems, industrial operators should take note of this attack and what it means for their cyber resiliency programs.
Advancing IEC Standards for Power Grid Cyber Security
Last week Nozomi Networks had the privilege of hosting the first WG15 meeting of 2017. This group is responsible for establishing end-to-end cyber security standards for the world’s power system communication protocols. Read on to learn more about WG15 and how we advanced standards for encrypted communications for the power grids of the future.
Threat Intelligence
Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.
© 2022 Nozomi Networks, Inc.
All Rights Reserved.