Hunting the Mongoose: Discovering 10 Vulnerabilities in the Mongoose Web Server Library
Continue Reading
Our Nozomi Networks Labs team is made up of highly respected threat hunters and security analysts who are dedicated to reducing cyber risk for industrial and critical infrastructure organizations. They responsibly disclose vulnerabilities and freely share their research findings and security tools with the global OT security community.
Read the latest blog content from our security research team.
Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.
View Product Page
“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”
TRITON is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). Labs reverse engineered the TriStation suite of software and delivered a report and two free tools for security researchers. This research was presented at Black Hat USA 2018.
View ProjectThe Labs team reverse engineered the GreyEnergy malicious document (maldoc) that leads to the installation of the malware (backdoor) on a victim’s network. Project outcomes include a report, multiple blogs and two free tools for security researchers.
View ProjectIEC Working Group 15 (WG15) is developing technology standards for secure-by-design power systems. Labs contributes to the standards and has demonstrated how they can be used to identify hard-to-detect cyberattacks. Research from this effort was presented at Black Hat USA 2019.
View ProjectNew assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.
Queries that check for communications with malicious IP addresses and URLs
Assertions for COVID-19 Network IndicatorsQueries that check the number of simultaneous remote connections and generate alerts if the number surpasses a threshold.
Assertions for Remote Access MonitoringTo help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.
Network IOCs (Indicators of Compromise)
COVID-19 themed Network IndicatorsYara rules for detecting coronavirus ransomware
COVID-19-Themed Ransomware RulesYara rules for detecting COVID-19 Informer malware
COVID-19 Informer Malware RulesList of hashes that detect malicious files
COVID-19-Themed HashSNORT rule for detecting network infection
COVID-19 Chinoxy Backdoor MalwareOur Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.
Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.
Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.
Automatically unpacks both the dropper and the backdoor and extracts them onto a disk
GreyEnergy UnpackerDetermines whether a file processed by Yara is the GreyEnergy packer or not
GreyEnergy Yara ModuleFacilitates seeing and comprehending TriStation communications and identifies hardware connected to the safety controller
TriStation Protocol Plug-in for WiresharkSimulates SIS controllers on the network, useful for detecting reconnaissance scans and capture malicious payloads
Triconex Honeypot Tool
