Nozomi Networks Labs

Our Nozomi Networks Labs team is made up of highly respected threat hunters and security analysts who are dedicated to reducing cyber risk for industrial and critical infrastructure organizations. They responsibly disclose vulnerabilities and freely share their research findings and security tools with the global OT security community.

Labs Blogs

Read the latest blog content from our security research team.

View all Labs blogs

Flaws in Phoenix Contact mGuard Industrial Router Allow up to Root RCE

Read

Vulnerabilities in Wago PLCs: Understanding the Risks for Industrial Facilities

Read

Over-the-Air Vulnerabilities Discovered in Advantech EKI Access Points

Read

Hunting the Mongoose: Discovering 10 Vulnerabilities in the Mongoose Web Server Library

Read

Threat Intelligence

Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.

View Product Page
Threat Intel screenshot
Nozomi Logo circle

“Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.”

Research Projects

TRITON

TRITON is the first known cyberattack that directly interacted with a Safety Instrumented System (SIS). Labs reverse engineered the TriStation suite of software and delivered a report and two free tools for security researchers. This research was presented at Black Hat USA 2018.

View Project

GreyEnergy

The Labs team reverse engineered the GreyEnergy malicious document (maldoc) that leads to the installation of the malware (backdoor) on a victim’s network. Project outcomes include a report, multiple blogs and two free tools for security researchers.

View Project

IEC 62351

IEC Working Group 15 (WG15) is developing technology standards for secure-by-design power systems. Labs contributes to the standards and has demonstrated how they can be used to identify hard-to-detect cyberattacks. Research from this effort was presented at Black Hat USA 2019.

View Project
See all

Tools

Guardian Community Edition Assertions (Queries) for COVID-19 Cybersecurity

New assertions (queries) have been added to Guardian Community Edition to help with COVID-19-related cybersecurity challenges.

Assertions for COVID-19 Network IndicatorsAssertions for Remote Access Monitoring

COVID-19 Malware: OT and IoT Threat Intelligence

To help your organization proactively detect and prevent COVID-19 themed cyberattacks, download our network indicators, ransomware and malware threat intelligence.

COVID-19 themed Network IndicatorsCOVID-19-Themed Ransomware RulesCOVID-19 Informer Malware RulesCOVID-19-Themed HashCOVID-19 Chinoxy Backdoor Malware

URGENT/11 Nmap NSE Script for Detecting Vulnerabilities

Our Nmap NSE script for detecting URGENT/11 vulnerabilities is a research tool for quickly checking industrial systems for vulnerable assets based on the version of VxWorks exposed within the FTP service.

Due the fact that is not always possible to detect the running version, we recommend that industrial operators use full featured security products for effective vulnerability assessment.

Radamsa Enhancement, Introducing PCAPNG Awareness

Our contribution allows Radamsa to mutate PCAPNG files focusing only on the packets themselves, eliminating the bytes and data structures used by the PCAPNG format itself. It is useful for testing the robustness of protocol stacks, helping to improve the quality of OT-device software.

GreyEnergy Unpacker + Yara Module

GreyEnergy UnpackerGreyEnergy Yara Module

Tricotools

TriStation Protocol Plug-in for WiresharkTriconex Honeypot Tool

Take the next step.

Discover how easy it is to identify and respond to cyber threats by automating your IoT and OT asset discovery, inventory, and management.