13 min read
Maritime Cyber Security & Threats Sep 2020 Week One
By: Dryad Global on September 8, 2020 at 2:20 PM
Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Malicious Email collection 29 Aug-5 Sep 2020
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
Aug 29, 2020 |
RE: Request flight booking for MV. SEA FUTURE off signers at INCHEON, KOREA |
TrojanDownloader:O97M/Emotet!rfn |
"Ms. San San" <accounts2@princehr.com> |
withuskor.com |
Aug 29, 2020 |
Mix container 2 purchase orders |
Exploit:O97M/CVE-2017-11882.YR!MTB |
kelly.mfc.china@mikado-foods.de |
argomarine.co.kr |
Sep 01, 2020 |
Undeliverable: RE: Arrival Notice For BL - 120910126192 / Vessel - MV\r\n Crystal BAY / Voyage - 19014S |
Trojan:Win32/Wacatac.C!ml |
<postmaster@vs-i.com> |
skshipping.com |
Sep 01, 2020 |
Re: MV YAN DUN JIAO 1 (V.1904) |
Trojan:Win32/Ymacco.AAB6 |
"PHILHUA SHIPPING AGENCY (RIZHAO)" <rizhao@philhua.com> |
philhua.com |
Sep 01, 2020 |
P19009 - KARACHAGANAK PETROLEUM OPERATING - EPC FOR KARACHAGANAK EXPANSION PROJECT KEP1 - RFQ-00-1 Offshore Drilling Equipment\'s,Refineries & petrochemical plants,AHU,FCU, Pipe, Valve, Pump, Fittings and Heat Recovery Unit4 |
Trojan:Win32/Wacatac.C!ml |
Ahmad Al Fahoum (CCEL) <afahom@ccel.ae> |
kangrim.com |
Sep 01, 2020 |
Re: Port Inquiry for discharge 30000mt |
Trojan:Win32/Wacatac.C!ml |
"Yuswan-OPS TEAM" <yuswanl@pertamajaya.com> |
pertamajaya.com |
Sep 01, 2020 |
RE: Fw: Pulp basah dan kotor di MV Intan Daya |
Trojan-Downloader.VBA.Emotet |
"Jasmadi Jasmadi" <7348cba539@37b925b96.br> |
b4bd8b7c1f5a.com |
Sep 02, 2020 |
Fwd: Documents for the first container |
Trojan:Win32/Wacatac.C!ml |
Cargo <pauld@imss.co.za> |
naver.com |
Sep 02, 2020 |
RE: Preliminary Survey Report Cargo Condition discharge Wire Rod and Steel Bar MV. MIIKE. V.084 at Jakarta. |
TrojanDownloader:O97M/Emotet.RKC!MTB |
"Sugiyanto Tomo" <232e342da3cce04@093ddefc9c4.gt> |
b4bd8b7c1f5a.com |
Sep 03, 2020 |
RE: TANGLIN AGENCY - PO P522207 OCEAN FRONT |
VBA/Agent.AUZ!tr.dldr |
"Cheryl" <1ac45@f82ab8686.com> |
b4e8f423.com |
Sep 03, 2020 |
SPAM: Re: Cargo Arrival Notice - Job No: LI-200315060007-8 / HBL:\r\n 320610003918 |
Trojan:MSIL/AgentTesla.AX!MTB |
ADNAN AKHTAR <9aa8c9aa3@b9d47afc168.com> |
a0a1ee03.com |
Sep 03, 2020 |
RE: (352293) CMB CHIKAKO / PORT-IT ANTIVIRUS ONBOARD OUT OF DATE #2 |
TROJ_GEN.F0D1C00BG20 |
Port-IT Support Desk <strio@port-it.nl> |
imecs.co.jp |
Sep 03, 2020 |
=?utf-8?Q?RE:_ADV_Mustervorlage_f=C3=BCr_IT_Sup?=\n =?utf-8?Q?port?= |
HEUR:Trojan.MSOffice.SAgent.gen |
"'Thomas Cierzniak \(thomas.cierzniak@als-fra.de\)'" <lanh.pham@vascorp.com.vn> |
buscon.de |
Sep 04, 2020 |
RE: Re: MV. OCEAN LEADER - REQEUST SUPPLY AT BINTULU |
TrojanDownloader:O97M/Emotet.RKC!MTB |
"oceanleader@sea-one.com" <trafico.logistics@emqro.com.mx> |
kwship.com |
Sep 05, 2020 |
Re: Scan Report MV. Federal Bristol Disch SMOP at. Padang, Indonesia |
TrojanDownloader:O97M/Emotet.RKC!MTB |
"Rizal Afrianto" <c7ce14@04acff12871882f7.jp> |
b4bd8b7c1f5a.com |
Sep 05, 2020 |
MV OCEAN LEADER / DEPARTURE REPORT AT BINTULU PORT |
TrojanDownloader:O97M/Emotet.RKC!MTB |
"oceanleader@sea-one.com" <asad.khan@a-plus.tv> |
kwship.com |
Top 5 Malicious Senders
Sender |
Malware Sent |
trafico.logistics@emqro.com.mx |
TrojanDownloader:O97M/Emotet.RKC!MTB |
leong.kuan.sang@harbour.com.my |
TrojanDownloader:O97M/Emotet.RKC!MTB |
asad.khan@a-plus.tv |
TrojanDownloader:O97M/Emotet.RKC!MTB |
oceanleader@sea-one.com |
TrojanDownloader:O97M/Emotet.RKC!MTB |
claudiaalick@schutztomail.com |
Trojan:Script/Wacatac.C!ml |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Intan Daya” and the “MV Glory Forwarder” among others.
Analysts observed a possible supply chain attack using the malicious subject line “Fwd: Documents for the first container” being used this week. The email appears to reference a shipment that the recipient should already be expecting. This is a common tactic used by bad actors.
The message body is noticeably short and even includes an icon indicating that the email was identified as “Virus-free” by Avast. It is possible that Avast identified the file as safe. Avast AV engine does not detect the email or attachment as malicious. However, attackers may have implanted this into the email to provide a false sense of security for the target.
The email is sent from an email address belonging to Dromex. Dromex is South Africa’s leading PPE wholesaler, so an email regarding a container shipment of PPE would further entice a target to open the malicious attachment. The sender email “pauld@imss.co.za” does not show up in open source, however the Chief Financial Officer’s name is Paul D, so it is more likely the attackers are impersonating this employee.
There is no real signature listed in the email, however, the attackers use “regards” and “cu stima” (Romanian for “Yours truly”) indicating they may be Romanian speakers. Sometimes attackers use the native language of the target, but the target in this case is Korean, so there is no clear reason as to why they are using a Romanian valediction, unless this email is being used as a spam template to target other Romanian recipients.
Although the greeting addresses “All,” the email was sent to a single individual whose email address is listed publicly in open source. The target is a manager working at a Korean auto parts company. The company is one of the leading wholesale dealers of spare auto parts for Korean vehicle manufacturers such as Kia, Hyundai, and Daewoo.
The malicious email attachment uses the file name-
“FisrtContainder_documents+certificates+export+AYHTKO00900XXCVBNN.xxe.” The filename further indicates the attackers do not use English as a native language. McAfee AV engine detects the attached file as Fareit-FZB!2CE3FDF606C7 malware. This malware has the ability to steal and exfiltrate sensitive information and download other malware for further intrusion. Attackers often target major vendors for large companies to gain leverage into the larger company’s network.
Analysts observed two malicious email subject lines both using “MV OCEAN LEADER” as part of their malicious subject lines. The first subject line is “RE: Re: MV. OCEAN LEADER - REQEUST SUPPLY AT BINTULU” and the second is “MV OCEAN LEADER / DEPARTURE REPORT AT BINTULU PORT.” There does not appear to be any clear specific connection between the MV Ocean Leader and Bintulu Port (Malaysia).
The sender alias used in both email is “oceanleader@sea-one.com” however, one email was sent from “asad.khan[at]a-plus[.]tv” and one was sent from “trafico.logistics@emqro.com.mx.” It appears the sender is trying to impersonate himself/herself as an employee of Sea One Holdings, LLC. This company is a logistics company which works in the natural gas and natural gas liquids industry. The attacker is using the alias with “…sea-one[.]com,” but the legitimate company uses the “seaone[.]com” domain. This is a quite simple example of typosquatting in use.
The target of these malicious emails is an email address owned by Kyungwon Shipping Co., Ltd. The company was founded in 2014 as a “national foreign carrier.” The targeted email address is listed publicly in open source on a recruiting webpage.
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Pre-empt, don't just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
Related Posts
Maritime Cyber Security & Threats Sep 2020 Week..
Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted..
Maritime Cyber Security & Threats Sep 2020 Week..
Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted..
Maritime Cyber Security & Threats January 2021..
Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime..