Maritime Risk Intelligence Blog

Maritime Cyber Security & Threats Aug 2020 Week Four

Written by Dryad Global | September 2, 2020 at 9:03 AM

Dryad and its cyber partner Red Sky Alliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Malicious Email collection 22 Aug-29 Aug 2020

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| Aug 22, 2020 | MV FIRSTEC - PORT CALL FOR BUNKERING AT ZHOUSHAN ANCHORAGE | Trojan:MSIL/AgentTesla.YP!MTB | Yidance Singapore - Operation Team <fix1@yidance.sg> | yidance.sg |
| Aug 22, 2020 | RE: JEBEL ALI LCL SHIPMENT | TrojanDownloader:O97M/Emotet!rfn | "megha.borade" <965dbaa@26dd9f2.com> | 2010546c.biz |
| Aug 22, 2020 | Re: [SPAM] RE: 38363 ==== RE: JEBEL ALI LCL SHIPMENT | TrojanDownloader:O97M/Emotet!rfn | Naved Ahmad <3e722a825d56a@2dd400a53b39.com> | 2010546c.biz |
| Aug 22, 2020 | RE: Sea Shipment from Viraj..to Alpinex..// Nhava Sheva India to Poland..// Booking Import N. P379702020 S/ VIRAJ SYNTEX (P) LT | VBA/Agent.GC!tr.dldr | "MAHALAXMI BL" <a1b29@dc93e335d7395e99221a2be.tr> | 2010546c.biz |
| Aug 22, 2020 | Fwd:RE: LCL SHIPMENT HAMBURG BL DRAFT | VBA/Agent.GC!tr.dldr | Megha Borade <ad76@44eb3fa638a5.com> | 2010546c.biz |
| Aug 22, 2020 | RE: JEBEL ALI LCL SHIPMENT | VBA/Agent.GC!tr.dldr | "Megha Borade" <20c90ad@d9b7f1cb73.bw> | 2010546c.biz |
| Aug 24, 2020 | Norstar Baltic // 10,000mt Benzene // PDA Request | Trojan:Win32/Woreflint.A!cl | Operation dept. <sm.ops@dowausa.com> | hansol.com |
| Aug 24, 2020 | pda request \| port info | Trojan:Script/Wacatac.C!ml | "Afzal Dawood Exports" <afzal.Exports@dawoodtex.com> | fishandbait.com |
| Aug 25, 2020 | LCL sea freight from Croxley - Southern Lily V396 - ETA Apia 14/01/17 - 12 pallets | VBA/Agent.K!tr.dldr | "Triss-Ann Pomare" <1140d@0463f12adb.vn> | bb92.ws |
| Aug 25, 2020 | VESSEL LIST 24-08-2020 | TrojanDownloader:O97M/Powdow.PBL!MTB | shaalanco@interlink.com.eg | ntslog.com |
| Aug 25, 2020 | RE: Emu Debit Note - 884 // 354411 // Dammam Sea Port//(1x40'HC+) | VBA/Agent.GC!tr.dldr | "Geeta Pujari" <498dd9d0@791a19d5d69f6b.vn> | 2010546c.biz |
| Aug 25, 2020 | Re: Sea Freight for Zabou orders | VBA/Agent.GC!tr.dldr | "Mohammed Patel" <caf9@bffcc0115bf57.za> | 2028c41d.uk |
| Aug 25, 2020 | RE: 38363 ==== RE: JEBEL ALI LCL SHIPMENT | VBA/Agent.GC!tr.dldr | "Megha Borade" <4acdf0f1f8b@c81.af> | 2010546c.biz |
| Aug 25, 2020 | Re: Freight / Savannah | VBA/Agent.GC!tr.dldr | "FUMATEX,INC" <263bc@d70612cc.com> | 8882cf4e69.com |
| Aug 25, 2020 | RE: CHECKLISTS // Lesotho / BY SEA // NOMINATION / UNICURE /INV. U1/242/20-21 | VBA/Agent.GC!tr.dldr | "Vinod Patidar" <aa4b6@12da95fa9a1f3a3.gt> | 2010546c.biz |
| Aug 25, 2020 | RE: RE: Freight quote for Daco | VBA/Agent.GC!tr.dldr | "Erin Ortolano" <21bf9510b3dfb7b@f7785.pl> | 753f0cc723d.com |
| Aug 25, 2020 | RE: JEBEL ALI LCL SHIPMENT | HEUR:Trojan.MSOffice.SAgent.gen | "Megha Borade" <608a105@380a499d9.com> | 2010546c.biz |
| Aug 25, 2020 | RE: JEBEL ALI LCL SHIPMENT | VBA/Agent.GC!tr.dldr | "Ibrahim@relianceuae.ae" <76a215e@b045717e.mx> | 2010546c.biz |
| Aug 25, 2020 | R: Re: Overweight container | HEUR:Trojan.MSOffice.SAgent.gen | "Aamir Khan" <957254c06ba7@283cb8ea271cc2.ar> | 8882cf4e69.com |
| Aug 27, 2020 | M.V. MURPHYLEE CTM REQUEST ETA 06th SEPT. 2020 | Fareit-FYV!B878C3A2D2AC | "pm@kcc.org.hk" <pm@kcc.org.hk> | Targets Not Disclosed |
| Aug 27, 2020 | RFQ for Offshore Drilling Equipment's,Refineries & petrochemical plants,AHU,FCU, Pipe, Valve, Pump, Fittings and Heat Recovery Unit | Trojan:Win32/Woreflint.A!cl | Senders Not Disclosed | Targets Not Disclosed |
| Aug 27, 2020 | RE: 6630 ==== RE: [SPAM]- RE: A.J.IMPORT & EXPORTS VANCOUVER LCL | TrojanDownloader:O97M/Emotet!rfn | "MAHALAXMI BL" <515405dd1b68244@a37aae624.tr> | 2010546c.biz |
| Aug 27, 2020 | RE: 37674........................RE: TORONTO LCL SHIPMENT | Trojan-Downloader.VBA.Emotet | "Satish Verkia" <86426b337@5afaa429.com> | 2010546c.biz |
| Aug 27, 2020 | Re: Hakata Queen- / ALTAMIRA / LOI FOR DISCHARGE CARGO | Trojan-Downloader.VBA.Emotet | "HAKATA QUEEN" <26674@a5e39b.com> | 29ec7f830831.mx |
| Aug 28, 2020 | RE: FW: WKW Ref:530/19/36696/C: TOMO REF : 067/19/INS/W- Permintaan survey kerusakan pulp ex Bg Marcopolo 212 ex MV Glory Forwarder | Trojan-Downloader.VBA.Emotet | "Sumardi" <abbec9b9d6f@39a9b313ab02c9595d0f.br> | b4bd8b7c1f5a.com |
| Aug 28, 2020 | Re: Request Survey Off Hire - LCT Victoria Jaya, Ciwandan Port | Trojan-Downloader.VBA.Emotet | "Daniel Onggang Siregar" <e010b3@e192e6d99fe557d6718.com> | b4bd8b7c1f5a.com |
| Aug 28, 2020 | Re: RE: LAB SURVEYOR Merak & Surabaya Vessel MT. TIGER SPRING | VBA/Agent.DDV!tr.dldr | "budi@tomosurveyor.com" <206c826040ede96a0@4e50c5d290d779dfcf2e.gh> | b4bd8b7c1f5a.com |
| Aug 28, 2020 | Re: Re: Cargo supervisor/surveyor di SPOB Lucinda | Trojan-Downloader.VBA.Emotet | "Aad ." <358bf@317dc2f001ed.br> | b4bd8b7c1f5a.com |
| Aug 28, 2020 | RE: RFQ No.19/2017-18 for Sea freight for Haz Consignment on EXW | VBA/Agent.DDV!tr.dldr | "Daksha Shinde" <d59b3112ff5b1d10@ed9080cb.eu> | 2010546c.biz |
| Aug 28, 2020 | RE: 38363 ==== RE: JEBEL ALI LCL SHIPMENT | TrojanDownloader:O97M/Emotet!rfn | "KIRAN Live" <cbb7b2fc2ef5bcaa@b09ef6a8348823.ao> | 2010546c.biz |
| Aug 28, 2020 | RFQ for Offshore Drilling Equipment's,Refineries & petrochemical plants,AHU,FCU, Pipe, Valve, Pump, Fittings and Heat Recovery Unit | Trojan:MSIL/AgentTesla.YP!MTB | "Muhannad Attalla" <mohannad@moiss.ae> | ana-iq.com |
| Aug 28, 2020 | Fwd: Planing Vessel & local Batam Maret 2020 | VBA/Agent.DDV!tr.dldr | "port.batam@cemindo.com" <7577e@9daf.vn> | 726bfbd.com |
| Aug 29, 2020 | RE: Request flight booking for MV. SEA FUTURE off signers at INCHEON, KOREA | TrojanDownloader:O97M/Emotet.PEC!MTB | "Ms. San San" <accounts2@princehr.com> | withuskor.com |
| Aug 29, 2020 | Mix container 2 purchase orders | Exploit.RTF-ObfsStrm.Gen | kelly.mfc.china@mikado-foods.de | argomarine.co.kr |

Top 5 Malicious Senders

| Sender | Malware Sent |
| --- | --- |
| accounts2@princehr.com | TrojanDownloader:O97M/Emotet.PEC!MTB |
| crew@withuskor.com | HEUR:Trojan.MSOffice.SAgent.gen |
| info@baltic-sea-forum.org | HTML/Agent.6B99!tr |
| h.lobian@ana-iq.com | Trojan:MSIL/AgentTesla.YP!MTB |
| katiegoldsbury@ravalliheadstart.org | VBA/Agent.DDV!tr.dldr |

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Tiger Spring” and the “MV Glory Forwarder” among others. Analysts continue to see multiple malicious emails from different senders using “JEBEL ALI LCL SHIPMENT” as part of the subject line. It is still unclear why this specific port is being leveraged in malicious email subject lines, but the specific use of “LCL” (Less than a Container Load) is appearing more often in malicious email subject lines.
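As an added example (not code from Dryad Global or Red Sky Alliance), the subject-line keyword heuristic the weekly query keys on, together with this week's published indicators, turned into a small inbound-mail triage function in Python. The lure-phrase list, the regex forms accepted for the MV/MT prefix and the two-signal quarantine threshold are assumptions drawn from the table above; the sender set is the post's Top 5 plus the Mikado Foods address.

```python
import re

# Sender addresses this post names as malicious: its "Top 5 Malicious Senders"
# table plus the Mikado Foods address from the "Mix container 2 purchase orders" analysis.
BLOCKLIST = {
    "accounts2@princehr.com", "crew@withuskor.com", "info@baltic-sea-forum.org",
    "h.lobian@ana-iq.com", "katiegoldsbury@ravalliheadstart.org",
    "kelly.mfc.china@mikado-foods.de",
}
# The MV/MT vessel-prefix lure the weekly query keys on, also accepting the M.V., MV.
# and M/V spellings seen in the table. The lookbehind/lookahead restrict it to a
# standalone token: "MV FIRSTEC" and "M.V. MURPHYLEE" match, "MTA" and "10,000mt" do not.
VESSEL_PREFIX = re.compile(r"(?<![A-Za-z0-9])M[./]?[VT]\.?(?=[\s:-]|$)", re.I)
# Freight-paperwork phrases recurring in the week's subject lines (assumed list taken
# from the table; the post singles out "LCL" and "JEBEL ALI LCL SHIPMENT").
LURE_PHRASES = ("LCL", "JEBEL ALI", "PDA REQUEST", "RFQ", "SHIPMENT", "SEA FREIGHT", "BL DRAFT")


def parse_sender(from_header: str) -> str:
    """Return the bare, lower-cased address from a From header like '"Ms. San San" <a@b.com>'."""
    match = re.search(r"<([^>]+)>", from_header)
    return (match.group(1) if match else from_header).strip().lower()


def triage(from_header: str, subject: str) -> dict:
    """Score one inbound message against this week's indicators; return verdict and reasons."""
    sender = parse_sender(from_header)
    reasons = []
    if sender in BLOCKLIST:
        reasons.append("sender on weekly blocklist")
    if VESSEL_PREFIX.search(subject):
        reasons.append("vessel-name lure (MV/MT) in subject")
    upper = subject.upper()
    reasons += [f"lure phrase '{p}' in subject" for p in LURE_PHRASES if p in upper]
    # Policy (assumed): a listed sender is quarantined outright; two or more independent
    # lure signals also quarantine; a single signal only flags the message for analyst
    # review, so ordinary vessel correspondence is not blocked on the MV/MT prefix alone.
    if sender in BLOCKLIST or len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"sender": sender, "verdict": verdict, "reasons": reasons}
```

Run `triage` over the From header and Subject of each message at the gateway; the "review" bucket is where the MV/MT-only hits land for an analyst to confirm against the vessel's actual operators.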

Analysts observed the malicious subject line “Mix container 2 purchase orders” being used this week. This email appears to be a purchase order coming from a German food company to a Korean marine company. Emails coming from foreign countries can prevent a targeted victim from becoming immediately suspicious when there is incorrect spelling and/or grammar in the malicious email.

The malicious email appears to be sent from “kelly.mfc.china[at]mikado-foods[.]de” which does not appear anywhere publicly in open source data. However, Mikado Foods has “bonnie.mfc.china[at]mikado-foods[.]de” listed as a contact for Mikado Foods China Co., Ltd. The malicious sender appears to have sent malicious emails in July 2019 as well. At that time, attackers were targeting a Belarusian Bank BelVEB OJSC. The sender does not have any name listed in the email signature, only contact details.

Notably, the email greets the specific target by their name which makes it more likely that this is a spearphishing attack. In the email message, the attacker tells the target to find 2 attached purchase orders, but there is only one attachment. The email also instructs the target to “please load (the first purchase order) and then (the second purchase order).” Often malware works in stages, so it is possible the attackers are attempting to get the target to activate the malware in a certain order.

The targeted email address does not appear publicly in open source. The targeted domain is used by Argo Marine Total, which is a maritime inspections and logistics company out of Korea. It also does not clearly indicate which department/division the email would be sent to. It is common for these types of malicious “purchase orders” to target the billing/accounting department to steal sensitive data or commit other cyber-attacks against the company.

If the target were to open the document titled, “M I K A D O® foods.doc,” they would activate HEUR:Exploit.MSOffice.Generic malware on their machine which in this case exploits CVE-2017-11882. This is one of the most common observed exploits leveraged by attackers. The malware can surreptitiously receive commands from a command and control server run by attackers. Using this access, attackers can exfiltrate sensitive company information including passwords, and financial data.

Analysts observed another malicious email subject line being used: “RE: Request flight booking for MV. SEA FUTURE off signers at INCHEON, KOREA.” This email is disguised as a “flight booking” request for the MV Sea Future off-signers, which is likely a reference to travel arrangements for crew changes. Due to COVID-19, this type of request would not be completely uncommon. This vessel is currently in the East China Sea.

The email is being sent from “Ms. San San” at accounts2[at]princehr[.]com. Prince HR Services is a staffing service based in Delhi, India. The sending email does not appear in the Red Sky Alliance breach data, so it is more likely that this user is being spoofed. The email seems relatively professional and addresses “Ms. So Mi,” which indicates this is a targeted attack as opposed to a spam campaign template, which typically addresses “Dear Sirs/Ma’am.” Because of COVID-19, international crew changes have been a contentious issue, which makes them a very good lure.

The referenced document is titled “661081608860286.doc.” When opened, the file activates TrojanDownloader:O97M/Emotet!rfn which installs the infamous Emotet malware. Red Sky Alliance continues to observe an increase in Emotet activity since July. First identified in 2014, this malware can steal sensitive banking, financial, and user information including passwords. As with many of the Emotet samples observed, the malware deletes the original Word document to make detections more difficult.

The target email is “crew[at]withuskor[.]com”, yet is specifically addressed to “Ms. So Mi.” Analysts were unable to find this particular employee listed anywhere in open source. Often attackers will target users with elevated privileges, but in the case of Emotet malware, the attackers are often looking for employees with access to financial data in order to steal the data and turn a profit.

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and the Maritime Blacklists offers a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.