Maritime Risk Intelligence Blog

Maritime Cyber Security & Threats Aug 2020 Week One

Written by Dryad Global | August 10, 2020 at 8:29 AM

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of their backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the keywords Motor Vessel (MV) or Motor Tanker (MT) in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Aug 1, 2020 | Documents for the Sea shipment(MATZ MAERSK / 017W , ETA:2/08) | Exploit:O97M/CVE-2017-11882.AT!MTB | jyun@woohyunshpg.co.kr | phoenix-tc.com |
| Aug 1, 2020 | Re: Ocean Shipment #CS004347 - ARRIVAL | JS.Heur.Morpheus.8.Gen | Mohamed hesham <mohamedhesham_232012@hotmail.com> | Targets Not Disclosed |
| Aug 1, 2020 | Freight Inv Confirm A/C ENERGY TRANS INDUSTRIAL CO.,LTD | TrojanDownloader:O97M/Obfuse.YO!MTB | ENERGY TRANS INDUSTRIAL CO.,LTD | ecfbb38e91a.sg |
| Aug 2, 2020 | URGENT - Pda, port info - loading bagged rice LT TBN 38 | Exploit:O97M/CVE-2017-11882.AT!MTB | Simon Schlegel <07e05c44ac84582@86b660.com> | d397f.com |
| Aug 2, 2020 | // SHIPMENT ADVISE // SEA SHIPMENT/28CTNS HB/L # DAC0024943 COB: 02-AUGUST-2020 | Trojan:Win32/Wacatac.C!ml | CONG TY TNHH SOUTH SUNRISE <purchase@southsunrise.com.vn> | electroputere.ro |
| Aug 2, 2020 | Mail from caf9@91f29e7f0.com - Info R-Freight | TrojanDownloader:O97M/Emotet.FSK!MTB | "Info R-Freight <caf9@91f29e7f0.com>" <2928dd247@7c8680829.com> | 79f8dc.com |
| Aug 3, 2020 | subject vessel calling Longkou port, pls kindly submit pda for attached voy= | Trojan:MSIL/AgentTesla.VN!MTB | "Jerry Lv - sinoagent" <g.agent@sinoagent.com> | sinoagent.com |
| Aug 3, 2020 | MV PANAMAX BREEZE calling Longkou | Trojan:MSIL/AgentTesla.VN!MTB | "Jerry Lv - sinoagent" <g.agent@sinoagent.com> | sinoagent.com |
| Aug 3, 2020 | air freight shipment | Trojan:Win32/Wacatac.C!ml | "jimmy.mehta@adityabirla.com (Nadine Talmon)" <jimmy.mehta@adityabirla.com> | altn.com |
| Aug 3, 2020 | [DHL] SC# 84979926 Cargo Delivery | Trojan:Win32/Wacatac.C!ml | Anunayi Kumari Kar {DHL}<Procurement_Help_IN@dhl.com> | silloptics.de |
| Aug 3, 2020 | Fw:RE: Container shipment PL PI984132 | Trojan:Win32/Wacatac.C!ml | Serena <deba8a67a@f80cb250.de> | 589ab18.com |
| Aug 3, 2020 | [YIC] JULY-09 SEA SHIPPING DOC. | Trojan:MSIL/AgentTesla.MK!MTB | Imiso (Miso_Lee) <odessa@amicavia.com.ua> | Targets Not Disclosed |
| Aug 3, 2020 | MV OCEAN HERO : CTM DELIVERY | Exploit:O97M/CVE-2017-8570.BK!MTB | "Hanaro Marine Suppliers, S.A." <hanaro-csi@ikmc.net> | ikmc.net |
| Aug 4, 2020 | RFI for XL MV MS Project | Trojan:Win32/Wacatac.C!ml | "Damai Desnathalya Latjuba" <damaidesnathalya@huawei.com> | huawei.com |
| Aug 6, 2020 | FW: E-1029 - LENIGME 26.06.20 1 x 20'GP -Invoice & Images Container load 26.06.2020 | TrojanDownloader:O97M/Emotet!rfn | "Charlene Olivier" <f754e2a3@04874143b17320a287808.com> | 25e47a6fc.za |
| Aug 6, 2020 | Vessel Antivirus out of date,#uid: 9406465 in AVSupport | TROJ_GEN.F0D1C00BG20 | "Port-IT Support Desk" <strio@port-it.nl> | amosconnect.com |
| Aug 7, 2020 | FDA reminder for Port / FDA Pending/ 2 / Singapore / NAF1900479 / 03-Dec-2019 / 04-May-2020 | Trojan:Win32/Wacatac.C!ml | Disbursements <326cc10d11d7@21f579.biz> | b93c9277eafd7.com |
| Aug 7, 2020 | MV Olympic V.1812//Request For EPDA and Liner Expenses | Trojan:Win32/Wacatac.C!ml | "Louis" <sumin@paddocksjeans.com> | Targets Not Disclosed |
| Aug 7, 2020 | Rise of Piracy at Sea 2020/Maritime Security | Exploit:O97M/CVE-2017-11882.AT!MTB | Operations Al Safina Security<caf9@8f87a1cadb65d9c2.ae> | 2010546c.biz |
| Aug 7, 2020 | RE: Re: MV HUA SHAN CALLING / FDA | Trojan:Win32/Wacatac.C!ml | "E.S." <escho@dyulc.co.kr> | Targets Not Disclosed |
| Aug 7, 2020 | Inquiry PDA at Incheon(S.S. Pacific Enlighten) | Trojan:Win32/Wacatac.C!ml | <y.yamaya@lngmt.jp> | Targets Not Disclosed |
| Aug 7, 2020 | RE: Container | VBA/Agent.BIP!tr.dldr | "Aurea Stemmer" <c761dc695@a22fe881a75.com> | bdfb73ebf704abc9a.com |
| Aug 7, 2020 | 回复: 回复: FOB LCL SHIPMENT EX-SHANGHAI TO CHITTAGONG; SHPR/SHANGHAI HONSUN | HEUR:Trojan.Script.Generic | Shi Hongjun <d.ahrens@ep-online.de> | rightel.ir |


Top 5 Malicious Maritime Subject Lines

| Subject Line Used | Email Sender Using Subject Line | Times Seen |
|---|---|---|
| SHIPPING DOCUMENTS | "Jobin Philipose" <info@manhal.com>, "MAERSK LINE" <a32@fd8e08.com>, <c13e@fd8e08.com>, <078c0@fd8e08.com>, <8a94bdf@fd8e08.com> | 32 |
| RFI for XL MV MS Project | "Damai Desnathalya Latjuba" <damaidesnathalya@huawei.com> | 6 |
| (350920) Vessel Antivirus out of date,#uid: 9406465 #18 | "Port-IT Support Desk" <strio@port-it.nl> | 6 |
| Delivery Notice: confirm your order | Port Express Note <0d0de9fed9e@0b91dfc.cn> | 6 |
| FW: E-1029 - LENIGME 26.06.20 1 x 20'GP -Invoice & Images Container load 26.06.2020 | "Charlene Olivier" <14bf666a9b6a643e@cf1b7b234fe43bde.it>, "Charlene Olivier" <f754e2a3@04874143b17320a287808.com> | 5 |

 

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Panamax Breeze” and the “MT Marine Hope” among others.

Analysts observed the malicious subject line “MV Olympic V.1812//Request For EPDA and Liner Expenses” being used this week. “MV Olympic” has been observed in numerous malicious email subject lines in the past. The vessel is popular in Washington State for its historical value as a Washington State Ferry. The exact same subject line has been used by the following senders beginning in January 2019:

  • “Najima Yuki” <jpnjm[at]hmm21[.]com>
  • “Millenia Maritime Inc/Supply Department [mailto:purchasing[at]millenia[.]gr]”
  • “SOUTHERNPEC (S’PORE)_SHIPPING_PTE_LTD” <lau[at]southernpec[.]com[.]sg>
  • "LX MARINE CO.,LTD" <lxm[at]lxmarine[.]co.kr>
  • "Louis" <sumin[at]paddocksjeans[.]com>

The attacker in this most recent case is sending from “Louis” <sumin[at]paddocksjeans[.]com>. The signature shows that the sender “Louis Lau” is an Operations Executive with “SOUTHERNPEC (S’PORE) SHIPPING PTE LTD”, which is listed above as one of the sending aliases. In other words, the sender identifies themselves as Louis Lau multiple times, but sends the malware from different email addresses.

The email address listed in the signature (lauxh[at]souternpec[.]com.sg) is very similar to one of the sending addresses listed above (lau[at]southernpec[.]com.sg). It is likely that someone is leveraging this operations executive’s position to commit cyber-attacks. As with many of the observed malicious emails, this one contains a generic “Good Day” greeting so it can be used to target multiple recipients.

When the target opens the attachment “MV Olympic V.1812Request for EPDA and Liner_Expenses_pdf.rar” they may think that they are opening a PDF containing a “vessel description.” However, they would actually be opening a RAR file and activating Spyware.AgentTesla malware, which has the ability to steal sensitive data from the victim and leaves the attacker the opportunity to install other malware for future cyber-attacks.

Analysts observed another malicious email subject line being used: “回复: 回复: FOB LCL SHIPMENT EX-SHANGHAI TO CHITTAGONG; SHPR/SHANGHAI HONSUN.” The sender uses a generic greeting in this email, just as we see with other spam malware campaigns. There are multiple indications that this email is malicious.

The sending email address is “d.ahrens[at]ep-online[.]de,” however the reply-to address is “reliablesalosusa[at]outlook[.]com.” While the EP-Online domain does not appear to lead to a valid website, it is possible the attacker was attempting to spoof the ElectronicPartner (EP[.]de) company. Although the sender’s name in the email header is “Shi Hongjun,” the email is signed by “Monice Maria Mesa” (the Manager at Inexport Logistics LLC in Florida, US). All of these contradictions further indicate that the email is malicious.

The target appears to be an employee at RighTel, a telecoms provider in Iran. The employee’s position at the company is unclear. When the recipient opens the .html attachment disguised as “PO56#45.html,” they are actually activating a fake webpage which attempts to steal their MS Office credentials. When opened, the html file requests sign-in credentials, purportedly so the user can view the spreadsheet in Excel. When the target enters their credentials, they are exfiltrated to a server owned by the attacker.
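As an added illustration, not code from the Dryad Global or Red Sky Alliance report, the following Python triage routine applies the indicators discussed above (a Reply-To domain that differs from the From domain, a display name carrying a second address, an MV/MT subject lure, a generic greeting, and an archive or HTML attachment posing as a document) to a few constructed messages; the placeholder addresses, the flag names and the two-indicator threshold in `suspicious` are assumptions.

```python
import re

_ADDR = re.compile(r'^\s*(.*?)\s*<([^<>\s]+@[^<>\s]+)>\s*$')      # display name + <address>
_VESSEL_LURE = re.compile(r'\b(MV|MT|M/V|M/T)\b')                  # vessel keywords in subject
_GREETING = re.compile(r'^\s*(good day|dear (sir|madam|sir/madam|customer))\b', re.I)
_RISKY_EXT = re.compile(r'\.(rar|zip|7z|iso|img|exe|scr|js|vbs|html?)$', re.I)
_DOC_HINT = re.compile(r'(pdf|xlsx?|docx?|invoice)', re.I)         # name says "document"

def split_address(value):
    # Simplified RFC 5322 split: the last <...> is the real address, the rest is the display name.
    m = _ADDR.match(value or '')
    return (m.group(1).strip('" '), m.group(2).lower()) if m else ('', (value or '').strip().lower())

def domain_of(addr):
    return addr.rsplit('@', 1)[-1] if '@' in addr else ''

def assess(msg):
    # msg is a dict with 'from', optional 'reply-to', 'subject', 'body' and 'attachments'.
    flags = []
    name, sender = split_address(msg.get('from', ''))
    _, reply_to = split_address(msg.get('reply-to', ''))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append('reply-to-domain-mismatch')             # replies are routed elsewhere
    embedded = re.search(r'[\w.+-]+@[\w.-]+', name)
    if embedded and domain_of(embedded.group().lower()) != domain_of(sender):
        flags.append('display-name-embeds-foreign-address')  # address shown != address used
    if _VESSEL_LURE.search(msg.get('subject', '')):
        flags.append('vessel-keyword-lure')
    if _GREETING.match(msg.get('body', '')):
        flags.append('generic-greeting')                     # one mail reused for many targets
    for fname in msg.get('attachments', []):
        ext = _RISKY_EXT.search(fname)
        if ext and (ext.group(1).lower().startswith('htm') or _DOC_HINT.search(fname[:ext.start()])):
            flags.append('attachment-disguised:' + fname)    # archive/HTML posing as a document
    return flags

def suspicious(msg, threshold=2):
    # Assumed triage rule, not the vendor's: two or more indicators earn a quarantine review.
    return len(assess(msg)) >= threshold

SAMPLES = {  # constructed samples modelled on the messages discussed above; addresses are placeholders
    'display_name': {'from': '"Info R-Freight <caf9@freight.example>" <2928dd247@sender.example>',
                     'subject': 'Mail from caf9@freight.example - Info R-Freight',
                     'body': 'Good Day,\nPlease find attached.', 'attachments': ['Shipping_Documents_pdf.rar']},
    'reply_to': {'from': 'Shi Hongjun <d.ahrens@ep-online.example>', 'reply-to': 'reliablesales@webmail.example',
                 'subject': 'FOB LCL SHIPMENT EX-SHANGHAI TO CHITTAGONG',
                 'body': 'Dear Sir, kindly view the attached PO.', 'attachments': ['PO56#45.html']},
    'benign': {'from': 'Port Agency <ops@agency.example>', 'subject': 'MV OCEAN HERO: berth confirmation',
               'body': 'Hi Captain Smith,\nBerth 4 confirmed for 0600.', 'attachments': ['berth_plan.pdf']},
}
```

A lone vessel keyword is expected in legitimate agency traffic, so the benign sample stays below the threshold while the two lures trip several indicators each.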

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.