Maritime Risk Intelligence Blog

Maritime Cyber Security & Threats Aug 2020 Week Two

Written by Dryad Global | August 17, 2020 at 12:06 PM

Dryad and cyber security partner Red Sky Alliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partner, Red Sky Alliance, performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails. The MV/MT keywords in an email subject line are a common lure used to entice users in the maritime industry to open emails containing malicious attachments.

Together with our cyber security partner we provide a weekly list of Motor Vessels observed being impersonated, along with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.

Malicious Email Collection 8 Aug - 15 Aug 2020

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Aug 10, 2020 | =?UTF-8?B?5Zue5aSNOiDlm57lpI06?= FOB LCL SHIPMENT EX-SHANGHAI TO CHITTAGONG; SHPR/SHANGHAI HONSUN | Trojan:Script/Wacatac.C!ml | Shi Hongjun <d.ahrens@ep-online.de> | rightel.ir |
| Aug 10, 2020 | RE: LCL SEAFREIGHT SHPMT QUOTATION C/ RFQ LCL | Trojan:MSIL/AgentTesla.VN!MTB | "Mercè Sanabra" <1b126a92b@dcd940d7db.com> | 2010546c.biz |
| Aug 10, 2020 | Freight idea for 2.5k VAM from Ulsan to Zhanjiang | Trojan:MSIL/AgentTesla.VN!MTB | "PeiChi Ong" <peich@quincannon.com.sg> | quincannon.com.sg |
| Aug 10, 2020 | MV HUA KAI V-2023 AGENCY NOMINATION | Trojan:MSIL/AgentTesla.VN!MTB | "lysun1973@163.com" <lysun1903@163.com> | 163.com |
| Aug 10, 2020 | Re: Abholung der Container/ Auftrag B2001-001627 | TrojanDownloader:O97M/Emotet!rfn | "'ls@kr-feuerfestmontage.de'" <operation01@xuantruongtransport.com.vn> | container.de |
| Aug 10, 2020 | MV VINDONISSA TBN to discharge abt 56k mt coal of bulk | Exploit:O97M/CVE-2017-11882.ARJ!MTB | AUSCA SHIPPING HK LIMITED <e56cdae2f91e@bdf5e56.com> | 5252c50c8.lk |
| Aug 10, 2020 | MV DAEWOO TBN EPDA/PORT INFO ENQUIRY | HEUR:Trojan-Downloader.Script.Generic | FUYUAN SHIPPING CO.,LTD <5492ca45f0@87f689b05430b8.COM> | a694174ef.com |
| Aug 10, 2020 | DHL PRE-ALERT NOTIFICATION: IDN-H-MOH // CIP-OCEAN | Trojan:MSIL/AgentTesla.VN!MTB | DHL SHIPMENT DELIVERY <Totaltrack@dhl.com> | Targets Not Disclosed |
| Aug 11, 2020 | SUBJECT: MV. GREEN CELESTE - CREW EMBARKATION PLAN (AB) | TrojanDownloader:O97M/Emotet!rfn | "CrewYGN" <admin@tknsecurity.co.za> | withuskor.com |
| Aug 11, 2020 | AW: RE: mv Vingaren/ Kaliningrad(Svetly),Russia - Vasteraas, Sweden/Rapeseed meal, 2000 mts//operation report | TrojanDownloader:O97M/Emotet.CSK!MTB | Holmia Bulk Shipping <armani.exchange@sinteks.com> | withuskor.com |
| Aug 11, 2020 | Re: Weekly pill container | VBA/Agent.BIP!tr.dldr | "Raymond" <f0b06@6836c2f1a639971d9.com> | 4f7c2a10a.za |
| Aug 11, 2020 | RE: RE: unsere AB Nr. B1801-005765 Container - Umsetzung von Frankfurt zum Projekt: Offenbach Citypassage, Frankfurter Str. 39-45 | TrojanDownloader:O97M/Emotet.CSK!MTB | "Marzi Stefan" <jbuae0015@jollibeeuae.com> | container.de |
| Aug 11, 2020 | Container Ref Id: F36267 | TrojanDownloader:O97M/Emotet.CSK!MTB | "Alexander Berndl" <kayee_kong@cohl.com> | container.de |
| Aug 11, 2020 | Re: RE: RE: MAERSK STOCK REPORT - 05.22.17 | TrojanDownloader:O97M/Emotet!rfn | "Vaitafao Lui" <78d6810@7c0b523dbc9c.com> | f4a27886b6939.br |
| Aug 11, 2020 | Container Shipping Documents | Trojan:Win32/Woreflint.A!cl | "Joseph, Carlos Xavier" <joseph@caspidelivery.com> | rucls.net |
| Aug 11, 2020 | RE: RE: PLANILLA DE COMISIONES CD ORURO, CD TARIJA Y CD IVIRGARZAMA A CARGO DE AIDISA ABRIL 2020 | TrojanDownloader:O97M/Emotet!rfn | "Nicolas Peña" <680935c3d112@7a3ae27c.pk> | 8461db3a02b.bo |
| Aug 12, 2020 | RE: CHECKLISTS // Lesotho / BY SEA // NOMINATION / UNICURE /INV. U1/242/20-21 | TrojanDownloader:O97M/Emotet!rfn | "Ravindra" <91b35cb@28391726e43428585.org> | 2010546c.biz |
| Aug 12, 2020 | Phoenix Freight | Trojan-Downloader.VBA.Emotet | "Phoenixfreight" <925d75@e14436cd7c4e03.com> | ad2796f954db1a.com |
| Aug 12, 2020 | RE: LCL SUPPLY SEAFREIGHT SHPMT QUOTATION C/ RFQ LCL | Program:Win32/Wacapew.C!ml | "Mercè Sanabra" <e18c55808c@dcd940d7db.com> | 2010546c.biz |
| Aug 12, 2020 | RFI for XL MV MS Project | Trojan:MSIL/AgentTesla.P!MTB | "Damai Desnathalya Latjuba" <damaidesnathalya@huawei.com> | huawei.com |
| Aug 12, 2020 | DORIKO - MV. SEA COEN - CHECKLIST | VBA/Agent.BIP!tr.dldr | "Ms. San San" <obravo@andinor.cl>, 'Lee Won-gun' <wglee@withuskor.com> | Targets Not Disclosed |
| Aug 12, 2020 | 2020 Garyville Barge Log.xlsm | WORM.Virus | "Brindley, Katie" <kabrindley@marathonpetroleum.com> | savageservices.com, saigulf.com, marathonpetroleum.com, stjohnfleet.com, marathonpetroleum.com, canalbarge.com |
| Aug 13, 2020 | FW: Request for quotation MV Crystal BAY | Exploit:O97M/CVE-2017-0199.YA!MTB | Hangzhou Chinastars Reflective Material Co.Ltd <coco@chinastars.com.cn> | Targets Not Disclosed |
| Aug 13, 2020 | FW: Request For PDA and Liner Expenses | Trojan:Script/Casur.A!cl | Chai Chin Ling(LCTM Engineering) <clchai@lotte.net> | lotte.net |
| Aug 14, 2020 | MV.TBN /port info | Trojan:Script/Oneeva.A!ml | H-LINE SHIPPING CO., LTD <ace6@db2b22d0e5ca78.com> | 910ac430f.com |
| Aug 14, 2020 | RE: JEBEL ALI LCL SHIPMENT | VBA/Agent.BIP!tr.dldr | "Megha Borade" <473b283c@638220aec64.com> | 2010546c.biz |
| Aug 14, 2020 | MV CHINALAND TBN/ PORT AGENCY APPOINTMENT | Trojan:Win32/Woreflint.A!cl | ops@chinalandshipping.com.cn | phoenix-tc.com |
| Aug 15, 2020 | Mail from 913fb37cb8f94e@e742ef0b0be9b8.mv - CreditControl SunIsland Resort & Spa | TrojanDownloader:O97M/Emotet.PEC!MTB | "CreditControl SunIsland Resort <913fb37cb8f94e@e742ef0b0be9b8.mv>" <bc62e6@7c3eafa.hk> | c6ca75ba10c30.nz |
| Aug 15, 2020 | RE: MV "Nina" - - PROFORMA - PDA | Trojan:MSIL/Formbook.VN!MTB | Ancomarine yux <99703cc@9e1dc5c932.com> | a694174ef.com |
| Aug 15, 2020 | Fwd:Re: CONSIGNEE CONTACT DETAILS***RE: Shipped On Board / Vsl: NYK THEMIS Voy-065E / UACU 5339210 (40)/HC, B/L: MU19S0036894, Shipp | HEUR:Trojan.MSOffice.SAgent.gen | "Hvd International" <9e438d8a7b@f6c8b69f910da5702dc0.com> | 2010546c.biz |
| Aug 15, 2020 | RE: Re: 38363 ==== RE: JEBEL ALI LCL SHIPMENT | TrojanDownloader:O97M/Emotet.RKC!MTB | "KIRAN Live" <2ede8@2b63e043d0c8a.zw> | 2010546c.biz |

Top 5 Malicious Maritime Subject Lines

| Subject Line Used | Email Sender Using Subject Line | Times Seen |
|---|---|---|
| MV CHINALAND TBN/ PORT AGENCY APPOINTMENT | ops@chinalandshipping.com.cn | 13 |
| DHL PRE-ALERT NOTIFICATION: IDN-H-MOH // CIP-OCEAN | DHL SHIPMENT DELIVERY <Totaltrack@dhl.com> | 7 |
| RE: CHECKLISTS // Lesotho / BY SEA // NOMINATION / UNICURE /INV. | "Ravindra" <4c37@016cb9.com> | 5 |
| 2020 Garyville Barge Log.xlsm | "Brindley, Katie" <kabrindley@marathonpetroleum.com> | 5 |
| Vertrag | "amsn Comptabilite <588a920585a7@7e52.fr>" f04e2@8829f430a.vn, "Paul Graham <c13e@74a99807cd4f2db8.ie>" 2beaad@e67244fbdd80.uk, "Miss Fabienne Tagro" 2a172f344cda@cb7148d9ccd2.br, "Heiner Haase" <sales@sf-egypt.com> | 5 |

In the above collection, malicious actors use vessel names in an attempt to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Crystal Bay” and the “MT Green Celeste”. The same vessel “Jebel Ali” has been observed in unique malicious email subject lines for approximately one month.

Analysts observed the malicious subject line “2020 Garyville Barge Log.xlsm” in use this week. This malicious email was sent to numerous targets across several different companies. The email spreads worm malware that propagates itself as often as possible.

This malicious email appears to come from a scheduler at Marathon Petroleum Corporation, "'Brindley, Katie' <kabrindley@marathonpetroleum.com>". While the attacker may simply have impersonated this employee, targets are more likely to trust a legitimate employee of a large company such as Marathon Petroleum. Employees at the following companies were targeted:

  • Savage Services
  • SAI Gulf, LLC.
  • Marathon Petroleum
  • John Fleeting, LLC
  • Canal Barge

The malware being spread in this case is WORM.Virus malware. Worms can modify and delete files, and they can even load additional malicious software onto a victim's device. They are often spread via email, as in this case.

The email body contains only an advisory that the message originated from outside the target's network and should be handled accordingly. There is no message from “Katie” explaining why the attached files were sent, a further indication that this is not a benign email.

Analysts observed two separate malicious emails being sent from two unique email addresses. Each of the emails contained TrojanDownloader:O97M/Emotet.CSK!MTB malware. Red Sky Alliance continues to see Emotet activity across multiple industries, and particularly in the shipping industry.

The two email addresses sending malware to the targets are "'Marzi Stefan' jbuae0015[at]jollibeeuae[.]com" and "'Alexander Berndl' kayee_kong[at]cohl[.]com". Jollibee appears to be a fast food restaurant based in the UAE. COHL is China Overseas Holdings Limited. It is unclear why attackers would use these two companies to target the victims. These are more likely spear phishing attempts, as the language of the two emails varies: one target received an English email, while the other message contains Dutch text.

Both targets were using container[.]de email addresses, indicating they are employees at ELA Container in Germany. Although neither of the targeted email addresses was found in open source, one of the targeted employees advertises on social media that they are the head of purchasing for the company. Attackers would likely view this employee as a high-value target. The employee almost certainly has access to sensitive financial information and customer/vendor data.

Both malicious attachments in this case were MS Word documents, “Buchhalt_11_08_2020_7206601524.doc” and “Inv_34044.doc”. Emotet malware continues to advance and evolve to steal more data while attempting to avoid detection. It can even detect whether it is running in a virtual environment, which makes analysis more difficult. The malware acts as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.[1]


[1] https://www.malwarebytes.com/emotet/

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could make the recipient an infected member of the maritime supply chain and thus possibly infect vessels, port facilities and/or shore companies in the marine, agricultural and other industries with additional malware.
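As an added illustration of the triage described in this report (example code, not a tool from Dryad Global or Red Sky Alliance), the Python script below checks a raw message for the lure patterns visible in this week's collection: an MV/MT keyword in the subject, a reply-style subject that carries no threading headers, a display name that shows a different address from the real sender, and a macro-capable Office attachment. The two sample messages and the `example.invalid` addresses are constructed for the example, and the heuristics are assumptions of this example rather than a published detection rule.

```python
import re
from email import message_from_string, policy

# Subject keywords the weekly query keys on: Motor Vessel / Motor Tanker lures.
VESSEL_LURE = re.compile(r"\b(?:MV|MT)\b\.?", re.IGNORECASE)
# Reply/forward prefix, possibly behind a localised prefix such as a decoded "回复:".
REPLY_PREFIX = re.compile(r"^(?:[^\s:]+:\s*)*(?:RE|AW|FW|FWD)\s*:", re.IGNORECASE)
# Legacy and macro-capable Office formats carried in this collection (.doc, .xlsm).
MACRO_EXT = (".doc", ".xls", ".docm", ".xlsm", ".rtf")
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage(raw: str) -> dict:
    """Parse one raw RFC 5322 message and list the lure indicators it carries."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")  # policy.default decodes =?UTF-8?B?...?= words
    findings = []
    if VESSEL_LURE.search(subject):
        findings.append("vessel keyword (MV/MT) in subject")
    # Looks like a reply but carries no threading headers: not part of a real thread.
    if REPLY_PREFIX.match(subject) and not (msg["In-Reply-To"] or msg["References"]):
        findings.append("reply prefix without In-Reply-To/References")
    # Display name shows one address while the real sender is another (compare
    # "lysun1973@163.com" <lysun1903@163.com> in the collection table).
    for a in (msg["From"].addresses if msg["From"] else ()):
        shown = ADDR_IN_NAME.search(a.display_name)
        if shown and shown.group(0).lower() != a.addr_spec.lower():
            findings.append(f"display name shows {shown.group(0)}, sender is {a.addr_spec}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(MACRO_EXT):
            findings.append(f"macro-capable attachment {name}")
    return {"subject": subject, "findings": findings}


# Constructed sample in the style of the collection: encoded-word and reply prefixes,
# MV keyword, mismatched display name and a .doc attachment.
SAMPLE_LURE = (
    'From: "lysun1973@163.com" <lysun1903@163.com>\n'
    "Subject: =?UTF-8?B?5Zue5aSNOg==?= RE: MV HUA KAI V-2023 AGENCY NOMINATION\n"
    'Content-Type: multipart/mixed; boundary="B1"\n\n'
    "--B1\nContent-Type: text/plain\n\nPlease see attached.\n"
    '--B1\nContent-Type: application/msword; name="Inv_34044.doc"\n'
    'Content-Disposition: attachment; filename="Inv_34044.doc"\n\n0M8R4KGx\n--B1--\n'
)
# Constructed benign reply: threading header present, plain sender, no attachment.
SAMPLE_BENIGN = (
    "From: Ops Desk <ops@example.invalid>\nIn-Reply-To: <abc@example.invalid>\n"
    "Subject: RE: berth schedule\nContent-Type: text/plain\n\nConfirmed.\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage(raw))
```

Running the script prints the decoded subject and the indicator list for each sample; the benign reply yields an empty list.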

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to recognise that they are under constant cyber-attack.
  • Stress constant attention to the real-world consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to spot a potential phishing attempt.
  • Verify emails, particularly supply chain email communication, through direct communication with the sender.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.