Maritime Cyber Security & Threats Jul 2020 Week Two

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

I

Top 5 Malicious Maritime Subject Lines

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV TBN” (To Be Named) and “MV Arkadiy Chernyshev” among others. “MV Arkadiy Chernyshev” has been observed in malicious email subject lines as far back as December 2019. Collections data also continues to show “Ushasiam <samran@ushasiam.com>” sending malicious emails to recipients at safeguard-technology. It is unclear if the attacker is automating the sending of these emails as all the header information (sender, recipient, subject line, malware sent, etc.) remains the same. The domain is to Usha Siam Steel Industries and is the largest wire rope manufacturer in Thailand, so these attacks are likely to continue.

As with last week, analysts observed the same motor vessel being used in two unique subject lines - “MV PRABHU SAKHAWAT NOMINATION” and “MV PRABHU SAKHAWAT APPOINTMENT.” This vessel is currently sailing under the Indian flag from Japan to Indonesia.  The main difference between these subject lines and the two used last week is that the sender is unique for each subject line. Each subject line is also used to target a unique victim.

The first malicious email impersonates Wilhelmsen Ships Service which claims to have the world’s largest maritime services network. When it comes to developing a positive business plan, having a massive network is great. However, having an expansive network means you have much to protect. The second email sender identifies himself as Sunnytrans Co., Ltd. Both companies are part of the Wilhelmsen Sunnytrans Co., Ltd joint venture between Wilh. Wilhelmsen of Norway and Sunny Transportation of Vietnam.[1]

As seen below, there are a few key points to compare and contrast the malicious emails that were sent. One malicious email uses the term “appointment” instead of “nomination” in the subject line, but it is also notable that the names of the attached files are unique. Both emails contain 1 malicious MS Excel and 1 malicious MS Word file attachment. In the “nomination” email, the attacker uses the vessel name in the Word filename and the term “VSSL” (often an abbreviation of vessel) in the Excel filename. These are both files that attempt to disguise themselves as legitimate business documents. The “appointment” email, however, uses filenames that do not give any description of what is contained inside (“0000272277272.xlsm” and “DOCX.doc”). This type of activity likely indicates a group of attackers instead of one individual sending separate emails.

CVE-2017-11882 remains as one of the most common exploits seen in Red Sky Alliance collections. While there is a security update available to mitigate this risk, the attackers in this case attempt to exploit this vulnerability with the attached MS Word documents. They may have had unique filenames, but both .doc attachments contained Exploit:O97M/CVE-2017-8570.BBE!MTB malware. This malware can act on behalf of the victim with the same permissions as the current user. In other words, if a victim is signed into a user account with escalated privileges, then the attacker would obtain that same access.

Analysts observed another malicious email which was identified as spam by a email filter “[***SPAM*** Score/Req: 04.70/4.4] OFFICAL ARRIVAL NOTIFICATION - MV STELLAR WALVIS BAY VOY 028E / BILL\r\n OF LADING - ETA 2020/07/17.” The obvious question becomes “who in their right mind would open an email clearly labeled as ‘spam’ by a webmail filter?” One would argue that any untrained employee might open this email if they found the rest of the subject line interesting enough.

Although a company like Maersk likely has a strong cybersecurity infrastructure in place, especially after NotPetya in 2017, this is a prime case study of an impersonation attempt. The attacker impersonates Maersk while targeting employees at the company. This is a common tactic that bad actors use while targeting a company. In this case, a user may see that the subject line says spam, but the sender header says it is from “Maersk” and open the email anyway.

The sender uses the alias “MAERSK-LINE” but the sending address is “Maersk@ jeragh-lighting[.]com.” There is a website registered to that domain (jeragh-lighting[.]com) for a lighting company in Kuwait. It is possible this is an email which is used for communications specifically between Jeragh Lighting and Maersk. What is also unclear is if the email is a legitimate email that was taken over by an attacker or if this account was specifically created to commit attacks against Maersk. The sender was targeting the customer care email at Maersk.

The message body contains a Maersk logo and appears professional. The sender signs the email as “Roy Jones, Customer Service, Caribbean Third Party Agents-Guyana” and references an attached “Official Arrival Notification and Bill of Lading copy” PDF. The attached file is not actually a PDF, however.

The attached file is an image named “MAERSK_BILL OF LADING_910727869.pdf.img.” Even though the file name contains “pdf” it is actually a .img file containing PWS:Win32/Fareit.AQ!MTB malware. Fareit malware, originally discovered in 2012, routinely undergoes changes in its code to bypass antivirus and IPS detection. According to TrendMicro, its most common routines include:

• Steals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software
• Steals stored email credentials of different mail clients
• Gets stored information such as usernames, passwords, and hostnames from different browsers
• Performs brute forcing capabilities on local accounts based on acquired password list
• Replicates other Remote Desktop Protocol (RDP) utilities’ mutexes to mask execution in the background, then deletes itself after execution
• Downloads additional malware payload[2]

While many people are trying to manage the shifting cyber landscapes of 2020, attackers continue to use tried and true malicious TTP’s. Tactics such as disguising email senders, filenames, and other parts of an email message may be partially aimed at bypassing technological filters, but they are mostly aimed at tricking the person reading the email. If you can get a malicious email to a user with escalated privileges, it may get flagged as malware, but often the human can override that alert and activate the malware anyway. This may sound foreign to those trained in cyber, but how much do you think a business employee cares about their privilege level or AV alert when they are in a rush to download a client file/request? A better question is how much are you willing to bet on your employees’ level of awareness?

[1] http://sunnytrans.com.vn/san-pham/41/liner-logistics.html

[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/fareit

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.  These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.   Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks.    Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles.  Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.  Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

• Train all levels of the marine supply chain to realize they are under constant cyber-attack.
• Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
• Provide practical guidance on how to look for a potential phishing attempt.
• Use direct communication to verify emails and supply chain email communication.
• Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.