17 min read

Maritime Cyber Security & Threats Jun 2020 Week Two


Featured Image

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Vessel Impersonation Report 

 First Seen

 Subject Line Used

Malware Detections

Sending Email

Targets

Jun 8, 2020

RE: SGNYYZ200501 - SGN/TOR/00484 - LCL SHIPMENT , ATD 08 JUN 2020

Trojan:Win32/Wacatac.C!ml

“Pakorn Pichairat” <318f30d79a0bceef@ad8315d8d804.com>

cb688d@2010546c.biz

Jun 8, 2020

Subject : PDA Query -VSL- DHT-200025-1/ P\'DA ETA :10 June

Trojan:Win32/Sonbokli.A!cl

de59fa@21f579.biz

62dcbef34b@dc07877f43630b6.com

Jun 8, 2020

subject to the FIATA Model Rules for Freight Forwarding Services as adopted=

Trojan:Win32/Occamy.C41

"Rui Koh/ Kuehne Nagel" <info@mail2525.himayadar.org>

info@mail2525.himayadar.org

Jun 8, 2020

COSCO SHIPPING LINES - 7223928450 - Shipping Instruction/BL

Trojan:Win32/Wacatac.C!ml

“COSCO SHIP MANAGEMENT CO., LTD” <e35015@0ea263.com>

caf9@77389d269.com

Jun 8, 2020

MV. SYROS ISLAND - Ship\'s Documents

HEUR:Exploit.MSOffice.Generic

"Sam Manopo (Mr)" <agency@dalianputramaritim.com>

Targets Not Disclosed

Jun 8, 2020

DOOSAN RFQ(M/V NAVIOS STAR AND MV Nord Galaxy - Inquiry

Trojan:Win32/Wacatac.C!ml

“DOOSAN GROUP” <caf9@0af5f1.com>

Targets Not Disclosed

Jun 8, 2020

MV XIU SHAN supplied Japan 19.4.20

Trojan:Win32/Wacatac.C!ml

7c2cdb@4131f12cfb56.jp

a3278cc@71016727fabd5f2.jp,  7c2cdb@4131f12cfb56.jp

Jun 8, 2020

AGENCY APPOINTMENT/ MV SHOTAN /DISCHARGING/PDA

Exploit:O97M/CVE-2017-11882.L

df15ae634578@6b74fbd36.cn

9ed08@dcc762b7ba3.uk

Jun 8, 2020

MV EVIAPETROL V REQS

HEUR:Exploit.MSOffice.Generic

“SMC Marine Management Pte Ltd” <rifai@smcmarine.com.sg>

Targets Not Disclosed

Jun 9, 2020

Arrival Notice of B/L#MEDUMH763885 on Maersk received.

Trojan:Script/Wacatac.C!ml

"Maersk Line" <9aGqxq88g3bbpOZbift5y@crm.natfood.co.zw>

ventasbogota1@anquimico.com

Jun 9, 2020

LOADING DOCUMENTS // MV. GLOBE ELECTRA - TABONEO

HEUR:Exploit.MSOffice.Generic

“Abu Hasan M” <ops1@wallemsentosa.co.id>

Targets Not Disclosed

Jun 9, 2020

M/V BCC CONGO - Port Agency Appointment

Exploit:O97M/CVE-2017-11882.L

“InterTrans OPS” <operation@inter-trans.co>

jameshall@compasspub.com

Jun 9, 2020

urgentttt---RE: 3&4 CONTAINER CI

Trojan:Win32/Wacatac.C!ml

caf9@6e30d084337dfcef9.tr

caf9@32d7ba770ac725d184.com

Jun 10, 2020

[***SPAM*** Score/Req: 06.10/4.4] Dispatch Details // Invoice - EXP/23/20-21// Cont No-\r\n TGBU580623(1)40FT/Port-Norfolk//01x40ft

Trojan:Win32/Wacatac.C!ml

“Anthony Such-uni” <support001@dysonservicecentre.co.uk>

“Anthony Such-uni” <support001@dysonservicecentre.co.uk>

Jun 10, 2020

RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 //\r\n MAERSK KLEVEN V.949E // CLGQOE191781 //

Exploit:O97M/CVE-2017-11882.PRB!MTB

"A.P. Moller - Maersk" <nooreply@maersk.com>

Targets Not Disclosed

Jun 10, 2020

RE: MV WESTERN TOKYO 62,647DWT / LOADING CLINKER - REQUEST FOR PDA

 

Trojan:Win32/Vigorf.A

"San Nikolla Shipmangement S.A" <shipning@san-nikolla.gr>

operations@labcosulich.com

Jun 10, 2020

RE:RE:RE: ITEM 2nd Container-Payment

Trojan:Win32/Wacatac.D!ml

"Mike(Kr)" <info@pbn.com.au>

stanasoiu@electroputere.ro

 

Jun 10, 2020

MV Premier - Spare Parts Request 11.06.2020

HEUR:Exploit.MSOffice.CVE-2017-0199.a

"TOTAL MARINE CO.,LTD." <ops@totalmarine.co.kr>

Targets Not Disclosed

 

Jun 12, 2020

Maersk: Verify Copy for Bill of Lading 6348387895 ready for verification.

Troj/Phish-GNI

“Maersk Notification” <no-reply@maersk.com>

jddgqc3@jardco.net

Jun 13, 2020

CONTAINER FOR YOUR GOODS

Trojan:HTML/Phish.JK!MTB

“1e6a24e1c6@679.com” <1e6a24e1c6@679.com>

Targets Not Disclosed

 

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain.  This week we observed a wide variety of maritime-related subject lines.    Some of the new vessel names used this week include “MV EVIAPETROL V” and “MV XIU SHAN” among others. “Maersk Kleven” was used again this week. This vessel is currently flying under the Liberian flag and is a Hazard A (major) cargo ship.  It is currently headed from Charleston, US to Algeciras, Spain.

Analysts observed subject line “RE: MV WESTERN TOKYO 62,647DWT / LOADING CLINKER - REQUEST FOR PDAbeing used in a malicious email this week.  The MV Western Tokyo is a bulk carrier currently sailing under the flag of the Philippines. The carrier is in port at WAFR – Gulf of Guinea.

This email message was sent from “shipping@san-nikolla.gr” which is likely owned by San Nikolla Shipmanagement S.A.  While the company is headquartered in Albania, the sender appears to be located in Greece, based on the .gr sending domain and the phone numbers provided in the email signature.  There is a web portal login located at “san-nikolla[.]gr” and the address and phone numbers in the email signature appear to be linked to the real San Nikolla Group.  The san-nikolla[.]gr “site is down for maintenance.”

The message body contains a request for a PDA (Profoma Disbursement Account).  As with many malicious emails, the greeting is generic “GOOD DAY DEAR SIRS” and the message contains an attached .xlsx file named “WESTERN TOKYO vessel description 201907 CoA.xlsx.”  When opened, this spreadsheet would activate Trojan:Win32/Vigorf.A malware.[1]  This malware has the ability to download, install, and communicate with other malware. It also has the ability to steal and exfiltrate sensitive information from the victim’s device.

Analysts observed another malicious email which appears to impersonate the M/V BBC Congo.  The malicious email subject line used is “M/V BCC CONGO - Port Agency Appointment.”  Although there were no results found for the “M/V BCC Congo,” there is an active general cargo ship sailing under the flag of Antigua Barbuda named “BBC Congo.”  The actual BBC Congo is currently on a voyage from China to Korea.[2]  The email states the ship will discharge between 22-25 June so it is possible the email is referencing a new vessel.

The sending email operation@inter-trans[.]co” does not appear to be registered to any legitimate company or listed on any company website.  The inter-trans[.]co domain leads to a Roundcube login port with Bulgarian text saying “Welcome” and offering a user/password field.

The sender, according to the email signature is Capt. Gultekin Ozturk, the “Managing Director,” but does not identify the name of the company.   He leaves his Skype, email, and phone contacts, as well as an address based in Turkey.

With the email written in English and the sender based in Turkey, the attached spreadsheet “vsl MV BCC CONGO.xlsx” is written in Chinese text.  One of the more unusual aspects of the email is the target email address “jameshall@compasspub.com.”  This email is owned by the International Sales and Marketing Coordinator for Compass Publishing, which is a Florida, US-based publishing company.  The target does not appear to have any relevance to the maritime industry or the BBC Congo specifically.

When the victim opens the attached spreadsheet, they are actually activating Exploit:O97M/CVE-2017-11882.L malware.[3]  This malware is one of the most common exploits seen “in the wild.”  It takes advantage of a memory corruption vulnerability in Microsoft Office products.  This allows attackers to extract sensitive and private information from the victim’s device.  If successful, an attacker could steal proprietary information from the publishing company.  They would also be able to commit impersonation attacks with insider information

[1]https://www.virustotal.com/gui/file/b4e3429f04f74136e68af4192b7eb367f0ae5f8eb2248e85745c2f42fd95fe8b/detection

[2]https://www.marinetraffic.com/en/ais/details/ships/shipid:364731/mmsi:305466000/imo:9436331/vessel:BBC_CONGO

[3]https://www.virustotal.com/gui/file/e2379588795908daa206b4529d68aec3959e109f27112189b724accc763a0a32/detection


Book a no-obligation Cyber Consultation

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.  These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.   Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  Using preemptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks.    Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles.  Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.  Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Pre-empt, don't just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.

Sign up for Cyber Threat Notifications