Vulnerability Assessment
    Security Audits 
      Maritime Cyber Security
        15 min read

        Maritime Cyber Security & Threats Nov 2020 Week 1


        Featured Image

        Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.

        "Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

        Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of  backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

        Cyber Featured Image TwitterWith our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

        The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

        Sign up for Cyber Threat Notifications

        Malicious Email collection 31 Oct- 6 Nov 2020

         First Seen

        Subject Line Used

        Malware Detections

        Sending Email

        Targets

        Oct 31, 2020

        Cargo Arrival Notice: BL No COSU6271832430

        Trojan:JS/Phish.RVD!MTB

        "Maersk" <arrival@maersk.com>

        automationit.com

        Oct 31, 2020

        Request for Quotation : [RFQ} MV NYK#574499000

        Exploit:O97M/CVE-2017-0199.BK!MTB

        "Anna(Ms) / Assistant manager Business Management Team David E C"

        <business@hmmco.co.kr>

        Targets Not Disclosed

        Oct 31, 2020

        RE: HHMR - SAILING REPORT KAN VOY.022W

        HEUR:Trojan.MSOffice.SAgent.gen

        “Hyundai Mars” <alberto.pena@tya.com.mx>

        hmm21.com

        Nov 1, 2020

        Re: Buoyancy Marine Ref:QN-03507-20 INVITATION TO QUOTE

        Exploit:O97M/CVE-2017-0199.RBS!MTB

        “Roger Ng” <roger.ng@spectromatrix.com.sg>

        Targets Not Disclosed

        Nov 2, 2020

        MV ATHIRI VOY   87 EPDA AND PORT   INFO REQUEST

        VBS/Agent.RHB!tr.dldr

        “DA” <62dcbef34b@e5fa59af818d8a.com>

        93964e15ac1716.net

        Nov 2, 2020

        EPDA & PORT INFO MV WINTERSUMMER.

        Exploit:O97M/CVE-2017-11882.RX!MTB

        “operations selim shipping” <f7235a61f@5817e8ef3bcde.com>

        30718da8.eg

        Nov 2, 2020

        MV Vectis Osprey / Douala / PDA request & agency appointment

        Trojan:Win32/Wacatac.C!ml

        "Nono_Makina”

        <0888b698@35028b77fac611.tr>

        Targets Not Disclosed

        Nov 2, 2020

        CONTAINER INVOICE, BILL OF LADING & PACKING LIST

        Trojan:HTML/Phish.LL!MTB

        "1e6a24e1c6@679.com"<1e6a24e1c6@679.com>

        Targets Not Disclosed

        Nov 3, 2020

        Re: REQUEST FOR QUOTATION//MV FORTUNE TRADER

        HEUR:Exploit.MSOffice.CVE-2017-0199.a

        Nguyen Quang <ops@vosavungtau.com>

        Targets Not Disclosed

        Nov 3, 2020

        MV CSC CHANG HAI V2011 AGENT APPOINTMENT AT HONGKONG FOR SIGN B/L

        Trojan:Win32/Fuery.C!cl

        "YANGTZE NAVIGATION (HONGKONG) CO., LIMITED"<d9090c6@9395.com>

        a694174ef.com

        Nov 3, 2020

        AGENT APPOINTMENT--MT. AQUAMARINE V2020 LOADING GASOIL 5000PPM/600KB +/- 5% IN PORT OF YOSU DURING LAYCAN 05-09 NOV 2020.

        Backdoor:MSIL/NanoBot.AQ!MTB

        "JNJ Shipping" <jgj@jnjshipping.co.kr>

        jnjshipping.co.kr

        Nov 3, 2020

        EPDA & PORT INFO REQUEST   FOR LOADING ABT 60,325 MTNS OF UREA

        Exploit:O97M/CVE-2017-8570.DR!MTB

        PLATIN SHIPPING<operation@platinship.net>

        swnav.com.tw

        Nov 3, 2020

        MV Ince Point - Inquiry 338-2020-SP0053-B(01)

        Trojan:Win32/Wacatac.C!ml

        "Pacific Basin Shipping (HK) Limited" <gabin@pacificbasin.com>

        pacificbasin.com

        Nov 4, 2020

        PO 14704 - MEL - 20\' TC Reefer / Sailing Schedule

        Trojan:MSIL/Stealer.DR!MTB

        Mehti Sarakham <sales@materialworld.co.th>

        materialworld.co.th

        Nov 4, 2020

        MV SEA DRAGON I

        HEUR:Exploit.MSOffice.CVE-2017-0199.a

        "SKY PACIFIC SERVICE CO., LTD" <wati@navitas.co.id>

        Targets Not Disclosed

        Nov 5, 2020

        MV EFFICIENCY OL PARTS INQUIRY(EFF-20-EP-09G)

        Trojan:MSIL/FormBook.FH!MTB

        "OceanLance / Joanna Chen" <marines@oceanlance.com.tw>

        oceanlance.com.tw

        Nov 5, 2020

        EPDA & PORT INFO MV ASIA PEARL 54

        Exploit:O97M/CVE-2017-8570.CVE!MTB

        “HONG GLORY SHIPPING CO., LTD - 达航运有限公司 <ee99@ffdb705d8.com>

        230ffc87.com

        Nov 5, 2020

        M/V \"YASAR KEMAL\" DISCHARGING PORT PROFORMA D/A

        Exploit:O97M/CVE-2017-8570.CVE!MTB

        STATU SHIPPING <caf9@0b76e827f2288.com>

        a694174ef.com

        Nov 5, 2020

        subjects-links, #pagetype_hp .container-inner .col-right > .column-section =

        Suspicious IFrame-b

        <Saved by Blink>

        Snapshot-Content-Location: https://www.wysokieobcasy.pl/wysokie-obcasy/7,163229,23449538,marta-lempart.html disableRedirects=true

        Targets Not Disclosed

        Nov 6, 2020

        PORT AGENCY APPOINTMENT

        Trojan:Win32/Wacatac.C!ml

        "YANGTZE NAVIGATION (HONGKONG) CO.,LIMITED"

        Targets Not Disclosed

         



        Top 5 Malicious Senders

        Sender

        Malware Sent

        geoffb@automationit.com

        Trojan:JS/Phish.RN!MTB, Trojan:JS/Phish.RVD!MTB

        samard@glowbaloutlets.com.lb

        HEUR:Exploit.MSOffice.CVE-2017-0199.a, Trojan-Downloader.MSWord.Agent.buh

        wati@navitas.co.id

        HEUR:Exploit.MSOffice.CVE-2017-0199.a

        messages@aps.org

        TrojanDropper:JS/Zlader.H

        groupsupdates@yahoogroups.com

        TrojanDropper:JS/Zlader.H

        In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Arthiri” and “Sea Dragon I” among others.

        Analysts observed malicious subject line, “EPDA & PORT INFO REQUEST FOR LOADING ABT 60,325 MTNS OF UREA” used this week. This same subject line was observed in last week’s malicious email subject lines. While this email is more detailed than many malicious emails, there are few indications that the email is unsafe.

        The email is sent by “’Platin Shipping’ operation[at]platinship[.]net” to another email address owned by Platin Shipping. Notably, the attackers are impersonating one of the founders of the company when sending the email – Nora Germen. This is likely an attempt to leverage this employee’s authority to entice other employees to open the malicious email attachment.

        Although the email is sent from a platinship[.]net email address, the reply-to email address is “operations[at]swnav[.]com[.]tw.” It is likely that attackers are doing this to spread the malicious attachment to other maritime companies, but analysts are unable to determine the exact reason for the difference in the reply-to/sending addresses.

        Attackers in this case are trying to exploit two different vulnerabilities on the victim host. First, the attackers attached a Word document, “COVID 19 CREW MEMBERS UPDATE.doc” which contains Exploit:O97M/CVE-2017-8570.DR!MTB malware. This is a remote code execution vulnerability caused due to the way that MS Office handles objects in memory.

        Next, attackers attached a malicious Excel file, “VSL PARTICULARS.xlsm.” Notice the “m” at the end of the file extension.  This is an XLS Excel spreadsheet, but the “m” extension means that macros are enabled by default. When opened, this would activate Exploit:O97M/CVE-2017-11882.ARJ!MTB malware on the victim host. This is also a MS Office memory corruption vulnerability.

        These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

        These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.


        Book a no-obligation Cyber Consultation

        These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

        Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.  These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.   Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.  Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks.    Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles.  Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently.  Analysts across the industry are beginning to see maritime-specific examples of these attacks.

        Pre-empt, don't just defend

        Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


        The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

        It is imperative to:

        • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
        • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
        • Provide practical guidance on how to look for a potential phishing attempt.
        • Use direct communication to verify emails and supply chain email communication.
        • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.

        Sign up for Cyber Threat Notifications