
        Maritime Cyber Security & Threats Nov 2020 Week 3



        Dryad and its cyber security partner Red Sky Alliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the targeted organisations.

        "Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

        Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the Motor Vessel (MV) or Motor Tanker (MT) keyword in the subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

        With our cyber security partner we are providing a weekly list of Motor Vessels that have been observed being impersonated, together with the associated malicious emails.

        The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and of the email addresses that are attempting to deliver the messages.


        Malicious Email collection 14 - 21 Nov 2020

        First Seen | Subject Line Used | Malware Detections | Sending Email | Targets
        Nov 16, 2020 | REQUIRED FREIGHT INVOICE MEDUMG020289 339712677 | HEUR:Exploit.MSOffice.CVE-2017-0199.a | Rupith Shoby <359dabdfa048f4e@e42.com> | 703f400124f8d6b.com
        Nov 16, 2020 | Sea Arrival notice BL : SANTSSWK20100001 S/-JF 2000133 | Trojan:Win32/Wacatac.C!ml | Maersk Customer Service <cindy.lu@maersk.com> | maersk.com
        Nov 16, 2020 | Port agency appointment by Cargow shipping agency, | HEUR:Exploit.MSOffice.Generic | CARGOW SHIPPING <f05fe0@925d84.COM> | c0034.com
        Nov 16, 2020 | EPDA & PORT INFO REQUEST MV TBN | Exploit:O97M/CVE-2017-11882.ARJ!MTB | M/V PLATIN SHIPPING.<f7235a61f@3ae52877e0.net> | 2ad411a201.com
        Nov 16, 2020 | MV. MIREILLE SELMER - 31500 mt Rice Calling | Exploit:O97M/CVE-2017-11882.ARJ!MTB | “Nicola Dallaporta.” <caf9@e6320a50a99f434.com> | a694174ef.com
        Nov 16, 2020 | Cargo AIRLINES CSR 2ND FN Nov-2020 | Backdoor:Win32/Bladabindi!ml | "Ashish Jain" <office@nhaiderbd.com> | electroputere.ro
        Nov 16, 2020 | PORT INFO/ EPDA REQUEST | Exploit:O97M/CVE-2017-11882.ARJ!MTB | PANOCEAN (CHINA) CO.,LTD 泛洋(中国)有限公司<086583829@b397aaeb.com> | 963212c1fc.com
        Nov 16, 2020 | MV SBI ACHILLES | Exploit:O97M/CVE-2017-11882.ARJ!MTB | SPIMARINE CO, LTD <ef0bc5585ee@89f3236ac.com> | a694174ef.com
        Nov 16, 2020 | MV WILTON (VOY 32 ) AGENCY NOMINATION FOR DISCHARGING ABOUT 55, | Exploit:O97M/CVE-2017-11882.ARJ!MTB | GAC <32cf86405957@dec.com> | c2634.net
        Nov 17, 2020 | New Quotation ATB-PR28/500/KINH | Exploit:O97M/CVE-2017-11882.JR!MTB | Nguyen Minh Dung <info@milkywayzs.xyz> | milkywayzs.xyz
        Nov 17, 2020 | Fwd: FW: MV "CORAL EMERALD" -voy TBN -Proforma Payment | HEUR:Trojan-PSW.MSIL.Stelega.gen | "Bobsin, Tim" <tim.bobsin@oldendorff.com> | Targets Not Disclosed
        Nov 17, 2020 | RE: RE: LCL! General Chemicals Shipment DDP Inquiry // Payment problem | Trojan:Win32/Woreflint.A!cl | mia@e-baojie.com <mia@e-baojie.com> | electroputere.ro
        Nov 17, 2020 | Longstanding Container(s) : 204103842 | Trojan:MSIL/AgentTesla.AL!MTB | Maersk Customer Service <cindy.lu@maersk.com> | maersk.com
        Nov 17, 2020 | RE: Offer Cooperation | Exw Jurong Port | Backdoor:WinNT/Knockex!rfn | Serena Kum Lai <sales.lubricant@nabelsakha.com> | Targets Not Disclosed
        Nov 17, 2020 | RFQ - New Order 2x20' container of Ruglue Cans 400gr | Exploit:O97M/CVE-2017-11882.BK!MTB | Sunny Park <sale2@probity.com.vn> | Targets Not Disclosed
        Nov 18, 2020 | MAERSK LINE - World's shipping leader.... | Trojan:Win32/Wacatac.C!ml | Maersk <docs@maersk.com> | ywlee@kangrim.com
        Nov 18, 2020 | MV Sea Proteus/Cargill CP DD 14th Dec 2020 - NEXT HIRE | Trojan:Win32/Glupteba!ml | "Ace Chartering Corp." <2f8a6bf@eeea9530de1a3.com> | a694174ef.com
        Nov 18, 2020 | Re: MV AGIA DOXA / Annaba Pre arrival docs | MSOffice/Agent.CF44!tr | <huaweishun@cmhk.com> | Targets Not Disclosed
        Nov 19, 2020 | MV Artemis / Shanghai / Disc Wheat - Agency Appointment | HEUR:Exploit.MSOffice.CVE-2017-0199.a | "Shenzhen Shenjian Shipping Agency Co.,Ltd" <ops@szhenjian.com> | Targets Not Disclosed
        Nov 19, 2020 | WG: MV GRAN LOBO V.008//Request For EPDA and Liner Expenses | HEUR:Exploit.MSOffice.CVE-2017-0199.a | "Hochheim, Jens" <Jens.Hochheim@peiner-smag.com> | smag.de
        Nov 20, 2020 | Dangjin / Cigading - Freight inquiry | Trojan:Win32/Wacatac.C!ml | "Johnsong" <e72b@c3eba6e71120.com> | c3eba6e71120.com



        Top 5 Malicious Senders

        Sender | Malware Sent
        talia.vnhph@beelogistics.com | HEUR:Exploit.MSOffice.CVE-2017-0199.a
        cindy.lu@maersk.com | Trojan:Win32/Woreflint.A!cl, Trojan:Win32/Guloader.SS!MTB, Trojan:MSIL/AgentTesla.AL!MTB, Trojan:Win32/Wacatac.C!ml
        info@mascotpumps.com | Exploit:O97M/CVE-2017-11882.AT!MTB, Trojan:MSIL/Stealer.J!MTB
        lw@seacarrier.net | Trojan:Win32/Woreflint.A!cl
        docs@maersk.com | HEUR:Trojan-PSW.MSIL.Agensla.gen

        In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Coral Emerald” and “MV Wilton” among others.

        Analysts observed the malicious subject line “MAERSK LINE - World's shipping leader.....” in use this week. This email leverages a few techniques to get the targeted users to open the malicious attachments.

        The malicious email sender identifies herself as Marilyn Foster of the Shipping & Logistics Dept. of Maersk Line Asia. However, the sending email “docs[at]maersk[.]com” is not listed anywhere according to open source information. The email is generic enough to be used as a template to send to multiple recipients. Although the email is supposedly sent from a Maersk domain, the reply-to email address is jp.intl555[at]gmail[.]com. This email was seen sending other malicious emails (with Korean subject lines) last October.

        The message body of the email has a few different components that can help identify it as illegitimate. The first is the “Dear Shipment Owner” greeting which is generic and can address thousands of companies in the maritime sector. The font is different sizes throughout the email as well which is unusual. Last, the signature does not contain any contact information and shows an image of a Maersk ship that was most likely pulled from open source.

        The malicious attachment in this case is a disc image file titled “Maersk Original Doc 101.img.” A .img file is essentially a virtual copy of a disk, CD, or DVD. These image files contain a malicious executable which, when mounted, can activate spyware on the victim host and steal sensitive information. The image in this instance contains HEUR:Trojan-PSW.MSIL.Agensla.gen malware. This malware has the ability to steal sensitive credentials from the victim host, and specifically targets FTP and browser credentials.
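The indicators described above (a sending domain that differs from the reply-to domain, a generic greeting, a disc-image attachment, and the MV/MT subject-line lure mentioned earlier in the report) can be checked mechanically during mail triage. The following is an added example, not code from Dryad Global or Red Sky Alliance; the message it parses is constructed to mirror the report's description, with a placeholder recipient and placeholder attachment bytes.

```python
"""Flag the maritime phishing indicators from this report in a raw email."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the report's description (not a real capture):
# maersk.com sender, gmail.com Reply-To, generic greeting, .img attachment.
SAMPLE_RAW = b"""From: Maersk <docs@maersk.com>
Reply-To: jp.intl555@gmail.com
To: recipient@example.invalid
Subject: MAERSK LINE - World's shipping leader....
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Dear Shipment Owner,
Please find attached the original shipping documents.
--XX
Content-Type: application/octet-stream; name="Maersk Original Doc 101.img"
Content-Disposition: attachment; filename="Maersk Original Doc 101.img"

PLACEHOLDER-BYTES
--XX--
"""

GENERIC_GREETINGS = ("dear shipment owner", "dear customer", "dear sir/madam")
DISC_IMAGE_EXTS = (".img", ".iso")               # mountable container files
VESSEL_RE = re.compile(r"\b(MV|MT|M/V|M/T)\b", re.IGNORECASE)

def _domain(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> list:
    """Return the list of indicator descriptions found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:  # replies silently diverted elsewhere
        findings.append(f"reply-to domain mismatch: {from_dom} -> {reply_dom}")
    if VESSEL_RE.search(str(msg.get("Subject", ""))):
        findings.append("vessel keyword (MV/MT) in subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip().lower() if body else ""
    if text.startswith(GENERIC_GREETINGS):   # template greeting, not a named contact
        findings.append("generic greeting")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DISC_IMAGE_EXTS):
            findings.append(f"disc-image attachment: {name}")
    return findings
```

Any finding is a reason to verify the message out-of-band with the purported sender before the attachment is opened.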

        These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.



        Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

        Pre-empt, don't just defend

        Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


        The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

        It is imperative to:

        • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
        • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
        • Provide practical guidance on how to look for a potential phishing attempt.
        • Use direct communication to verify emails and supply chain email communication.
        • Use Red Sky Alliance RedXray proactive support and our Vessel Impersonation information, and use the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.
