Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Malicious Email collection 14-17 Sep 2020
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
Oct 12, 2020 |
[VOYAGE ORDER] MT QIU CHI VQIC19/20 // ETA 10-12 SEP // PDA |
Trojan:Win32/Lokibot.AR!MTB |
Nur Maizatul (CPP_L C/PETCO) <nurmaizatulnadia.mus@petronas.com> |
kraeber.de |
Oct 12, 2020 |
MV ORIENT GLORY -REQUEST OF CTM OF USD 46,000 |
TrojanDownloader:O97M/Emotet.CSK!MTB |
"kjs@kyungjinshipping.com" <accounts@skissancare.com> |
kraeber.de |
Oct 12, 2020 |
{Disarmed} Re: DHL Shipment Arrival Notification |
Exploit:O97M/CVE-2017-11882.EE!MTB |
"DHL GLOBAL SERVICES" <noreply@marketvaluerates.live> |
marketvaluerates.live |
Oct 12, 2020 |
RE: Pending Invoice payment (COSCO CN) |
Trojan:Win32/CryptInject!ml |
"COSCO Shipping Co., Ltd." <f3385@54d2cfd135.id> |
Targets Not Disclosed |
Oct 13, 2020 |
Request for freight quotation for 50K Fertilizers |
Trojan.Win32.VEBZENPAK.USMANJC20 |
Soraya Maidee (ms.) <266dbf49@71154818e.com>, 9d9@694bc.info |
71154818e.com |
Oct 13, 2020 |
LAVENDISH - ADIYAT MARKETING - Contract No : 1253/2020 - >First shipment - MAERSK |
Exploit:O97M/CVE-2017-11882.AT!MTB |
"Simon Schlegel" <SimonSchlegel54@outloo.com> |
omniquad.com |
Oct 13, 2020 |
Re: MAERSK LINE BL&CL |
Trojan:Win32/Wacatac.C!ml |
Maersk Line<Davis.niel@msklogistics.com> |
bushdistributors.com |
Oct 13, 2020 |
New LCL Shipment From Ningbo To port Said Consignee; Tarek Abd El Moneam |
Exploit:O97M/CVE-2017-11882.JR!MTB |
"FAN Forwarding Agency /FC" <MA230-Docs-Export@msc.com> |
omniquad.com |
Oct 14, 2020 |
Order Sheet and FCL Vs LCL |
Trojan:MSIL/CryptInject.PB!MTB |
zakaria@memcorpjo.com |
foo.woas.net |
Oct 14, 2020 |
New Order Confirmation : Rfq: //TOP URGENT// Quote for Rio de Janeiro Ports/Terminals -Brazil |
HEUR:Trojan.Script.Generic |
"Kyaw Than Tint" <solidarnosc@tvksmp.pl> |
silloptics.de |
Oct 15, 2020 |
Re: Pre-alert - : Sea freight cost from Yantian to 91505, USA - 1x20\'\r\n container PO# 624703 HB/L - SZLAX2009041 |
W32.HfsVibisi. |
Ben Stevens <stevensb@sbaglobal.com<mailto:stevensb@sbaglobal.com>> |
hk.mrspedag.com |
Oct 15, 2020 |
Re: Pre-alert - : Air/ Sea - freight cost from Taiwan to US PO#\r\n 624679 HB/L - TWLGB2010014 |
W32.HfsVibisi. |
Michael Simerly <msimerly.slc@sbaglobal.com> |
hk.mrspedag.com, sbaglobal.com, us.mrspedag.com
|
Top 5 Malicious Senders
Sender |
Malware Sent |
crosstrade-request@hk.mrspedag.com |
W32.HfsVibisi. |
shital25680@gmail.com |
Trojan:Win32/CryptInject!ml |
nitin@nityanand.com |
Trojan:Win32/CryptInject!ml |
crosstrade@hk.mrspedag.com |
W32.HfsVibisi. |
millezaa@sbaglobal.com |
W32.HfsVibisi. |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Orient Glory” and “MT Qiu Chi” among others.
Analysts observed malicious subject line “LAVENDISH - ADIYAT MARKETING - Contract No : 1253/2020 - >First shipment - MAERSK” used this week. As with many malicious maritime emails, the sender is disguising the malware as a bill of lading draft which needs to be reviewed by the target. The email in this case leverages a few different techniques to entice a user to open the email.
The email subject line contains a contract number to imply that the email recipient is currently doing business with the sender. They also use a widely known company name “Maersk” to help build trust with the target. Once the target opens the email they may notice a few indicators that the email is malicious. The first, is the “GOOD DAY” generic greeting. Attackers often use these malicious emails as spam templates which can be sent to multiple targets to increase the infection success rate.
In the message body, the sender asks the recipient to open the attached “draft bl” (draft bill of lading) within 48 hours. This creates a minor sense of urgency for the recipient to open the attachment. The attacker then states that if changes are not submitted in time, there will be a “correction fee,” which increases the sense of urgency for the target. At the bottom of the email is a signature listing an email, phone, and physical address for the sender, without mentioning any name. It should also be noted that the attacker is sending from “outloo[.]com,” a likely typosquat of “outlook[.]com” to make the email appear more legitimate.
If the target were to open the attachment despite the suspicious aspects of the email, they would open the attached “BEX2020.xlsx” file which contains Exploit:O97M/CVE-2017-11882.AT!MTB malware. This malware exploits CVE-2017-11882 which continues to be one of the most common exploits observed in the wild. Attackers who successfully exploit this vulnerability have the ability to remotely run commands on a victim machine and cause significant damage.
Analysts observed two other malicious emails this week, sent from one employee email address at Global Logistics Services. An email sender identifying themselves as an International Logistics Agent for the company was seen sending two malicious emails. Each contained W32.HfsVibisi. malware, and was sent to multiple recipients. Notably the malicious email sender stated they were having technical difficulties with their emails not getting through to recipients.
This is another example of how employees are sometimes unwitting actors in the spread of malware across a company network. The fact that some of the email recipients work for different companies indicates that this could also be an example of a supply chain attack.
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to: