Maritime Cyber Security & Threats Sep 2020 Week Four
By: Dryad Global on September 29, 2020 at 4:50 PM
Dryad and cyber partner Red Sky Alliance continue to monitor the stark upward trend in attempted attacks within the maritime sector. Here we also examine the recent attack on CMA CGM.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partner, Red Sky Alliance, performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails. Using the MV or MT keyword in a subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
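The weekly query described above, as an added example in Python that is not Red Sky Alliance's or Dryad's own tooling. It runs over constructed sample messages modelled on the collection below (the recipient addresses are invented, since the collection lists only target domains). It goes beyond the MV/MT subject-line keyword and also flags the other patterns this post discusses: a brand name in the display name paired with an unrelated sender domain, machine-generated domain labels, the local part reused as a subdomain, and one subject fanned out to many recipients one message at a time. The brand-to-domain map, the hex-label heuristic and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed sample messages modelled on the weekly collection: (subject, From header, recipient).
# Recipient addresses are invented for illustration; the collection itself lists only target domains.
SAMPLE_MESSAGES = [
    ("Arrival Notice of B/L SURRENER#MEDUMH113885 on Maersk received",
     '"Maersk Line" <orSdr7nDWxhaPGJfjJks@orSdr7nDWxhaPGJfjJks.linux.com>', "ops@suolennebi.it"),
    ("MT BLUE SKY 1 AGENCY APPOINTMENT FOR LOADING FULL CARGO",
     '"Henk Turenhout" <h_turenhout@ace-tankers.com>', "chartering@ace-tankers.com"),
    ("MV YARRAWONGA: RFQ Stores",
     '"MPI - Katrina Cuadra" <operations@misugaphil.com.ph>', "purchasing@misugaphil.com.ph"),
    ("Cargo inq - MEG 13000mt / Daesan to Dalian.",
     '"SM Shipping/SJ Lim" <sml@smshipping.com>', "ops@smshipping.com"),
    ("Fwd: Port Stephens Websites", "2ddb09e@98e0b417.tokyo", "admin@23ea7b2fa21fcc984b7adcc0.au"),
] + [
    # One subject sent as five separate messages to five recipients at the same target.
    ("Fw: Re: FRFQ CARGO CONTAINER 6X6X8", "Lisa Emily <charlesmaherr@grps.org>",
     f"user{i}@electroputere.ro")
    for i in range(1, 6)
]

# "MV YARRAWONGA", "MT BLUE SKY 1"; the \b keeps "13000mt" from matching.
VESSEL_PREFIX = re.compile(r"\bM[VT]\b\s*[A-Z0-9]")
# Hex-looking labels with at least one digit, like 98e0b417 or fd8e08 (assumed heuristic).
HEX_LABEL = re.compile(r"^(?=.*\d)[0-9a-f]{6,}$")
# Assumed brand -> legitimate sending domain map; extend it from your own supplier list.
BRAND_DOMAINS = {"maersk": "maersk.com", "cma cgm": "cma-cgm.com"}
FAN_OUT_THRESHOLD = 3  # assumed: distinct recipients per (sender, subject) before flagging


def split_sender(from_header):
    """Return (display name, local part, lower-cased domain) from a From: header value."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return name, local, domain.lower()


def message_findings(subject, from_header):
    """Per-message heuristics drawn from the patterns in the collection."""
    name, local, domain = split_sender(from_header)
    labels = domain.split(".")
    findings = []
    if VESSEL_PREFIX.search(subject):
        findings.append("vessel keyword (MV/MT) in subject")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and domain != legit and not domain.endswith("." + legit):
            findings.append(f"display name claims {brand!r} but sender domain is {domain}")
    if any(HEX_LABEL.match(label) for label in labels[:-1]):
        findings.append("machine-generated sender domain label")
    if local and local.lower() == labels[0]:
        findings.append("local part duplicated as subdomain")
    return findings


def fan_out(messages, threshold=FAN_OUT_THRESHOLD):
    """(sender address, subject) pairs sent individually to at least `threshold` distinct recipients."""
    recipients = defaultdict(set)
    for subject, from_header, rcpt in messages:
        _, addr = parseaddr(from_header)
        recipients[(addr.lower(), subject.strip().lower())].add(rcpt.lower())
    return {key: len(rcpts) for key, rcpts in recipients.items() if len(rcpts) >= threshold}


def triage(messages):
    """Map each distinct (subject, From header) to its findings, fan-out included."""
    fanned = fan_out(messages)
    report = {}
    for subject, from_header, _ in messages:
        key = (subject, from_header)
        if key in report:
            continue
        findings = message_findings(subject, from_header)
        _, addr = parseaddr(from_header)
        if (addr.lower(), subject.strip().lower()) in fanned:
            findings.append("same subject sent individually to many recipients")
        report[key] = findings
    return report


if __name__ == "__main__":
    for (subject, sender), findings in triage(SAMPLE_MESSAGES).items():
        print(f"{sender}\n  {subject}\n  -> {findings or ['no finding']}")
```

None of these heuristics is proof of malice on its own (a legitimate agent does write "MV" in subject lines), so the script reports findings for an analyst rather than blocking; the fan-out check is the one that needs the full day's mail log rather than a single message.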
Malicious Email collection 21-23 Sep 2020
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Sep 21, 2020 | Arrival Notice of B/L SURRENER#MEDUMH113885 on Maersk received | Trojan:Script/Wacatac.B!ml | "Maersk Line" <orSdr7nDWxhaPGJfjJks@orSdr7nDWxhaPGJfjJks.linux.com> | suolennebi.it |
| Sep 21, 2020 | RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | Trojan:Win32/Woreflint.A!cl | hashemi <ops.ir@mcha-shipping.com> | htsec.com |
| Sep 21, 2020 | [PR259 BIO-MEG] OIL AND MARINE / RFQ / Toyo Engineering & Construction Sdn. Bhd | Trojan:Win32/Ymacco.AA90 | nmw_ikram <nmw.ikram@toyo-eng.com> | Targets Not Disclosed |
| Sep 21, 2020 | FW: Arrival Notice of B/L SURRENER#MEDUMH113885 on Maersk received | Trojan:PHP/Phish!rfn | "Adrian Rausche (PDI)" <ARausche@pile.com> | pile.com |
| Sep 21, 2020 | RE: Port Stephens Websites | TrojanDownloader:O97M/Emotet!rfn | dcfa871@b155602562ec5.vn | 23ea7b2fa21fcc984b7adcc0.au |
| Sep 21, 2020 | RE:Mineral Noble 047 port report at Fujairah(20th and 21st Sep) | HEUR.ExecInMail | "MINERAL NOBLE" <mineralnoble@networkship.com> | cmb.be |
| Sep 22, 2020 | [PR259 BIO-MEG] OIL AND MARINE / RFQ / Toyo Engineering & Construction Sdn. Bhd | Trojan:Win32/Ymacco.AA90 | nmw_ikram <nmw.ikram@toyo-eng.com> | Targets Not Disclosed |
| Sep 22, 2020 | Cargo inq - MEG 13000mt / Daesan to Dalian. | Trojan:MSIL/Stealer.RS!MTB | "SM Shipping/SJ Lim" <sml@smshipping.com> | smshipping.com |
| Sep 22, 2020 | FW: CARGO ARRIVAL NOTICE // SHIPPING DOCUMENTS | Trojan:Win32/Ymacco.AA1F | docs@magitest.me | energotransbank.com |
| Sep 22, 2020 | Fwd: Port Stephens Websites | TrojanDownloader:O97M/Emotet.CSK!MTB | 2ddb09e@98e0b417.tokyo | 23ea7b2fa21fcc984b7adcc0.au |
| Sep 23, 2020 | MT BLUE SKY 1 AGENCY APPOINTMENT FOR LOADING FULL CARGO (ABOUT 38, | Trojan:Win32/Bluteal!rfn | "Henk Turenhout" <h_turenhout@ace-tankers.com> | ace-tankers.com |
| Sep 23, 2020 | MAERSK LINE BL#NBFCL20062345 | Exploit:O97M/CVE-2017-11882.PDD!MTB | MAERSK SHIPPING CUSTOMER CARE <glbconsalsd@maersk.com> | most.cn |
| Sep 23, 2020 | Fw: Re: FRFQ CARGO CONTAINER 6X6X8 | Trojan:Win32/MereTam.A | Lisa Emily <charlesmaherr@grps.org> | electroputere.ro |
| Sep 23, 2020 | Fw: Re: FRFQ CARGO CONTAINER 6X6X8 | Trojan:Win32/MereTam.A | Lisa Emily <charlesmaherr@grps.org> | electroputere.ro |
| Sep 23, 2020 | Fw: Re: FRFQ CARGO CONTAINER 6X6X8 | Trojan:Win32/MereTam.A | Lisa Emily <charlesmaherr@grps.org> | electroputere.ro |
| Sep 23, 2020 | Fw: Re: FRFQ CARGO CONTAINER 6X6X8 | Trojan:Win32/MereTam.A | Lisa Emily <charlesmaherr@grps.org> | electroputere.ro |
| Sep 23, 2020 | Fw: Re: FRFQ CARGO CONTAINER 6X6X8 | Trojan:Win32/MereTam.A | Lisa Emily <charlesmaherr@grps.org> | electroputere.ro |
| Sep 23, 2020 | MV YARRAWONGA: RFQ Stores | Trojan:MSIL/Stealer.RS!MTB | "MPI - Katrina Cuadra" <operations@misugaphil.com.ph> | misugaphil.com.ph |
| Sep 23, 2020 | Aw: new Mediterranean antlion | TrojanDownloader:O97M/Emotet.CSK!MTB | "Davide Badano" <ivan@medequipltd.com> | cirad.fr |
| Sep 23, 2020 | Re: new Mediterranean antlion | TrojanDownloader:O97M/Emotet.CSK!MTB | "Davide Badano" <info@wellcomestar.com> | cirad.fr |
Top 5 Malicious Senders
| Sender | Malware Sent |
|---|---|
| Lisa Emily <charlesmaherr@grps.org> | Trojan:Win32/Woreflint.A!cl |
| "Adrian Rausche (PDI)" <ARausche@pile.com> | Trojan:Script/Wacatac.C!ml, Trojan:Script/Wacatac.B!ml, HTML/PhishMaersk.E!tr |
| Maersk Line Notification <notice@maersk.com> | HTML/PhishMaersk.E!tr |
| "'Mark Foster'" <cordoba@cooper2010.es> | TrojanDownloader:O97M/Obfuse!MTB |
| nmw_ikram <nmw.ikram@toyo-eng.com> | Trojan:Win32/Ymacco.AA90, Trojan:Win32/Woreflint.A!cl |
Figure 3 - Marine Traffic results for MT Blue Sky 1 |
In the above collection, we see malicious actors using vessel names to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Blue Sky” and “MV YARRAWONGA”, among others. Analysts observed bad actors continuing to leverage “Maersk Kleven” in malicious email subject lines this week; threat actors have been using this vessel name in subject lines since February 2020. Using the following sender addresses, attackers have leveraged this vessel to spread malware to multiple unique recipients:
- “Hashemi” <ops.ir@mcha-shipping.com>
- "A.P. Moller - Maersk.(Shanghai, Head Office)" <nooreply@maersk.com>
- P. Moller - Maersk (Shanghai, Head Office) <eb6bceca@fd8e08.com>
- "A.P. Moller - Maersk" <nooreply@maersk.com>
- "A.P. Moller - Maersk" <14709c9@fd8e08.com>
- "A.P. Moller - Maersk" <f5fbf089377@1cb9beb999.com>
- "Azil bin Salleh(LCTC Information Technology Services)" <azils@lotte.net>
- "Babel Markus (Gechter GmbH)" <Markus.Babel@gechter.com>
Red Sky Alliance will continue to monitor this vessel name and identify the malicious activity associated with it. Analysts also observed the malicious subject line “Fw: Re: FRFQ CARGO CONTAINER 6X6X8” being used this week. Notably, this subject line was sent from the same sender to multiple unique recipients. Typically, attackers CC the other targets on a single malicious email or add them all to its recipient list; this attacker instead sent an individual email to each recipient.
The email address using this subject line to send malware is “Lisa Emily” <charlesmaherr@grps.org>. This email address is currently used by the principal of Sibley Elementary, based in Grand Rapids, Michigan. The address does not appear in breach data, so at this time it appears that threat actors are spoofing it rather than sending from an account that has been taken over. Absence from breach data is weak evidence on its own; the SPF, DKIM and DMARC results recorded by the receiving mail server on the actual messages are the direct way to tell a spoofed From: header from mail sent through the real mailbox. The alias in this case is “Lisa Emily”; however, multiple aliases have been used with this email address. The following names have also been used as an alias with this email address:
- Maichele Suzan
- Anny Jesse
- Eng Tan Jessmine
The senders use multiple unique subject lines (not all maritime related) and appear to target Electroputere employees. Electroputere is one of the largest industrial companies in Romania. It is unclear why these specific employees are being targeted or what positions they hold at the company.
The attackers attach malware to the emails as zip files with unique file names. The zip files contain Trojan:Win32/MereTam.A, which can create a backdoor on a target system to download other malware, including but not limited to ransomware. This malware can also stop scheduled scanning by Microsoft Windows Defender, which helps it evade detection.
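The spoofed-versus-compromised question raised above can be settled from the Authentication-Results header (RFC 8601) that the receiving mail server adds. The following is an added example, not Red Sky Alliance's or Dryad's code, run over two constructed header sets: one where SPF, DKIM and DMARC all fail for the claimed From: domain (a spoof), and one where they pass and align (what mail from a genuinely compromised mailbox looks like). The authserv-id `mx.example.net`, the IP addresses and the selector name are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers (no real traffic). First a spoof: the From: address belongs to a third party,
# SPF fails for the sending IP, there is no DKIM signature and DMARC fails. Second the same From:
# with all three passing, which is what a message from a compromised mailbox would carry.
SPOOFED_RAW = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.25) smtp.mailfrom=charlesmaherr@grps.org;
 dkim=none (message not signed);
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=grps.org
From: Lisa Emily <charlesmaherr@grps.org>
To: user1@electroputere.ro
Subject: Fw: Re: FRFQ CARGO CONTAINER 6X6X8

See attached.
"""

COMPROMISED_RAW = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=charlesmaherr@grps.org;
 dkim=pass header.d=grps.org header.s=selector1;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=grps.org
From: Lisa Emily <charlesmaherr@grps.org>
To: user1@electroputere.ro
Subject: Fw: Re: FRFQ CARGO CONTAINER 6X6X8

See attached.
"""

OUR_AUTHSERV_ID = "mx.example.net"  # assumed: trust only the header our own MX wrote

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", re.I)


def parse_auth_results(header):
    """Split an Authentication-Results value into {method: result} and {property: value}."""
    results = {m.lower(): r.lower() for m, r in RESULT_RE.findall(header)}
    props = {p.lower(): v.lower() for p, v in PROP_RE.findall(header)}
    return results, props


def classify_sender(raw_message):
    """Decide whether the header From: address was spoofed or genuinely authenticated."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    header = msg.get("Authentication-Results", "")
    # The authserv-id is the first token. An attacker can insert a fake Authentication-Results
    # header upstream, so only the one stamped by our own MX counts.
    if not header or header.split(";", 1)[0].strip().lower() != OUR_AUTHSERV_ID:
        return {"from_domain": from_domain, "verdict": "inconclusive",
                "reason": "no trusted Authentication-Results header"}
    results, props = parse_auth_results(header)
    mailfrom_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
    # Alignment: the passing identifier must be the same domain the user sees in From:.
    spf_aligned = results.get("spf") == "pass" and mailfrom_domain == from_domain
    dkim_aligned = results.get("dkim") == "pass" and props.get("header.d") == from_domain
    if results.get("dmarc") == "pass" or spf_aligned or dkim_aligned:
        verdict = "authenticated"
        reason = "aligned SPF/DKIM pass for the From: domain; treat as possible account takeover"
    elif results.get("dmarc") == "fail" or (results.get("spf") != "pass" and results.get("dkim") != "pass"):
        verdict = "spoofed"
        reason = "no passing, aligned authentication for the From: domain"
    else:
        verdict = "inconclusive"
        reason = "authentication passed but does not align with the From: domain"
    return {"from_domain": from_domain, "verdict": verdict, "reason": reason, "results": results}


if __name__ == "__main__":
    for label, raw in (("spoofed sample", SPOOFED_RAW), ("compromised sample", COMPROMISED_RAW)):
        print(label, "->", classify_sender(raw))
```

The "authenticated" verdict does not clear the sender; it means the message really did go through grps.org's mail path, which is exactly when the account-takeover response (notify the owner, reset credentials, check mailbox rules) applies instead of a plain spoofing block. Note too that the DMARC policy in the samples is `p=NONE`, so a spoof of that domain is not rejected by DMARC alone and still reaches the inbox unless your own filter acts on the failed result.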
In other maritime news this morning, the shipping giant CMA CGM was hit by a major cyber attack which disrupted daily operations for the company. According to Lloyd's List Intelligence sources, several of the company's Chinese offices were affected by Ragnar Locker ransomware.[1] CMA CGM initially attributed the loss of its booking system to an internal IT issue, but later confirmed that “external access to CMA CGM IT applications are currently unavailable” after the ransomware attack.
Last week Red Sky Alliance analysts identified CMA CGM’s name being used as part of a malicious email using the subject line “RE: CMA CGM CHRISTOPHE COLOMB – Bridge” (TR-20-265-001_Vessel_Impersonation). This email contained a malicious attachment containing TrojanDownloader:O97M/Emotet.CSK!MTB malware. This malware is typically used to steal sensitive information from a victim’s network but can also be used to download other malware including, but not limited, to ransomware.
Analysts have determined that this email was not part of this specific attack, but malicious emails often play a critical role in activating malware on a company’s network. That particular email had a “redacted” message body which would force many unwitting recipients into opening the attachment out of curiosity.
Attackers typically use ransomware to earn a profit; the Ragnar Locker operators take their attacks a step further. If a company is able to restore its data from backups and avoid paying the ransom, the attackers expose sensitive information online that was stolen before the encryption step. This attack would make CMA CGM the fourth major container shipping carrier known to have fallen victim to such a major cyber incident.
[1] https://lloydslist.maritimeintelligence.informa.com/LL1134044/CMA-CGM-confirms-ransomware-attack
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.
Pre-empt, don't just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.