Maritime Risk Intelligence Blog

Maritime Cyber Security & Threats Sep 2020 Week Two

Written by Dryad Global | September 19, 2020 at 3:39 PM

Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.

"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the keywords Motor Vessel (MV) or Motor Tanker (MT) in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Malicious Email Collection 29 Aug - 5 Sep 2020

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Sep 05, 2020 | Re: Scan Report MV. Federal Bristol Disch SMOP at. Padang, Indonesia | Trojan:Win32/Wacatac.C!ml | "Rizal Afrianto" <c7ce14@04acff12871882f7.jp> | b4bd8b7c1f5a.com |
| Sep 05, 2020 | MV OCEAN LEADER / DEPARTURE REPORT AT BINTULU PORT | TrojanDownloader:O97M/Emotet.RKC!MTB | "oceanleader@sea-one.com" <asad.khan@a-plus.tv> | kwship.com |
| Sep 07, 2020 | Re: Shipping note (34x20') continers MV-PRESIDIO V-039E | HEUR:Trojan-Downloader.MSOffice.SLoad.ge | KITO@posta.agenziarighetti.it, LOGISTICS@posta.agenziarighetti.it (TIANJIN), "CO."@posta.agenziarighetti.it, LTD@posta.agenziarighetti.it, " <info@pacifichotels.it>"@posta.agenziarighetti.it | posta.agenziarighetti.it |
| Sep 08, 2020 | MAERSK LINE BL#NBFCL2020875 | Exploit:O97M/CVE-2017-11882.G!MTB | MAERSK SHIPPING CUSTOMER CARE <a6a04a5c2a9@fd8e08.com> | 95cb8d9130.com |
| Sep 09, 2020 | PO-1214 (5 pcs Stainless Steel Container) | Mal/DrodZp-A | Fennie Lau <a46e6ef26181e@bdb424.com> | bbbd1678d71a16b00.com |
| Sep 09, 2020 | RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | MSOffice/CVE_2017_0199.A!exploit | "A.P. Moller - Maersk" <14709c9@fd8e08.com> | Targets Not Disclosed |
| Sep 09, 2020 | RE : INQUIRY FOR PROJECT CARGO FROM QINZHOU TO PORT KLANG | Trojan:Win32/Wacatac.C!ml | "Gallop Project" <projects@gallop-international.com> | gallop-international.com |

Top 5 Malicious Senders

| Sender | Malware Sent |
|---|---|
| akbar@wiramitraprima.com | Exploit:O97M/CVE-2017-0199.YN!MTB |
| satinalma@selkur.com.tr | Exploit:O97M/CVE-2017-11882.AT!MTB |
| projects@gallop-international.com | Trojan:Win32/Wacatac.C!ml |
| export3@zanon.it | Exploit:O97M/CVE-2017-11882.PDD!MTB, Trojan:Win32/Wacatac.DD!ml |
| customerservices302@china-freight.com | Trojan:MSIL/AgentTesla.PBQ!MTB |

In the above collection, we see malicious actors using vessel names in an attempt to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV. Federal Bristol” among others. Analysts observed bad actors leveraging “Maersk Kleven” in malicious email subject lines again. Actors last used this vessel name in a malicious email subject line in July 2020. Over the past year, this vessel has been observed in over a dozen malicious email subject lines. The sender commonly uses the “A.P. Moller – Maersk” <noreply[at]Maersk[.]com> sender address to trick users into thinking they are receiving a legitimate email from the shipping giant Maersk.

Analysts observed the malicious subject line “Re: Shipping note (34x20') continers MV-PRESIDIO V-039E” being used this week. There is a spelling error in the subject line, indicating the sender does not use English as their native language. Other than the subject line, the email looks relatively normal and could even be viewed as legitimate by some unsuspecting recipients.

The sender uses a generic “Good day” greeting, which indicates this email could be used as a template to target multiple recipients. The sender identifies himself/herself as Zhuang Qi of KITO (Tianjin) Logistics Co., Ltd, a shipping logistics company based in China. The sending email addresses indicate that the attacker is using the Righetti Agency web marketing & communications agency for email hosting services. An attacker using this platform to send out mass volumes of malicious emails is less likely to get trapped in a webmail filter than one using a traditional Gmail, Outlook, or Hotmail address.

The reply-to email address used, “chukisa22[at]gmail[.]com”, has been seen committing fraud against other businesses but does not appear to be associated with any legitimate company. It has been identified as malicious by numerous sources. In one case, a safari company out of Kampala, Uganda claimed that this attacker hacked their company and impersonated them in order to trick the company’s customers into giving the attacker money.

The message body of the email is relatively professional looking. Without the typo in the subject line, many users would not find this email abnormal. However, the message says to find the attached “CI, PL, Draft HBL, Draft COO & Draft Insurance…” All of these documents are supposedly contained within one single file, which is mildly suspicious when combined with the other indicators. When the user downloads and attempts to open the attached file “9110472.xla”, they would notice that the file does not appear to open; once it has run, the malware deletes the original file from the folder as an evasion technique. The user would receive an error stating “…we couldn’t find 9110472.xla. Is it possible it was moved, renamed, or deleted?”

The malware contained within the attachment is HEUR:Trojan-Downloader.MSOffice.SLoad.gen, which is a generic trojan detection for these types of malicious MS Office attachments. A successful attacker would be able to steal sensitive and personal information from the target. Attackers tend to target those with escalated computer or administrative privileges at a company.

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
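The weekly MV/MT subject-line query and the indicators walked through above (display name carrying a different address than the real sender, a Reply-To on an unrelated domain, a generic greeting, a legacy Office attachment) can be combined into a simple mail-gateway triage rule. The following is an added example written for this post, not Dryad Global or Red Sky Alliance code; the sample message is constructed from the indicators quoted above, and the field names, extension list and greeting list are this example's own assumptions.

```python
"""Triage heuristics for vessel-impersonation lures (added example, not the report's own tooling)."""
import re
from email.utils import parseaddr

# Motor Vessel / Motor Tanker keyword in the subject, as in the weekly MV/MT query.
VESSEL_LURE = re.compile(r"\b(MV|MT)\b\.?", re.IGNORECASE)
# Legacy/macro-capable Office formats often used to carry payloads (.xla appears above).
RISKY_EXTENSIONS = {".xla", ".xls", ".xlsm", ".doc", ".docm", ".rtf"}
# Template-style openings that suggest a mass-mailed lure (assumed list).
GENERIC_GREETINGS = ("good day", "dear sir", "dear customer")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(msg: dict) -> list[str]:
    """Return the indicators that fire for a parsed message (assumed dict layout)."""
    hits = []
    display, sender = parseaddr(msg.get("from", ""))
    if VESSEL_LURE.search(msg.get("subject", "")):
        hits.append("vessel-lure-subject")
    # Display name that is itself an address on another domain than the real sender.
    shown = display if "@" in display else ""
    if shown and domain_of(shown) != domain_of(sender):
        hits.append("display-name-domain-mismatch")
    reply_to = parseaddr(msg.get("reply_to", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(sender):
        hits.append("reply-to-domain-mismatch")
    for name in msg.get("attachments", []):
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            hits.append(f"risky-attachment:{name}")
    if msg.get("body", "").lstrip().lower().startswith(GENERIC_GREETINGS):
        hits.append("generic-greeting")
    return hits


# Constructed sample modelled on the indicators in this post, not a captured message.
SAMPLE = {
    "from": '"oceanleader@sea-one.com" <asad.khan@a-plus.tv>',
    "reply_to": "chukisa22@gmail.com",
    "subject": "Re: Shipping note (34x20') continers MV-PRESIDIO V-039E",
    "attachments": ["9110472.xla"],
    "body": "Good day,\nPlease find attached CI, PL, Draft HBL, Draft COO & Draft Insurance.",
}

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

A message that fires several of these indicators at once is a candidate for quarantine and for the out-of-band verification recommended at the end of this post.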

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offers a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Pre-empt, don't just defend

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.