
Maritime Cyber Security & Threats March 2020 Week Four

The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partner, Red Sky Alliance, performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the Motor Vessel (MV) or Motor Tanker (MT) keyword in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| Mar 27, 2020 | O.T.E.R. GRUP SRL PURCHASE ORDER (PO - 105085) // 1st 20" FCL - 60MT CIF ANTEWARP PORT | Trojan:Win32/Wacatac.D!ml | otergrup.ro@tripwire.redcondor.net | tripwire@tripwire.redcondor.net |
| Mar 30, 2020 | Maersk New Shipping schedule details due to COVID-19- Shipment | Trojan:Win32/Bluteal!rfn | sales@infintetradeltd.com | royal@royal-spindles.com.tw |
| Mar 30, 2020 | FW: sailing scheudle for order no.: 1092991 (JB#082) | Trojan:Win32/Sonbokli.A!cl | BRATISLAV.BLAGOJEVIC@ELNOSGROUP.COM | ict@elnosgroup.com |
| Mar 31, 2020 | FW: LCL for S/ LIVING (YINGDE) C/ GEFU PO#517544 FOB SHENZHEN TO HAMBURG | Malware.W2000M/Agent.64559503 | elke.witteck@hartrodt.com | "'Bickenbach, Carina'" C.Bickenbach@gefu.com |
| Mar 31, 2020 | COVID-19 SUSPECTED CREW /VESSEL | Exploit:O97M/CVE-2017-8570!rfn | World health org 83d7e90b92af65b0b@066.int | 96a6a@cf787.in |
| Mar 31, 2020 | Port agency appointment by Fairfield Chemical Carriers BV, FAIRCHEM STEED/ 219152 | Exploit:O97M/Vigorf.A | DA-Desk Mail System bfc@c105918.com | 94f0a4d8b@c2634.net |
| Mar 31, 2020 | Fw: Maersk INVOICE&BL | Trojan:Script/Casur.A!cl | "ecos office (Schueco)" schueco@ecos-office.com | FStrenger@schueco.com |
| Apr 1, 2020 | RE: SHIPMENT VESSEL DELAY LETTER - (Coronavirus Crisis Lock down) | Exploit:O97M/CVE-2017-0199.HD!MTB | henry@gm-trust.com | Targets not disclosed |
| Apr 1, 2020 | RE: VESSEL HIRE MV THOR MADOC // BEIJING O/Ac | Trojan:Win32/Wacatac.C!ml | "Capt. Thinakorn Kesornsiri Chartering Manager" 13254f26d8c6a2e68@07520.com | Targets not disclosed |
| Apr 3, 2020 | Re: RE: A8219 pt3 LCL PO# 3244502 | Trojan:Win32/Wacatac.C!ml | Krimi - Sales 4901e@eddf0c6a.com | e7007bb2b@a20ccf53babe3e.com |
| Apr 3, 2020 | [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] RE: MT OCEAN CHEMIST / V.2004B / DUE SINGAPORE OR EXTENSION RESPONSIBILITY, MALAYSIA FOR LOADING - AGENT APPOINTMENT | Trojan:Win32/Tiggre!rfn | "Capt.Anurag Sharma" operation@mahanadimaritime.com | Targets not disclosed |
| Apr 3, 2020 | VESSEL DELAY LETTER (Coronavirus Lock down) | Trojan:Win32/Tiggre!rfn | "TOTAL MARINE" ops@totalmarine.co.kr | Targets not disclosed |

In the above collection we see malicious actors using vessel names to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows trojan malware. New vessel names used this week include “MV THOR MADOC”, and “MT Ocean Chemist” appears again this week, among others.

An email was observed attempting to impersonate a “Maersk” employee using a subject line of “Maersk New Shipping schedule details due to COVID-19- Shipment notification.” The sender includes “Maersk” and “COVID-19” in the subject line to trigger the recipient to believe the message is urgent and related to the current CoronaVirus Pandemic.

Analysis reveals that the malicious email was sent from an illegitimate domain – infintetradeltd[.]com.  The text content of the website infintetradeltd[.]com is “codermails[.]in, Bulk Automated Mailing Server Installer codermails[.]in Bulk Emailing Made Easy!” which further indicates its illegitimacy.  Impersonating Maersk is a common tactic and Red Sky Alliance has seen a significant increase in malicious emails related to the current COVID-19 Pandemic.

The target of the malicious email belongs to Royal Precision Tools Corporation in Taiwan.  This company generates “spindle designs born of technical expertise.” Due to the fact that the company is located right outside of China, they are likely to open an email pertaining to COVID-19.

The message contains an attached .ace file identified by the Microsoft AntiVirus engine as the Trojan:Win32/Bluteal!rfn malware.[1] It executes commands from a remote malicious user, effectively compromising the affected system.[2] The email message states that the sender will be cancelling a shipment, but then tells the recipient to check the attached file to advise whether the sender should proceed.

This week Red Sky Alliance sees multiple emails attempting to leverage COVID-19 (CoronaVirus Disease 2019), using subject lines containing terms related to the pandemic, specifically in the maritime industry. Since January 2020, analysts have observed emails referencing COVID-19 to entice users to open the emails urgently. Many companies are sending out announcements regarding the outbreak, which acts as camouflage for attackers. Another reason users open these emails is that many people are expecting to receive an email from one of their vendors or customers regarding COVID-19.

In another malicious email, with the subject line “COVID-19 SUSPECTED CREW /VESSEL”, analysts see the World Health Organization being leveraged to spread malware. Although the message body is redacted, there are two malicious attachments. One is an MS Word document and the other is an MS Excel spreadsheet. Both were detected as malicious by AntiVirus software. The sender and recipient email addresses are shown as aliases but otherwise appear legitimate.

The attached MS Word filename is identical to the subject line listed above (COVID-19 SUSPECTED CREW /VESSEL.doc). Microsoft AV indicates both of the malicious attachments exploit CVE-2017-11882. Malware of this family consists of a .doc or .docx document containing a script that can be run in Microsoft Word (Visual Basic for Applications). Interestingly, the Word document shuts down Windows Defender, but the Excel spreadsheet is detected and quarantined immediately.


[1] https://www.virustotal.com/gui/file/b406b46ef1fe6483c30101d2de8905abb5cea100c83a99c815048fae2fa27e79/detection

[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BACKDOOR.WIN32.REMCOS.TICOGBZ

Our Experts Say

Dryad Assessment

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Global Dryad

Weekly Maritime Watchlist

Top 5 Malicious Maritime Subject Lines

| Subject Line used | Email Sender using Subject Line | Times seen |
| --- | --- | --- |
| FW: LCL for S/ LIVING (YINGDE) C/ GEFU PO#517544 FOB SHENZHEN TO | "DE/HAM Witteck, Elke" elke.witteck@hartrodt.com | 5 |
| VESSEL DELAY LETTER (Coronavirus Lock down) | elke.witteck@hartrodt.com | 5 |
| RE: PRO-FORMA INVOICE 0089 | Jack Brannigan jack.brannigan@zfautomotive.co.uk | 5 |
| Maersk New Shipping schedule details due to COVID-19- Shipment notification | Maersk DELAY- Shipment notification sales@infintetradeltd.com | 4 |
| FW: sailing scheudle for order no.: 1092991 (JB#082) | Bratislav Blagojevic bratislav.blagojevic@elnosgroup.com | 4 |

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
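The subject-line keyword query described at the top of this report, the Maersk impersonation and .ace attachment discussed in the analysis, and the blacklist-based blocking recommended in the list above can be combined into one mail-gateway triage rule. The script below is an added example written for this page, not Red Sky Alliance or Dryad code; the sample headers, the `X-Attachment` header, the brand-to-domain mapping and the tiny blocklist (two sender domains taken from this week's table) are constructed assumptions, and a real deployment would load the full Maritime Blacklist instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on this week's table (no message bodies).
SAMPLES = [
    "From: Maersk DELAY- Shipment notification <sales@infintetradeltd.com>\n"
    "Subject: Maersk New Shipping schedule details due to COVID-19- Shipment notification\n"
    "X-Attachment: schedule.ace\n",
    "From: ops@harbour-agency.example\n"
    "Subject: Port agency appointment MT OCEAN CHEMIST / AGENT APPOINTMENT\n"
    "X-Attachment: appointment.doc\n",
    "From: accounts@supplier.example\n"
    "Subject: Monthly statement March 2020\n"
    "X-Attachment: statement.pdf\n",
]

# Vessel-prefix lure the weekly query keys on: MV/MT (or M/V, M/T) followed by a name.
VESSEL_LURE = re.compile(r"\b(MV|MT|M/V|M/T)\s+[A-Z][A-Z0-9 .'-]{2,}")
URGENCY = re.compile(r"\b(COVID-?19|coronavirus|lock ?down|delay|urgent)\b", re.I)
BRAND_DOMAINS = {"maersk": "maersk.com"}           # assumed legitimate sending domain per brand
RISKY_EXT = {".ace", ".doc", ".docm", ".xls", ".xlsm", ".rtf", ".iso"}
BLOCKED_DOMAINS = {"infintetradeltd.com", "gm-trust.com"}  # from this week's table; stand-in for the blacklist

def triage(raw: str) -> dict:
    """Score one message's headers and return the reasons that fired plus a verdict."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    attachment = msg.get("X-Attachment", "").lower()
    reasons = []
    if domain in BLOCKED_DOMAINS:
        reasons.append("blocked_sender")
    for brand, legit in BRAND_DOMAINS.items():   # brand named, but sent from another domain
        if (brand in display.lower() or brand in subject.lower()) \
                and domain != legit and not domain.endswith("." + legit):
            reasons.append(f"brand_impersonation:{brand}")
    if VESSEL_LURE.search(subject):
        reasons.append("vessel_lure")
    if URGENCY.search(subject):
        reasons.append("urgency_lure")
    if any(attachment.endswith(ext) for ext in RISKY_EXT):
        reasons.append("risky_attachment")
    if "blocked_sender" in reasons or any(r.startswith("brand_impersonation") for r in reasons):
        verdict = "block"          # known-bad sender or spoofed brand: never deliver
    elif len(reasons) >= 2:
        verdict = "review"         # lure plus risky attachment: hold for an analyst
    else:
        verdict = "allow"
    return {"sender": addr, "verdict": verdict, "reasons": reasons}

def triage_all(samples=SAMPLES) -> list:
    return [triage(s) for s in samples]

if __name__ == "__main__":
    for r in triage_all():
        print(r["verdict"], r["sender"], ", ".join(r["reasons"]))
```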
