Maritime Cyber Security & Threats May 2020 Week Two

The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partner, Red Sky Alliance, performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of Motor Vessel (MV) or Motor Tanker (MT) keywords in the subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we provide a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| May 9, 2020 | RE: MV TBN T e-PDA | Trojan:Win32/Occamy.C | Patty Chao patty.choa@conveyortw.com.tw | info@safeguard-technology.com |
| May 9, 2020 | RE: HBL with vessel details | Trojan:Win32/Wacatac.D!ml | a6878bf@a1a9d953106.net | 2a9bf3f6fd630@216345a965a.org |
| May 9, 2020 | VSL: ABALONE, QUOTATION: ABL-S205044A, VENDOR: JONGHAP MARITIME INC | Exploit:O97M/CVE-2017-11882.ARJ!MTB | "Shenzhen Cloud Sailing Co., Ltd" sales01@cloudsailing.cn | info@gicom.nl |
| May 9, 2020 | DHL Global Forwarding (China) Co., Ltd. CARGO RECEIPT, INVOICE AVAILABILITY NOTIFICATION: 200507473 | Trojan:Win32/Wacatac.D!ml | Mandy Chau (DHL HK) mandy.chau@dhl.com | utcnnd.365632@circa.at |
| May 11, 2020 | // SHIPMENT ADVISE // SEA SHIPMENT/28CTNS HB/L # DAC0024943 COB: 11-MAY-2020 | Trojan:Win32/Sonbokli.A!cl | Ajit Lund dlr-a337@mst-dealer.com | shidul@shashabd.com |
| May 11, 2020 | Notice of Arrival for MSC B/L :MEDUG3735396/MSC CARLA 3/HC009A | PWS:Win32/Fareit!MTB | ID547-MSC IDJKT IMPORT INVOICE sika@sandangasia.com | Targets Not Disclosed |
| May 11, 2020 | RE: ADJUSTMENT // PRE ALERT AT INDONESIA "NYK FUJI V.084S" LCL TO JKT YGLNGO004466 // YIF-FW-19004159/ | Trojan:Win32/Skeeyah.A!rfn | Jakarta 608@50e66f1.com PT. YAMATO INDONESIA FORWARDING | caf9@60a459f1d8.com |
| May 12, 2020 | RFQ - SEA FAITH - ANCHOR | Trojan:Win32/Wacatac.C!ml | Purchase Dept 330b2@0d33f97931.gr | 9429d2922bef1e@2010546c.biz |
| May 12, 2020 | MV SEAVENUS-PDA | Exploit:O97M/CVE-2017-11882.L | Ummer Ali 16fab0@67eccd1416.com | 9ed08@ad2796f954db1a.com |
| May 14, 2020 | RFQ For Supply of Container 5x40ft_0320 | Trojan:Win32/Wacatac.C!ml | Sabrina Yong intern_engg@eternalexposure.com.my | mink@medinet.or.kr |
| May 14, 2020 | RE: M/T ALPHA MARINE - No.2 Cargo Pump Elec. Motor Overhaul | Trojan:Win32/Occamy.AA | "JINSAN MARINE MANAGEMENT CO.,LTD" engine@jinsankorea.co.kr | Targets Not Disclosed |

In the above collection, we see malicious actors using vessel names to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows password-stealing trojan malware. Some of the new vessel names used this week include “SEA FAITH” and “MSC CARLA,” among others.

Analysts observed another malicious email containing the subject line “// SHIPMENT ADVISE // SEA SHIPMENT/28CTNS HB/L # DAC0024943 COB: 11-MAY-2020.” The email is disguised as a bill of lading for an unnamed shipment from the Seahorse Ship Agencies PVT. LTD.  In this case the email appears to have been sent from a dealership portal instead of being sent through a standard email client such as Outlook or Apple Mail.

The sender “Ajit Lund” is sending the message from “mst-dealer.com” but signs the message body with a logo from the Seahorse Ship Agencies PVT. LTD. company. Also, mail[.]mst-dealer[.]com appears to be a login portal with a Mazda logo on the main page. The email message is generic enough to be used as a template and does not appear to name a particular ship or shipment.

The email recipient in this case is “shidul@shashabd.com.” The domain shasha[.]com is registered to Shasha Denims LTD. in Bangladesh.  There is one marketing executive identified with the first name of Shidul, but it is unclear if this is the same employee being targeted in this email.

The malicious email attachment filename is “ETA_BILL_OF_LADING.gz”, indicating the file is a gzip archive. Upon opening the file, the victim would activate Trojan:Win32/Sonbokli.A!cl malware.[1] This variant of malware uses Microsoft PowerShell to download a malicious .otf file from a command and control server.

Analysts observed another malicious email containing the subject line used last week, “RE: M/T ALPHA MARINE – No.2 Cargo Pump Elec. Motor Overhaul.” The email was sent from “JINSAN MARINE MANAGEMENT CO., LTD.” JINSAN Marine Management claims to be one of the world’s top twenty marine suppliers and engine parts sales agents of Hyundai Engine and Marine Machinery since 2010.[2]

The sending domain does indeed appear to be registered to JINSAN Marine, so it is unclear if the account has been taken over by bad actors to spread malware, or if the sender is knowingly sending malware.  It is common for attackers to spread malware by impersonating a victim from a previous cyber-attack.  Although the recipients are undisclosed, analysts believe with medium confidence that the parties being targeted have some financial/business investment in the Motor Tanker (M/T) Alpha Marine.

The email contains a malicious .xlsx Excel spreadsheet attachment labeled “EPDA – MT ALPHA MARINE.xlsx.”  The attachment contains Trojan:Win32/Occamy.AA malware which can be used to exfiltrate and steal sensitive data from the victim’s machine.[3]  This malware can also be used to remotely install/activate ransomware.

[1] https://www.virustotal.com/gui/file/8702d08022d4bb641c6f1d6bd9dc15070db89b11f6f8b5afe13ae1f6fbb1157f/detection

[2] https://www.shipserv.com/supplier/profile/s/jin-san-marine-management-co-ltd-53347?publicTnid=53347

[3] https://www.virustotal.com/gui/file/844c007e86ad929a1829296710210c58d469dcd9735b6a87094f9185109c5d65/detection

Our Experts Say

Dryad Assessment

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could make the recipient an infected member of the maritime supply chain and thus possibly spread additional malware to vessels, port facilities and/or shore companies in the marine, agricultural, and other industries.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first line of defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offers a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


Weekly Maritime Watchlist

Top 5 Malicious Maritime Subject Lines

| Subject Line Used | Email Sender Using Subject Line | Times Seen |
|---|---|---|
| Re: OceanBridge ShipnDocs_#0520*HBL+CIPL+HAWB | Ocean Bridge Logistics freight@oceanbridge.com | 9 |
| OUR NEW ORDER PROFORMA INVOICE. No 255 Dt | "Alex Come" commerce@synergies-arc.com | 6 |
| CONSIGNMENT NOTICE// NGBKHI20010274 2X20GP//TNT#KTW 886114/2020 | TNT Cargo \|\| Jakarta Branch jplawfirm@jurnalisponto.co.id | 5 |
| NEW BOOKING INVOICE & PACKING ARRIVAL SHIPMENT NOTICE | Maersk Line Container Logistics Supply Chain Services contact@roiboslimited.com | 5 |
| Shipping Document (CI & PL) | "PT. COSCO SHIPPING LINES" rendra@indosecuritysystem.com | 5 |

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress the real-world consequences of careless cyber practices or general inattentiveness, and the need for constant attention.
  • Provide practical guidance on how to recognize a potential phishing attempt.
  • Use direct communication to verify emails, including supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.
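The mail triage below is an added example, not Dryad Global or Red Sky Alliance code: it applies the report's own indicators (MV/MT vessel keywords in the subject, a blocklist of this week's sending addresses, and the .gz/.xlsx attachment types described above) to constructed sample messages so that matches can be quarantined before they reach an inbox. The blocklist and samples are assumptions built from the table on this page, not a live feed.

```python
import re
from email.utils import parseaddr

# Constructed blocklist: sender addresses taken from this week's report table,
# standing in for the Maritime Blacklist the report refers to.
BLOCKED_SENDERS = {
    "patty.choa@conveyortw.com.tw",
    "dlr-a337@mst-dealer.com",
    "engine@jinsankorea.co.kr",
}

# Vessel-name lures seen in the report's subject lines: MV, MT, M/V, M/T, VSL.
# The lookbehind stops words such as SHIPMENT or ADJUSTMENT from matching.
VESSEL_RE = re.compile(r"(?<![A-Z0-9])(?:M/?[VT]|VSL)(?=[\s:.-])", re.IGNORECASE)

# Attachment types used in the report: archives (.gz) and Office documents (.xlsx).
RISKY_EXT_RE = re.compile(r"\.(?:gz|zip|rar|7z|xlsx?|xlsm|docx?|docm)$", re.IGNORECASE)


def triage(message):
    """Return the indicators found in one message (empty list means no finding).

    message is a dict with 'from' (raw header), 'subject' and 'attachments'.
    """
    reasons = []
    _, addr = parseaddr(message.get("from", ""))
    if addr.lower() in BLOCKED_SENDERS:
        reasons.append("sender on maritime blocklist")
    if VESSEL_RE.search(message.get("subject", "")):
        reasons.append("vessel keyword in subject")
    for name in message.get("attachments", []):
        if RISKY_EXT_RE.search(name):
            reasons.append(f"risky attachment: {name}")
    return reasons


# Constructed sample messages; subjects and addresses come from the report table.
SAMPLES = [
    {"from": "Ajit Lund <dlr-a337@mst-dealer.com>",
     "subject": "// SHIPMENT ADVISE // SEA SHIPMENT/28CTNS HB/L # DAC0024943 COB: 11-MAY-2020",
     "attachments": ["ETA_BILL_OF_LADING.gz"]},
    {"from": '"JINSAN MARINE MANAGEMENT CO.,LTD" <engine@jinsankorea.co.kr>',
     "subject": "RE: M/T ALPHA MARINE - No.2 Cargo Pump Elec. Motor Overhaul",
     "attachments": ["EPDA - MT ALPHA MARINE.xlsx"]},
    {"from": "Colleague <ops@example.com>",
     "subject": "Crew change schedule for next week", "attachments": ["schedule.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["subject"][:40], "->", triage(msg) or "clean")
```

A single hit on the vessel keyword alone is a lure signal, not proof of malice; in practice the reasons list feeds a scoring or quarantine policy rather than an automatic block.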
