The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Jan 7, 2020 | REVISED Invoice for Lashing MV-RTE5T THORCO | MSOffice/CVE_2017_11882.C!exploit | | Target not reported |
This week Red Sky Alliance observed vessel impersonation traffic attempting to deliver the MSOffice/CVE_2017_11882.C!exploit malware.
In the above collection we see a malicious actor attempting to use a vessel name to spoof companies in the maritime supply chain. However, no vessel with the name “MV-RTE5T THORCO” could be found in open sources. According to marinetraffic.com there are 111 vessels whose names begin with the word THORCO. Additionally, RTE5 is the name of a navigation aid in the Persian Gulf, northeast of the King Abdulaziz Seaport in Saudi Arabia. It is unknown why the attacker would use the name of a non-existent vessel. Perhaps a wordlist of vessel names was used to generate the subject line programmatically, like a form letter. Or perhaps the attackers are betting that the recipient would not verify that the vessel name is valid before opening the message and its attachment.
Analysis reveals that a malicious email was sent to an unreported target domain. The message contains the subject line “REVISED Invoice for Lashing MV-RTE5T THORCO” and an attachment identified by Fortinet as the MSOffice/CVE_2017_11882.C!exploit malware. This malware exploits flaws in a large range of Microsoft Office products, from Microsoft Office 2007 to Microsoft Office 2016. In the past this malware has been used to deliver the ZBOT banking malware, which steals online banking credentials.
The message draws attention to an attached invoice and requests a payment of $53,056.44 USD to cover container lashing costs. However, opening the attachment could trigger the attached malware to be installed.
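The reasoning above suggests a simple triage step a mail team can automate: when a subject line names a vessel, check that name against the list of vessels the company actually does business with, and treat an invoice or payment lure that arrives with an Office document attachment, or from a blocklisted sender domain, as suspicious. The script below is an added example written for this page, not Red Sky Alliance tooling; the known-vessel list, blocklisted domain, sender addresses and attachment filename are all constructed placeholders, while the subject line and amount are taken from the report.

```python
"""Triage checks for vessel-impersonation phishing (added example, not
Red Sky Alliance code). All reference data here is constructed.

Checks:
  1. Subject names a vessel that is not on our own known-vessel list.
  2. Invoice/payment lure in the subject plus an Office document attachment
     (the delivery vehicle for CVE-2017-11882 lures).
  3. Sender domain appears on a blocklist.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Constructed: vessels this hypothetical operator really has contracts with.
KNOWN_VESSELS = {"EXAMPLE ONE", "EXAMPLE TWO", "SAMPLE CARRIER"}

# Constructed: stand-in for a maritime sender blocklist (the report does not
# publish the sending address).
BLOCKED_SENDER_DOMAINS = {"bad-sender.invalid"}

INVOICE_LURE_RE = re.compile(r"\b(invoice|payment|remit|lashing|revised)\b", re.I)
# "MV", "MS" or "MT" followed by one to four upper-case/digit tokens.
VESSEL_RE = re.compile(r"\bM[VST][- ]((?:\b[A-Z0-9]{2,}\b ?){1,4})")
OFFICE_EXTS = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx")

# Constructed sample modelled on the lure in the report.
SAMPLE_EMAIL = """\
From: accounts@bad-sender.invalid
To: ops@example-carrier.invalid
Subject: REVISED Invoice for Lashing MV-RTE5T THORCO
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached the revised lashing invoice. Kindly remit USD 53,056.44.
--b1
Content-Type: application/msword; name="Invoice.doc"
Content-Disposition: attachment; filename="Invoice.doc"

(binary attachment body omitted)
--b1--
"""

# Constructed benign message for contrast: known vessel, no attachment.
BENIGN_EMAIL = """\
From: agent@example-partner.invalid
To: ops@example-carrier.invalid
Subject: Port call MV EXAMPLE ONE ETA Monday
Content-Type: text/plain

Berth confirmed.
"""


def extract_vessel_name(subject: str) -> Optional[str]:
    """Return the vessel name referenced in a subject line, or None."""
    m = VESSEL_RE.search(subject)
    return m.group(1).strip() if m else None


def vessel_is_known(name: str) -> bool:
    """True if a vessel we do business with appears in the captured name."""
    return any(known in name.upper() for known in KNOWN_VESSELS)


def attachment_names(msg: Message) -> List[str]:
    """Filenames of all attached parts (the text body has none)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def sender_domain(msg: Message) -> str:
    """Lower-cased domain part of the From header."""
    return msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()


def assess(raw_email: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    findings: List[str] = []

    vessel = extract_vessel_name(subject)
    if vessel and not vessel_is_known(vessel):
        findings.append(f"unknown vessel referenced: {vessel!r}")

    office_docs = [n for n in attachment_names(msg) if n.lower().endswith(OFFICE_EXTS)]
    if INVOICE_LURE_RE.search(subject) and office_docs:
        findings.append(f"invoice lure with Office attachment(s): {office_docs}")

    domain = sender_domain(msg)
    if domain in BLOCKED_SENDER_DOMAINS:
        findings.append(f"sender domain on blocklist: {domain}")

    return findings


if __name__ == "__main__":
    for label, raw in (("sample lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", assess(raw) or "no findings")
```

The vessel check is deliberately a substring match against the operator's own list rather than a lookup in a public registry: the report's point is that an attacker can pick a plausible-looking name at random, so the useful question is whether the name is one the recipient has any business relationship with.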
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support and our vessel impersonation information, and use the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.