
Maritime Cyber Security & Threats Jun 2020 Week Three

The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the Motor Vessel (MV) or Motor Tanker (MT) keyword in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Jun 13, 2020 | FW: MV Premier - Spare Parts Request 11.06.2020 | Exploit:O97M/CVE-2017-11882!MTB | "Bayu-Dwi PUJI-WIDODO" bayu-dwi.puji-widodo@phm.pertamina.com | "EP-ID-IST SECURITY" ep-id-ist.security@phm.pertamina.com |
| Jun 13, 2020 | CONTAINER FOR YOUR GOODS | Trojan:HTML/Phish.JK!MTB | "1e6a24e1c6@679.com" 1e6a24e1c6@679.com | Targets Not Disclosed |
| Jun 15, 2020 | RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | HEUR:Exploit.MSOffice.Generic | "A.P. Moller - Maersk" tacdmk4@transaircargo.com | Targets Not Disclosed |
| Jun 15, 2020 | Re: Request for Quotation - MV EVIAPETROL V TRADER | Trojan:Win32/Wacatac.C!ml | "CHLOE LI" sales@moton-electric.com | Recipients sales@moton-electric.com |
| Jun 16, 2020 | ***SPAM*** Maersk Line : Arrival Notice | Probably Heur.HTMLUnescape | autonotificationimports@Maersk.com | hung.ttq@msv.com.vn |
| Jun 16, 2020 | M/V ASPL TBN / PDA ENQUIRY | Exploit:O97M/CVE-2017-8570.JB!MTB | "PLATIN SHIPPING TRADING CO. / ISTANBUL" f7235a61f@3ae52877e0.net | e84@963212c1fc.com |
| Jun 16, 2020 | MV ASPL TBN / PDA INQUIRY | Exploit:O97M/CVE-2017-8570.JB!MTB | PLATIN SHIPPING TRADING CO. / ISTANBUL f7235a61f@3ae52877e0.net | 7f9d3@30718da8.eg |
| Jun 16, 2020 | MV CHINALAND TBN AGENCY NORMINATION | Exploit:O97M/CVE-2017-8570.JB!MTB | "CHINALAND SHIPPING" e84@a7a9430ca6031bd7d.cn | cd6c@5d104289d17.za |
| Jun 16, 2020 | MV Sider Capri - PDA | Exploit:O97M/CVE-2017-8570.JB!MTB | "INTERTRANS" f7235a61f@df67164c739.co | Targets Not Disclosed |
| Jun 17, 2020 | RE: MV TBN - PORT INQUIRY FOR LOADING DAP IN BULK | Trojan:Win32/Sonbokli.A!cl | "INTER-OCEAN KOREA CO., LTD." interocean1@korea.com | Targets Not Disclosed |
| Jun 17, 2020 | Port information - Discharge Rice in Jumbo bags | Exploit:O97M/CVE-2017-11882.ARJ!MTB | Thoresen Shipping Singapore 44d92@23f8143a.com | 25df9@a694174ef.com |
| Jun 17, 2020 | Shipping documents for Cargo Down ( ETD SHA : 6/17, ETA JKT : 6/25) | Trojan:Win32/FormBook.CR!MTB | Ella 33d5aa6b4@2f1c4.com | 65144a54@b93c9277eafd7.com |
| Jun 18, 2020 | Cargo is prepared for sending. | TrojanDropper:O97M/Powdow.J!MTB | serwis@loos.pl | ap_invoice_kpg2@kirchhoff-automotive.com |
| Jun 18, 2020 | Quote # 5780 -LCL-AS/PO/- PR#61007114 | HEUR:Exploit.MSOffice.CVE-2017-0199.a | "Jenny Rose V. Enerio" pcpd@scii.com.ph | info@camillebauer.com |
| Jun 18, 2020 | MV DS FAVOUR V.S20087-SHIP PARTICULARS | Trojan:Win32/Wacatac.C!ml | chartering@standardshipping.co.kr | me chartering@standardshipping.co.kr |
| Jun 18, 2020 | [Port Info - 38K] Kharis - Discharge about 50, 000mt of Clinker at Fangcheng, China | Trojan:Win32/Wacatac.C!ml | Yejin Park_KHARIS bulk01@kharis.co.kr | Yejin Park_KHARIS bulk01@kharis.co.kr |
| Jun 18, 2020 | Re: Purchase Purse seiner. Tuna vessel | Trojan:Win32/Sonbokli.A!cl | Kim Chun Geuk cg.kim@skshipping.com | Targets Not Disclosed |
| Jun 18, 2020 | Re: M.V. Su May/M.V. Yong May - inquiry | Trojan:Win32/Obfuscator.TX!MTB | Sales Bogerd Martin HK a7430@291eaec221f3.hk | 25df9@a694174ef.com |
| Jun 18, 2020 | Fuji Trading(Marine) REQUEST FOR QUOTATION | Trojan:Win32/Wacatac.C!ml | "Fuji Trading(Marine) B.V. Rotterdam" eugenia.vieru@fujitrading.nl | Targets Not Disclosed |
| Jun 18, 2020 | RE: AW: TH MARTIN 2486 MV Grace Previous shipment Documents / Arrival Notify | Trojan:Win32/Occamy.C67 | "Mark E. Ocampo" import@tici.com.ph | Targets Not Disclosed |
| Jun 18, 2020 | MAERSK LINE PRE-NOTIFICATION ALERT DOC#HO8524501N00083 | Trojan.Win32.Crypt.akjh | MAERSK LINE SERVICE xyz@globclpsa.com | info@kraeber.de |
| Jun 19, 2020 | [External]MV TBN // EPDA AT QINZHOU | Trojan.SpamMalware-RAR.Gen | "ops@orientalpal.com" opr@orientalpal.com | ops/OPAL opr@orientalpal.com |

In the collection above, we see malicious actors using vessel names to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Sider Capri” and “MV Premier” among others. “Maersk Kleven” was used again this week. It is still unclear why this specific vessel is being leveraged in so many subject lines. The owners of the vessel appear to work closely with leading maritime financing banks and export credit agencies. Targets like this are often leveraged to attack the companies they provide services to, or other associated companies in the supply chain.

Analysts observed two similar subject lines, “M/V ASPL TBN / PDA ENQUIRY” and “M/V ASPL TBN / PDA INQUIRY”, being used in two malicious emails this week. The sender email was the same for both emails, but the targeted email addresses were unique. The difference in the spelling of “inquiry” indicates that the attacker was likely targeting Canadian or American victims with the “inquiry” subject line and victims in the United Kingdom with the “enquiry” subject line.

The above email messages were sent from “PLATIN SHIPPING TRADING CO. / ISTANBUL” <f7235a61f@3ae52877e0.net>. Although an alias obscures the sending domain, the sending email is likely impersonating platinship[.]net, which is the domain for Platin Shipping & Trading Co. LTD in Turkey.

The message body is redacted in both emails, so no additional context is provided. However, the malicious attachments for both emails are the same. The first is a “DOCX.doc” Word document and the second is a “Q88.xlsm” Excel spreadsheet with macros enabled. Both documents contain Exploit:O97M/CVE-2017-8570.JB!MTB malware. When executed, the malware infects the victim device and deletes copies of itself to make analysis more difficult. Intelligence gathered from previous Red Sky Alliance reporting indicates these victims have been targeted in the past with trojan downloader malware.[1]
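A triage routine, added here as an example and not part of Dryad Global's or Red Sky Alliance's tooling, that applies three of the report's observations to constructed messages: the MV/MT vessel prefix in the subject line, a display name claiming a known company while the real sending domain differs (the Platin Shipping case above, including the enquiry/inquiry variant), and Office attachments of the kind these emails carry. The platinship.net domain comes from the report; maersk.com as Maersk's legitimate domain and the sample messages are assumptions.

```python
import re
from email.utils import parseaddr

# Added example, not Dryad/Red Sky Alliance code. Rules follow the report: MV/MT vessel
# prefixes in the subject, a display name naming a company that the sending domain
# does not belong to, and Office attachments. Prefix forms seen: "MV", "M/V", "M.V.", "MT".
VESSEL_LURE = re.compile(r"(?<![A-Za-z0-9])M[./]?[VT]\.?\s+\S", re.IGNORECASE)
# Legitimate domain per impersonated company: platinship.net is from the report;
# maersk.com is an assumption made for this example.
KNOWN_ORGS = {"platin shipping": "platinship.net", "maersk": "maersk.com"}
OFFICE_EXT = re.compile(r"\.(?:docx?|xlsx?|xlsm|rtf)$", re.IGNORECASE)

def subject_key(subject):
    """Normalise a subject for clustering: strip reply prefixes, fold enquiry/inquiry
    and the M/V, M.V. and MV spellings, so the two Platin emails group together."""
    s = re.sub(r"^(?:(?:re|fw|fwd|aw)\s*:\s*)+", "", subject.strip(), flags=re.IGNORECASE)
    s = re.sub(r"\b(?:en|in)quiry\b", "inquiry", s, flags=re.IGNORECASE)
    s = re.sub(r"(?<![A-Za-z0-9])M[./]?V\.?(?=\s)", "MV", s, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", s).upper()

def triage(msg):
    """Return the report-derived reasons this message deserves a closer look."""
    reasons = []
    if VESSEL_LURE.search(msg["subject"]):
        reasons.append("vessel-prefix-subject")
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    for org, legit in KNOWN_ORGS.items():
        if org in name.lower() and domain != legit:
            reasons.append(f"display-name-claims-{org}-but-domain-{domain}")
    for att in msg.get("attachments", []):
        if OFFICE_EXT.search(att):
            reasons.append(f"office-attachment:{att}")
    return reasons

# Constructed samples: the first two mirror rows of the report's table, the third is
# a benign control message.
SAMPLES = [
    {"from": '"PLATIN SHIPPING TRADING CO. / ISTANBUL" <f7235a61f@3ae52877e0.net>',
     "subject": "M/V ASPL TBN / PDA ENQUIRY", "attachments": ["DOCX.doc", "Q88.xlsm"]},
    {"from": '"A.P. Moller - Maersk" <tacdmk4@transaircargo.com>',
     "subject": "RE : URGENT!!! SHIPPING DOC INV#462345 // MAERSK KLEVEN V.949E //",
     "attachments": []},
    {"from": '"Ops Desk" <ops@example.invalid>', "subject": "Weekly safety meeting minutes",
     "attachments": ["minutes.pdf"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(subject_key(m["subject"]), "->", triage(m) or "no findings")
```

The display-name check only fires for companies listed in KNOWN_ORGS, so that table needs to be maintained from the report's watchlist as new impersonated names appear.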

Analysts observed another malicious email which appears to impersonate Systems Controls Instrumentations, Inc. (SCII). The malicious email subject line used is “Quote # 5780 -LCL-AS/PO/- PR#61007114.” SCII is a specialized trading company located in the Philippines with over $2.2 million in “total turnover” in 2018.

The sending email “pcpd@scii.com.ph” appears to be a valid email domain used by the company. Also, the person associated with the sending email, “Jenny Enerio”, appears to be the In-House Sales Coordinator for SCII. Although this specific user does not show up in Red Sky Alliance collections, there are other employees at the company with credentials listed in our Breach Data collections.

The signature in the email confirms the sender is impersonating Jenny Enerio, the In-House Sales Coordinator for the company.  The message body consists of an RFQ and asks for a re-sale price and lead-time for a list of attached items.  The fact that the message has no greeting makes it generic enough to send to multiple targets.

The recipient in the email is “info@camillebauer.com” which is listed publicly on a website for the Controller Area Network in Automation (CiA) group which is an international users and manufacturers group.  The group works to enhance and develop the CAN protocol and “promote the image of the CAN technology.”[2]  The group appears to have headquarters in Nuremberg, Germany.  Camille Bauer Metrawatt AG (which owns the target domain) appears to be a member of this group. The company provides system solutions for energy generation, distribution, and consumption.  These types of companies are often targeted for profit and trade secrets.

When the victim opens the attached spreadsheet named “RFQ_34234651.xlsx”, they are actually activating Exploit:O97M/CVE-2017-0199!MTB malware.[3]  This malware is one of the most common exploits seen in malicious emails.  It exploits a memory corruption vulnerability in Microsoft Office products.  This allows attackers to extract sensitive and private information from the victim’s device.  If successful, an attacker could cause this malware to spread to other user accounts that would likely have better access to sensitive/private information. For example, users who are part of the info@camillebauer.com email group may end up downloading the malware which would result in the attacker’s access to the network.

[1] https://redskyalliance.org/transportation/vessel-impersonation-08-18-2019

[2] https://www.can-cia.org/about-us/

[3] https://www.virustotal.com/gui/file/c241e93e03a9d89d8ff72361657bdcd47361a9ba664c698d1d13b5f75ab9fcbc/detection

Our Experts Say

Dryad Assessment

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offers a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Global Dryad

Weekly Maritime Watchlist

Top 5 Malicious Maritime Subject Lines

| Sender | Malware Sent |
|---|---|
| interocean1@korea.com | Trojan:Win32/Sonbokli.A!cl |
| info@safeguard-technology.com | Exploit:O97M/CVE-2017-11882.PRB!MTB, Trojan:Script/Wacatac.C!ml, TrojanDownloader:O97M/Obfuse.HRA!MTB |
| support@hoffmanneitle.com | HTML/Phishing.DOC!tr, Exploit:O97M/CVE-2017-11882!MTB, Trojan:Win32/DanaBot.AP!MTB |
| hung.ttq@msv.com.vn | Trojan:Win32/Pwsteal.Q!bit, Trojan:Win32/Detplock, Probably Heur.HTMLUnescape |
| eugenia.vieru@fujitrading.nl | Trojan:Win32/Wacatac.C!ml |

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.
