Maritime Cyber Security & Threats May 2020 Week Four

The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line use of the Motor Vessel (MV) or Motor Tanker (MT) keywords is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| May 22, 2020 | RE: REQUEST FOR QUOTATION - M.V. OMNI TIGRIS DRY DOCKING | Trojan:Win32/Sonbokli.A!cl | "SHAIFFUL RIDZUAN" shaifful.ridzuan@bnsy.com.my | Targets Not Disclosed |
| May 24, 2020 | RE: ADJUSTMENT // PRE ALERT AT INDONESIA "NYK FUJI V.084S" LCL TO JKT YGLNGO004466 // YIF-FW-19004159/ | PWS:Win32/Fareit.A!MTB | PT. YAMATO INDONESIA FORWARDING Jakarta 608@50e66f1.com | caf9@e841f89026c8.com |
| May 25, 2020 | RE: REQUEST FOR QUOTATION - M.V. OMNI TIGRIS TRADER | HEUR:Exploit.MSOffice.CVE-2017-0199.a | TRAN QUANG guw_std5@a-c-s.kz | Targets Not Disclosed |
| May 25, 2020 | MV WAF PASSION / CALLING FOR DISCHARGING | Trojan:Win32/Wacatac.C!ml | "Maersk (Shanghai, Head Office)" a6a04a5c2a9@fd8e08.com | Targets Not Disclosed |
| May 25, 2020 | MV. BRAVE SAILOR (V.1801) - AGENT NOMINATION at BUSAN (Bunkering Only) | Trojan:Win32/Wacatac.C!ml | "Five Ocean - Ops" ops@fiveocean.co.kr | "Me" ops@fiveocean.co.kr |
| May 25, 2020 | Ports Daily Port Position on 25.05.2020 | Trojan:Win32/Wacatac.C!ml | "Aye Myint" zinkoko.aung@benline.com.mm | "Me" zinkoko.aung@benline.com.mm |
| May 25, 2020 | RE: VSL: MV ANGEL SPIRIT, ORDER: AHOC-A77180011E | HEUR:Exploit.MSOffice.Generic | Nguyen Quang vosa.vungtau@vosagroup.com | Targets Not Disclosed |
| May 26, 2020 | Documents for the Sea shipment(MATZ MAERSK / 017W , ETA:31/May) | Trojan:Win32/Wacatac.C!ml | 68d6@4d9b528a6e33a5.kr | 9ed08@dcc762b7ba3.uk |
| May 27, 2020 | Mv Arkadiy Chernyshev/Calling for disch logs 8000cbms | Trojan:Win32/Wacatac.C!ml | "HOSCO AGENCY(YMS)" agencyqhd@hoscogroup.com | "Me" agencyqhd@hoscogroup.com |
| May 27, 2020 | Fw: RE : M.V ARCTURUS - ARC/SPR/024-20 | HEUR:Exploit.MSOffice.Generic | "BULKSEAS MARINE MANAGEMENT S.A." fciascuixart@xarxafarma.com | Targets Not Disclosed |
| May 27, 2020 | PRIORITY/MT SULPHUR GENESIS - CREW CHANGE/PDA MAY | Malicious_Behavior.SB | "Belarusian River Shipping Company" Info@export.by | Recipients Info@export.by |
| May 27, 2020 | PO 337052/DRAFT DOCUMENTS FOR THE FIRST CONTAINER AGREEMENT | PWS:Win32/Fareit.W!MTB | "EXPORT-SALES7015b30becad229@4ca324.mz | EXPORT-SALES7015b30becad229@4ca324.mz |
| May 27, 2020 | RE : URGENT!!! SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E | HEUR:Exploit.MSOffice.Generic | "A.P. Moller - Maersk.(Shanghai, Head Office)" nooreply@maersk.com | Targets Not Disclosed |
| May 28, 2020 | Fw: RE: Vessel: KSL SAPPORO / Requisition No.: 20R-0114-1 / Supplier | Trojan:Win32/Wacatac.C!ml | "Kwon, J-H" 613c3214@d8b31b9ec9.com | 2ecf2c20@d8b31b9ec9.com |
| May 28, 2020 | WG: COSCON - Proforma Bill of Lading for COSU6263268050/Vessel: CMA CGM VOLGA SVVD: AEM3-QZG-025 E Shipper Ref: RTEUpdated | HEUR:Exploit.MSOffice.CVE-2017-0199.a | IT Support itsupport@incoe.de | IT Request IT-Request@incoe.de |
| May 28, 2020 | VSL: M/V TRANSATLANTIC, ORDER: TDR-AA20052 | HEUR:Exploit.MSOffice.Generic | shipping@comfort.com.tw | mis@comfort.com.tw |
| May 28, 2020 | Freight invoice for payment | HEUR:Exploit.MSOffice.Generic | Kerry – Apex Shipping events@parapharmako.gr | Targets Not Disclosed |
| May 28, 2020 | RE: ADJUSTMENT // PRE ALERT AT LCL TO JKT "YGLNGO004466" // YIF-FW-19004159// | Trojan:Win32/FormBook.CJ!MTB | Raymond kane haritiat@indocorp.com | Microsoft Office office@microsoft.com |
| May 28, 2020 | Notice of Arrival for MSC B/L :MEDUG3735396/MSC CARLA 3/HC009A | PWS:Win32/Fareit.Y!MTB | ID547-MSC IDJKT IMPORT INVOICE ID547-id.systemautomail@msc.com | Targets Not Disclosed |
| May 28, 2020 | RFQ for Vessel: GLENDA MELANIE/Ship Ref: GME-E-17-0094 | PWS:Win32/VB.CU | "Patrick Jeong / Ops Dept" b490@e1200e5bb1efc3ad5.com | Recipients b490@e1200e5bb1efc3ad5.com |
| May 29, 2020 | RE: COSCON - Proforma Bill of Lading for COSU6263268050/Vessel: CMA | HEUR:Exploit.MSOffice.CVE-2017-0199.a | "guanlin/Guan Lin(GSC-WH)" guanlin@coscon.com | Targets Not Disclosed |
| May 30, 2020 | Maersk : Arrival Notice ready for Bill of Lading 910571890. | DOC/TrojanDownloader.Agent.BMW | Maersk Notification service@maerskline.com | Targets Not Disclosed |
| May 30, 2020 | MV TBN // INQUIRY FOR JIANG YIN PORT FOR DISCHARGING 30, | Trojan:Win32/Vigorf.A | "Kostas Mathes" opr@atlanticpalaemon.com | Kostas Mathes opr@atlanticpalaemon.com |

In the above collection, we see malicious actors attempting to use vessel names to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Angel Spirit” and “M.V. OMNI TIGRIS” among others. Interestingly, “M.V. OMNI TIGRIS” was used in two unique subject lines this week (see table above). This vessel is an offshore supply ship sailing under the flag of Malaysia.[1]

Also notable this week is the large number of emails where the recipient email address was not disclosed or was the same as the sender email address. Another subject line observed this week used the vessel name “MAERSK KLEVEN”. This vessel has been listed in subject lines over the last several months. Analysts are unable to determine, at this time, why this vessel name is so popular in subject lines, but will continue to monitor it. The vessel is currently flying under the Liberian flag and is a Hazard A (major) cargo ship.

Analysts observed subject line “Documents for the Sea shipment(MATZ MAERSK / 017W , ETA:31/May)” being used in a malicious email this week.  Although the header information is slightly obscured, analysts determined that it is being sent from a Korean company to a company based in the United Kingdom.

The email sender is listed as “68d6@4d9b528a6e33a5.kr” which is an email alias given by the sending email server.  However, the .kr top-level domain indicates the sender is likely based in Korea.  The email message signature also indicates that the sender (J.Yun) is from Woohyun Shipping Co. LTD. based out of Seoul, South Korea.

Due to the use of an email alias, the exact recipient email address is unclear, but this email message appears relatively generic.  Using a generic and common greeting “Dear sirs,” this short email could easily be used as a malicious email template to send to numerous recipients.

The malicious file attached to this email is named “matzmaersk.zip” and contains Trojan:Win32/Wacatac.C!ml malware.[2] This malware is capable of stealing sensitive data from victim devices and exfiltrating it to command and control infrastructure. When downloaded, the zip file does not remain in the designated folder, further indicating malicious activity.

Analysts observed another malicious email containing the subject line used last week, “MV WAF PASSION / CALLING FOR DISCHARGING.” The email was sent from “‘Maersk (Shanghai, Head Office)’ <a6a04a5c2a9@fd8e08.com>”. “WAF Passion” does not appear to be an active name for any vessel on marinetraffic.org; however, there are vessels that have used the name in the past.[3]

The sender email appears as the head office for Shanghai Maersk operations, which indicates the email is likely targeting someone in the Maersk supply chain.  The recipients are not disclosed in this case so analysts believe this with medium confidence.

As with the recipients, the message body has also been redacted in this case. However, the filename reveals that the attackers were disguising the file as a “PDF.” The filename is “MV WAF PASSION -500121_pdf.gz”, which many users would take for a PDF. It is in fact a gzip file which, just like the attachment in the previously discussed email, does not remain in the folder it is downloaded to. When opened, the file activates “Trojan:Win32/Wacatac.C!ml” malware, which can be used to exfiltrate sensitive information from victim devices. It can also be used by attackers to download further malware and stage future cyber-attacks.
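The lure traits this report describes (an MV/MT keyword in the subject, a display name that claims a brand the sending domain does not match, a sender that is also the recipient, and an archive named to pass as a PDF) can be screened for on incoming mail. The triage below is an added example, not Dryad Global or Red Sky Alliance code; the brand list and the recipient address in the constructed sample message are assumptions, while the subject, sender and filename are taken from the report.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Added example, not Dryad/Red Sky code; brand list and To: address are assumptions.
VESSEL_RE = re.compile(r"(?<![A-Za-z])M[./]?[VT]\.?(?![A-Za-z])", re.IGNORECASE)
KNOWN_BRANDS = ("maersk", "cosco", "msc")
MAGIC = {b"\x1f\x8b": "gz", b"PK\x03\x04": "zip", b"%PDF": "pdf"}

def sniff(data):
    """Identify an attachment by its leading bytes rather than by its name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def triage(raw):
    """Return the lure indicators found in one raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if VESSEL_RE.search(msg.get("Subject", "")):
        findings.append("vessel keyword (MV/MT) in subject")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand in KNOWN_BRANDS:            # display name vs. sending domain
        if brand in name.lower() and brand not in domain:
            findings.append(f"display name claims {brand} but domain is {domain}")
    if addr and addr.lower() == parseaddr(msg.get("To", ""))[1].lower():
        findings.append("sender and recipient are the same address")
    for part in msg.iter_attachments():   # "_pdf.gz" style masquerading
        fname = (part.get_filename() or "").lower()
        kind = sniff(part.get_payload(decode=True) or b"")
        if "pdf" in fname and kind != "pdf":
            findings.append(f"'{fname}' hints PDF but content is {kind}")
    return findings

# Constructed sample: subject, sender and filename from the report; To: and body made up.
SAMPLE_EML = b"""From: "Maersk (Shanghai, Head Office)" <a6a04a5c2a9@fd8e08.com>
To: "Me" <a6a04a5c2a9@fd8e08.com>
Subject: MV WAF PASSION / CALLING FOR DISCHARGING
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/gzip
Content-Disposition: attachment; filename="MV WAF PASSION -500121_pdf.gz"
Content-Transfer-Encoding: base64

H4sIAAAAAAAAAw==
--b1--
"""
```

Running `triage(SAMPLE_EML)` reports all four indicators for the sample; the base64 payload is just a gzip header, so the attachment check fires on magic bytes without any real archive.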

[1] https://www.marinetraffic.com/en/ais/details/ships/shipid:707458/mmsi:533041100/imo:9576686/vessel:OMNI_TIGRIS

[2] https://www.virustotal.com/gui/file/9cffa695927736df1e7770f4d432d215f28e05f257acb386e2c876a36f45b091/detection

[3] https://www.marinetraffic.com/en/ais/details/ships

Our Experts Say

Dryad Assessment

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first line of defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. Preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and the Maritime Blacklists offers a proactive solution for stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

Weekly Maritime Watchlist

Top 5 Malicious Maritime Subject Lines

| Subject Line Used | Email Sender Using Subject Line | Times Seen |
|---|---|---|
| Maersk : Arrival Notice ready for Bill of Lading 910571890. | From sales@easylift.com | 8 |
| Fw: RE: Vessel: KSL SAPPORO / Requisition No.: 20R-0114-1 / Supplier | "Kwon, J-H" 613c3214@d8b31b9ec9.com | 7 |
| RE: COSCON - Proforma Bill of Lading for COSU6263268050/Vessel: CMA CGM VOLGA SVVD: AEM3-QZG-025 E Shipper Ref: RTEUpdated | "guanlin/Guan Lin(GSC-WH)" guanlin@coscon.com | 7 |
| MV TBN // INQUIRY FOR JIANG YIN PORT FOR DISCHARGING 30, | "Kostas Mathes" opr@atlanticpalaemon.com | 6 |
| VOYAGE INSTRUCTION / AGENCY APPOINTMENT FOR CRANE NOVA V20-14 | "CRANE NOVA" cranenova@marine-onair.net | 6 |

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.
