
Maritime Cyber Security & Threats May 2020 Week Three

The case for pre-emptive defence

Vessel Impersonation Report

Dryad Global’s cyber security partner, Red Sky Alliance, performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Motor Vessel (MV) or Motor Tanker (MT) keywords in the subject line are a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we provide a weekly list of motor vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| May 18, 2020 | RE: MT OCEAN CHEMIST / V.2004B / DUE SINGAPORE OR TANGJUNG PELEPAS, MALAYSIA FOR LOADING - AGENT APPOINTMENT | Trojan:Win32/Wacatac.C!ml | "Platinum Marine Bunker Co. Ltd." caf9@3cabc1a5e50699.com | Targets Not Disclosed |
| May 18, 2020 | FW: Damaged Cargo: MV. SEASPAN CHIWAN - BL. LHV2217356 (IV35) / IVORY COAST- JLB 3/4133/20. | Trojan:Win32/Wacatac.C!ml | JLB MARSEILLE marseille@jlbexpertises.com | Targets Not Disclosed |
| May 19, 2020 | RFQ/ORDER #2020518 FROM China Merchants Port Holdings Co.Ltd | Trojan:Win32/Wacatac.C!ml | IlPFq24gRMOpbcOtbmcgKOWtq+W+t+aYjiki = 2617c938@9395.com | dc1fad@ed6405.com |
| May 19, 2020 | MAERSK LINE SHIPMENT DOCUMENT | Trojan:Win32/Occamy.AA | MAERSK LINE customerservice@maerskline.com | maersk docs@maerskline.com |
| May 19, 2020 | CARGO ARRIVAL NOTICE-Express BL: 200101092/0102 | Trojan:Win32/Wacatac.C!ml | ea9cf7e4@063.com | f9a2f19c0@2960e43e0cabf1.com |
| May 20, 2020 | FW: MT Pavino / Load Port PD/A Crude Benzene + Bunker Request | Trojan:Script/Wacatac.C!ml | Sun Xu Qing sxq@ismships.com | Targets Not Disclosed |
| May 20, 2020 | RE: ADJUSTMENT // PRE ALERT AT INDONESIA "NYK FUJI V.084S" LCL TO JKT YGLNGO004466 // YIF-FW-19004159/ | PWS:Win32/Fareit.A!MTB | PT. YAMATO INDONESIA FORWARDING Jakarta 608@50e66f1.com | 401f51d9@93964e15ac1716.net |
| May 20, 2020 | M/V Ocean Adventure - Fittings for Rescue Boat Repair | HEUR:Exploit.MSOffice.Generic | li beast3x@eliteomar.com | hans.hoobroeckx@fujitrading.nl |
| May 20, 2020 | Cash to Master - MV GOLDEN PEARL | HEUR:Exploit.MSOffice.Generic | TAT SING INTERNATIONAL LOGISTICS tech.support@caturdaya.co.id | Targets Not Disclosed |
| May 20, 2020 | Confidentiality Agreement Request : Structural Steel Materials / PE-105 / Dalma Gas Development Project / Package A (Offshore) / ADNOC | HEUR_RTFMALFORM | Carol Ramirez f84ecf4a@297f44245189.uy | Targets Not Disclosed |
| May 20, 2020 | Your Shipment has arrived - Maersk | Trojan:Win32/Occamy.C | "Maersk Notification service@maerskline.com" waino@tammynpeterson.us | Targets Not Disclosed |
| May 21, 2020 | Payment for invoice #34689- 05x40'HC Container Aqaba - WWS/ | Trojan:Win32/Wacatac.C!ml | Inna Reznik caf9@53d92cbd.com | 2949ed21949a867@726bfbd.com |
| May 21, 2020 | COSCO SHIPPING LINES - 7223942580 - Document Shipping Instruction/BL | Trojan:Win32/Pwsteal.Q!bit | COSCO SHANGHAI SHIP MANAGEMENT CO., LTD e35015@0ea263.com | 07@7c696244.gr |
| May 21, 2020 | Amended P.O 28602 / Hebei Ocean | HEUR:Backdoor.Win32.Androm.gen | "Hebei Ocean Shipping Agency Ltd." agencqhd@hoscoagency.com | Targets Not Disclosed |
| May 21, 2020 | DHL Global Forwarding (China) Co., Ltd. CARGO RECEIPT | Trojan:Win32/Wacatac.C!ml | DHL Express Worldwide | Targets Not Disclosed |
| May 22, 2020 | RE: REQUEST FOR QUOTATION - M.V. OMNI TIGRIS DRY DOCKING | Trojan:Win32/Sonbokli.A!cl | SHAIFFUL RIDZUAN shaifful.ridzuan@bnsy.com.my | Targets Not Disclosed |

In the above collection, malicious actors use vessel names in an attempt to spoof companies in the maritime supply chain. This week analysts observed a wide variety of maritime-related subject lines. New vessel names used this week include “MT Pavino” and “MV GOLDEN PEARL”, among others.

Analysts observed subject line “M/V Ocean Adventure – Fittings for Rescue Boat Repair” being used in a malicious email this week.  The malware contained in this email is one of the most common pieces of malware observed by analysts across all industries.

The email sender is listed as “li <beast3x@eliteomar.com>”. The sending address does not appear to be registered to any legitimate company, and the domain (eliteomar[.]com) is listed on a defacement archive indicating that the web host was compromised by an Indonesian hacking team, “Indonesian Cyber Jawa”. The email signature gives the sender’s name as “Kelvin Li” and lists two maritime companies, ATN Marine and Trading Co., LTD and ARC Marine Services Co., LTD. Notably, the mailing address in the signature is not registered to either company. A more plausible address, li@atn.com.cn, is also listed in the signature, so it is unclear why this user would send from the “beast3x@eliteomar.com” address; a sending address that does not match the signature is itself a strong indicator that the message should be treated as suspect.

The targeted recipient of this email is an International Technical Marine Sales agent for Fuji Trading (Marine) B.V., which describes itself as a “world leader in marine supply” and is located in the Netherlands.[1] There is no clear connection between Fuji Trading (Marine) B.V. and ATN or ARC Marine. The recipient’s email address does not appear to be listed publicly anywhere online, which suggests the attacker obtained it from a prior compromise or a purchased contact list rather than from open sources.
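The two checks that drive this report, the MV/MT keyword query on subject lines described at the top of the page and the comparison of a sender’s display name against the address the mail actually comes from (the “Maersk Notification service@maerskline.com” and “li <beast3x@eliteomar.com>” cases above), can be automated at the mail gateway. The script below is an added example written for this page, not Red Sky Alliance or Dryad tooling. The sample messages are constructed from rows of the indicator table (bodies are invented), and the blocklist of sending domains is a hypothetical stand-in for the Maritime Blacklist feed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Subject-line lure: MV / MT and the M/V, M.V., MV. variants in the table above,
# followed by a capitalised vessel name (captured as group 1).
VESSEL_LURE = re.compile(
    r"\b(?:M\.?V\.?|M/V|M\.?T\.?|M/T)\s+([A-Z][\w.]*(?:\s+[A-Z][\w.]*)*)"
)

# Address-like tokens inside a display name, e.g. "Maersk Notification service@maerskline.com".
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Hypothetical blocklist seeded from sending domains in the table above; a real
# deployment would load the Maritime Blacklist feed instead.
BLOCKED_DOMAINS = {"eliteomar.com", "tammynpeterson.us", "3cabc1a5e50699.com", "hoscoagency.com"}


def triage(raw_message: str) -> dict:
    """Return the decoded subject, the real sender and a list of findings (empty if clean)."""
    msg = message_from_string(raw_message)
    # Decode RFC 2047 encoded words and collapse header folding into single spaces,
    # so a subject folded across lines (as in the table) still matches.
    subject = " ".join(str(make_header(decode_header(msg.get("Subject", "")))).split())
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rpartition("@")[2]
    findings = []

    lure = VESSEL_LURE.search(subject)
    if lure:
        findings.append(f"vessel-name lure in subject: {lure.group(1)}")

    # Display-name spoofing: an address written into the display name that differs
    # from the address the mail actually comes from.
    claimed = {a.lower() for a in ADDR_IN_TEXT.findall(display_name)}
    if claimed and sender not in claimed:
        findings.append(f"display name claims {', '.join(sorted(claimed))} but sender is {sender}")

    if sender_domain in BLOCKED_DOMAINS:
        findings.append(f"sender domain {sender_domain} is blocklisted")

    return {"subject": subject, "sender": sender, "findings": findings}


# Constructed messages based on rows of the indicator table; bodies are not real.
SAMPLES = [
    "From: \"Maersk Notification service@maerskline.com\" <waino@tammynpeterson.us>\n"
    "To: ops@example.invalid\n"
    "Subject: Your Shipment has arrived - Maersk\n"
    "\n"
    "See attached.\n",
    "From: li <beast3x@eliteomar.com>\n"
    "To: ops@example.invalid\n"
    "Subject: M/V Ocean Adventure - Fittings for Rescue Boat Repair\n"
    "\n"
    "Please quote for the attached.\n",
    "From: \"Platinum Marine Bunker Co. Ltd.\" <caf9@3cabc1a5e50699.com>\n"
    "To: ops@example.invalid\n"
    "Subject: RE: MT OCEAN CHEMIST / V.2004B / DUE SINGAPORE OR TANGJUNG PELEPAS,\n"
    " MALAYSIA FOR LOADING - AGENT APPOINTMENT\n"
    "\n"
    "Kindly appoint us as agent.\n",
    # A benign message for contrast.
    "From: Port Agent <agent@example.invalid>\n"
    "To: ops@example.invalid\n"
    "Subject: Berth schedule for next week\n"
    "\n"
    "Schedule attached.\n",
]


def run_samples() -> list:
    return [triage(raw) for raw in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        verdict = "SUSPECT" if result["findings"] else "clean"
        print(f"{verdict:8} {result['sender']:32} {result['subject']}")
        for f in result["findings"]:
            print(f"         - {f}")
```

The display-name check is the one worth keeping even without a blocklist: a legitimate Maersk notification never needs to write an address into the display name, and the mismatch is visible in the headers regardless of how convincing the body is.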

The malware in this email is contained in a malicious .doc attachment titled “103 SWIFT 13-05-20.doc”. Opening it triggers the exploit detected as HEUR:Exploit.MSOffice.Generic.[2] That name is a heuristic detection rather than a malware family; in this case it corresponds to a document exploiting the Microsoft Office Equation Editor memory corruption vulnerability CVE-2017-11882, which often downloads a malicious file disguised as an audio driver (%Application Data%\audiodrvrdll.exe).[3] Microsoft patched CVE-2017-11882 in November 2017 and removed the Equation Editor component from Office in January 2018, so a fully patched Office installation is not affected; confirming that patch level on vessel and shore workstations is a concrete mitigation against this lure.

Analysts observed another malicious email carrying the subject line seen last week, “Amended P.O 28602 / Hebei Ocean”. The email was sent from “Hebei Ocean Shipping Agency Ltd. <agencqhd@hoscoagency.com>”.

The sending address uses the domain hoscoagency.com, which appears to be registered to Hebei Ocean Shipping Agency. As there is no company website, analysts are unable to verify the legitimacy of the sending domain and have low confidence that it is in fact owned by the shipping agency. The sending address was associated with a separate malicious email posted on a spam-email website and does not appear to be a deliverable address.[4]

The targets were not disclosed in this email, which makes it difficult to conclude the attackers’ intentions, but the malicious file attachment “PURCHASE ORDER 28602.gz” contains HEUR:Backdoor.Win32.Androm.gen.[5] This is backdoor malware that makes registry and file changes to gain a foothold on the victim’s device. Kaspersky claims that approximately 25% of this malware’s victims are in either Germany or Russia.
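Both attachments analysed above can be caught by a static check before any user opens them: the .doc (“103 SWIFT 13-05-20.doc”) is an OLE compound document that must embed an Equation Editor object to exploit CVE-2017-11882, and the .gz (“PURCHASE ORDER 28602.gz”) is an archive wrapped around a Windows executable, which no purchase order ever is. The inspector below is an added example for this page, not code from Dryad, Red Sky Alliance or the referenced vendors. It looks for the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} and the “Equation.3” class name in OLE and RTF files, and for a PE header inside a gzip member. The test files are constructed stand-ins (real magic bytes and markers, not real documents or malware).

```python
import gzip
import re
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary: legacy .doc/.xls/.ppt
RTF_MAGIC = b"{\\rtf"
GZIP_MAGIC = b"\x1f\x8b"
# CLSID {0002CE02-0000-0000-C000-000000000046} of Equation Editor 3.0 (EQNEDT32.EXE),
# the component abused by CVE-2017-11882, in the little-endian layout OLE stores it in.
EQNEDT_CLSID = bytes.fromhex("02ce0200" "0000" "0000" "c000000000000046")
EQUATION_MARKERS = (b"Equation.3", b"Equation.2", EQNEDT_CLSID)
EQNEDT_FINDING = "embeds an Equation Editor object (CVE-2017-11882 delivery vector)"
LEGACY_OFFICE_EXT = (".doc", ".rtf", ".xls")


def inspect_attachment(filename: str, data: bytes) -> list:
    """Static triage of one attachment; returns a list of findings (empty means nothing seen)."""
    findings = []

    if data.startswith(GZIP_MAGIC):
        findings.append("gzip archive")
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError
            findings.append("gzip member is corrupt or truncated")
        else:
            if inner.startswith(b"MZ"):
                findings.append("gzip member is a Windows PE executable")

    if data.startswith(OLE_MAGIC):
        findings.append("OLE compound document")
        if any(marker in data for marker in EQUATION_MARKERS):
            findings.append(EQNEDT_FINDING)
    elif data.startswith(RTF_MAGIC):
        findings.append("RTF document")
        # RTF carries the class name in \objclass and the CLSID hex-encoded inside \objdata.
        if re.search(rb"\\objclass\s*Equation", data) or EQNEDT_CLSID.hex().encode() in data.lower():
            findings.append(EQNEDT_FINDING)
    elif filename.lower().endswith(LEGACY_OFFICE_EXT):
        findings.append("extension claims a legacy Office file but the header does not match")

    return findings


# Constructed stand-ins: correct magic bytes and markers, but not real Word/RTF files.
def constructed_doc_with_equation() -> bytes:
    return OLE_MAGIC + b"\x00" * 504 + b"Equation.3\x00" + EQNEDT_CLSID + b"\x00" * 64


def constructed_rtf_with_equation() -> bytes:
    return b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 01050000}}}"


def constructed_gz_with_exe() -> bytes:
    return gzip.compress(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")


if __name__ == "__main__":
    for name, blob in [
        ("103 SWIFT 13-05-20.doc", constructed_doc_with_equation()),
        ("PURCHASE ORDER 28602.gz", constructed_gz_with_exe()),
        ("quote.rtf", constructed_rtf_with_equation()),
        ("notice.txt", b"plain text"),
    ]:
        print(name, "->", inspect_attachment(name, blob) or ["no findings"])
```

Presence of an Equation Editor object is a reason to quarantine and detonate, not a verdict on its own, since genuine engineering documents may contain equations; on a patched Office estate the object is inert either way. For production use, the open-source oletools package (oleobj, rtfobj) does this parsing properly, including the obfuscated RTF variants this one-pass scan would miss.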

These analytical results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

[1] https://fujitrading.nl/about-us/

[2] https://www.virustotal.com/gui/file/c94e3e1dbe7a6f889a1b0194af37b10d7e164cf6262ba0030c2a7422d46f4573/detection

[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_cve201711882.uhaobgx

[4] https://brendinghat.com/2020/04/21/account-rererepayment-advise-103-tt-usd-8145-2/

[5] Kaspersky detection name “HEUR:Backdoor.Win32.Androm.gen”

Our Experts Say

Dryad Assessment


Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first line of defence by preventing deceptive messages from ever reaching staff inboxes, but malicious actors develop new techniques to evade current detection daily. Pre-emptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and the Maritime Blacklists offers a proactive complement to that protection. Recent studies suggest cyber criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.



Weekly Maritime Watchlist

Top 5 Malicious Maritime Subject Lines

| Subject Line Used | Email Sender Using Subject Line | Times Seen |
|---|---|---|
| Re: MT Pavino / Load Port PD/A Crude Benzene + Bunker Request | Sun Xu Qing sxq@ismships.com | 16 |
| Your Shipment has arrived - Maersk | "Maersk Notification service@maerskline.com" waino@tammynpeterson.us | 7 |
| RE: MT OCEAN CHEMIST / V.2004B / DUE SINGAPORE OR TANGJUNG PELEPAS, MALAYSIA FOR LOADING - AGENT APPOINTMENT | "Platinum Marine Bunker Co. Ltd." caf9@3cabc1a5e50699.com | 6 |
| Amended P.O 28602 / Hebei Ocean | "Hebei Ocean Shipping Agency Ltd." agencqhd@hoscoagency.com | 5 |
| FW: Damaged Cargo: MV. SEASPAN CHIWAN - BL. LHV2217356 (IV35) / IVORY | JLB MARSEILLE marseille@jlbexpertises.com | 5 |

The more convincing an email appears, the greater the chance employees will fall for it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element and organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use a separate, direct channel (a phone number already on file, not one taken from the email) to verify unexpected emails and supply chain email communication, especially requests that change payment or delivery details.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber attacks from identified malicious actors.
