The case for pre-emptive defence
Vessel Impersonation Report
Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Tactical Cyber Intelligence Reporting
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| May 4, 2020 | Arrival Notice of B/L#MEDUMH151885 on Maersk received | JS/Phish.AB38!tr | "Maersk Line" [email protected] | [email protected] |
| May 5, 2020 | DHL PRE-ALERT NOTIFICATION: IDN-H-MOH // CIP-OCEAN | W32/Injector.ELTM!tr | [email protected] | Received [email protected] |
| May 6, 2020 | // SHIPMENT ADVISE // SEA SHIPMENT/28CTNS HB/L # DAC0024943 COB: 06-MAY-2020 | Trojan:Win32/Wacatac.C!ml | Yusen Logistics Group Ltd [email protected] | [email protected] |
| May 7, 2020 | PROFORMA REQUEST / MV SEA CHAMPION / Voy: 14508 / | HEUR:Exploit.MSOffice.Generic | "Dadaylilar Shipping Group" [email protected] | [email protected] |
| May 8, 2020 | RE: MV TBN T e-PDA | TrojanSpy:Win32/Swotter.A!bit | Patty Chao [email protected] | [email protected] |
| May 8, 2020 | PDA REQUEST LINER IN BASIS - MV COCO GYUN - LOADING | Exploit:O97M/CVE-2017-11882.ARJ!MTB | "Cunda Shipping Ltd" [email protected] | [email protected] |
| May 9, 2020 | RE: HBL with vessel details | Trojan:Win32/Wacatac.D!ml | [email protected] | [email protected] |
| May 9, 2020 | VSL: ABALONE, QUOTATION: ABL-S205044A, VENDOR: JONGHAP MARITIME INC | Exploit:O97M/CVE-2017-11882.ARJ!MTB | "Shenzhen Cloud Sailing Co., Ltd"[email protected] | [email protected] |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows trojan malware. Some of the new vessel names used this week include “MV COCO GYUN” and “MV SEA CHAMPION” again this week, among others.
Analysts observed another malicious email containing the subject line used last week, “VSL: ABALONE, QUOTATION: ABL-S205044A, VENDOR: JONGHAP MARITIME INC.” The email was sent from a “sales” email belonging to Shenzhen Cloud Sailing Company out of China. Notably the reply-to email address was one different from the sender and in this case was a Gmail account ([email protected]).
The target of this email was an email address belonging to GICOM, a Dutch computing systems company. The email address that was targeted in this case was publicly available on their “Contact Us” page. There is no clear connection between GICOM, and the vessel mentioned in the email – MV Abalone.
The malicious email attachment was an .xlsm file which is an Excel file with macros enabled. This is a common filetype sent by attackers. The filename appears to be the same as the requisition number mentioned in the email text. It contains Exploit:O97M/CVE-2017-11882.ARJ!MTB[1].
CVE-2017-11882 is a remote code execution vulnerability which exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run code as the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, further emphasizing the implementation of the zero-trust principle.[2]
In a separate malicious email, with subject line “RE: MV TBN T e-PDA” analysts observed attackers impersonating someone named ‘Patty Chao’ at Conveyor, a Taiwanese shipping logistics company. The name associated with the email address is Patty “Chao,” however, the email address is “patty.choa.” Notice the difference in the spelling of the last name.
Again here, we see a generic greeting “Dear sirs,” which is commonly used by attackers as templates for other malicious email campaigns. Because there is nothing about a specific ship/company in the message body, it could easily be copied for use in other emails. The email sender also provides a different email in the email signature ([email protected]) than that listed as the sender address ([email protected]).
The email attachment references a ship that is still to be named (MV TBN) which means the attachment can be reused in other malicious emails as well. The attached file is a .arj file which is an old archived file. The filename includes the phrase “Docx” to trick the target into thinking they are opening a .docx Word file.
What’s actually being activated is the backdoor trojan identified as TrojanSpy:Win32/Swotter.A!bit malware[1]. This malware first creates a 7zip process to unzip the .arj file. Once the archived file is unzipped the “mv tbn spec-vsl particular.exe” process is created, and the malware continues to infect the device.
The targeted email address does not appear to be a public email and is not listed anywhere on the company’s website. It does not appear to be addressed to any one employee but is possibly a group/department email address. There is no additional context provided for the recipient at this time.
[1]https://www.virustotal.com/gui/file/dbadaf1b1b6d1ec6e6603964f5d3db2c68866e8c745e6507950221a13fc781da/detection
[1] https://www.virustotal.com/gui/file/9585a1ba35d7ddeed73bb36b927a7e7b0a4bf3ff57495b8fa611bb01a22fdfef
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
Our Experts Say
Dryad Assessment
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Pre-empt, don’t just defend
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Weekly Maritime Watchlist
Top 5 Malicious Maritime Subject Lines
| Sender | Malware Sent |
|---|---|
| [email protected] | Exploit:O97M/CVE-2017-11882.ARJ!MTB |
| [email protected] | Probably Heur.HTMLUnescape |
| [email protected] | Trojan:Script/Wacatac.C!ml |
| [email protected] | Trojan:Win32/Occamy.C |
| [email protected] | Trojan:Win32/Wacatac.C!ml |
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.
