vessel impersonation - Transportation - Red Sky Alliance (feed updated 2024-03-29T09:37:54Z): https://redskyalliance.org/transportation/feed/tag/vessel+impersonation
Vessel Impersonation and Supply Chain Report / March 2024
https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-march-2024
Published 2024-03-20T21:22:31.000Z by JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p><a href="{{#staticFileLink}}12057871866,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057871866,RESIZE_400x{{/staticFileLink}}" width="250" alt="12057871866?profile=RESIZE_400x" /></a>Each month, Red Sky Alliance queries our backend databases to identify all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with MV or MT in the subject line as a lure to entice users in the maritime industry into opening emails that carry malicious attachments. Red Sky Alliance is providing this list of Motor Vessels that we directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, their parent companies, ports and the entire Transportation Supply Chain. Specific vessel names or key words in the transportation supply chain can be queried using our two services and tools. <a href="{{#staticFileLink}}12402921857,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}12057739499,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057739499,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057739499?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12402921654,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12402921654,RESIZE_710x{{/staticFileLink}}" width="600" alt="12402921654?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12402921292,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12402921292,RESIZE_710x{{/staticFileLink}}" width="600" alt="12402921292?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Figure 2. Map displaying location of victim domains</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12402921689,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12402921689,RESIZE_710x{{/staticFileLink}}" width="600" alt="12402921689?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12296665265,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296665265,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296665265?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Common Transportation Attack Chain Overview</p>
<p><a href="{{#staticFileLink}}12402921258,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12402921258,RESIZE_710x{{/staticFileLink}}" width="600" alt="12402921258?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12402921266,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong><u>Analysis</u></strong></p>
<p>Five prevalent subject lines seen in our recent query are as follows:</p>
<ul>
<li>[***SPAM*** Score/Req: 07.6/5.0] SG9-DA-V2402-01: MT SEA GULL 9 V2402</li>
<li>[***SPAM*** Score/Req: 09.1/5.0] ROQ // NYMPH THETIS V2402B - PORT</li>
<li>SG9-DA-V2402-01: MT SEA GULL 9 V2402 CALL DUMAI, INDONESIA FORLOADING 10300MT CPO// Local agent</li>
<li>ROQ // NYMPH THETIS V2402B - PORT KLANG / BENZENE LOADING</li>
<li>URGENT MT TBA / Load 10kt crude at Pasir Gudang / Star Marine Services Ltd</li>
</ul>
<p><a href="{{#staticFileLink}}12402920486,RESIZE_930x{{/staticFileLink}}"><img class="align-left" style="padding:10px;" src="{{#staticFileLink}}12402920486,RESIZE_400x{{/staticFileLink}}" width="400" alt="12402920486?profile=RESIZE_400x" /></a></p>
<p>Several themes are generally represented by the subject lines seen; in this month’s query we see primarily load notifications. These emails use common industry terminology to establish credibility, and that credibility makes for a solid lure. In terms of the sending addresses themselves, we see impersonations of companies in many industries. In our most recent query, we saw Indian and Iranian shipping agencies, a carburetor restoration shop, a Greek food technology consulting group, and a medical supply company in Kuwait.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels we have seen being impersonated by these emails in recent weeks include the following:</p>
<ul>
<li>Nymph Thetis (pictured above), which is a chemical tanker currently en route to Port Klang, Malaysia and is sailing under the flag of Liberia.</li>
<li>Sea Gull 9, which is another chemical tanker currently en route to Padang, Indonesia and is sailing under the flag of Belize.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little additional effort and lends the lure added credibility.</p>
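<p>As an added example (not code from the report or from Red Sky Alliance), the following Python script reproduces the subject-line query described at the top of the report over a handful of constructed inputs: it strips mail-gateway tags, extracts the vessel name and voyage code from MV/MT lures, checks the name against the vessels listed above, tags "TBA" placeholders, and otherwise falls back to the supply chain vocabulary used later in the report. The regular expressions, the keyword list, the "TBN" placeholder, the two invented subject lines and the category names are this example's assumptions.</p>

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Leading tags added by mail gateways, e.g. "[***SPAM*** Score/Req: 07.6/5.0]" or
# "[External Mail]"; they are stripped so the classifier sees only the lure text.
GATEWAY_TAG = re.compile(r"^\s*\[[^\]]*\]\s*")

# "MV"/"MT" followed by a vessel name. The name ends at a voyage code (V2402,
# V2402B), at a separator preceded by whitespace (" / ", " - ", " | "), at a
# comma/colon/semicolon, or at the end of the subject. Hyphens inside a name stay.
VESSEL_LURE = re.compile(
    r"\b(?P<prefix>M[VT])\s+(?P<name>[A-Z0-9][A-Z0-9 .'\-]*?)"
    r"(?=\s+V\d{3,}[A-Z]?\b|\s+[-/|]|\s*[,:;]|\s*$)",
    re.IGNORECASE,
)
VOYAGE = re.compile(r"\bV(\d{4}[A-Z]?)\b", re.IGNORECASE)

# Vessels the report observed being impersonated (names taken from the report).
IMPERSONATED_VESSELS = ("NYMPH THETIS", "SEA GULL 9", "EFENDI BABA", "FENG DE HAI")

# Subject-line vocabulary of the wider supply chain lures described in the report
# (assumed list, built from the subject lines quoted on the page).
SUPPLY_CHAIN_KEYWORDS = (
    "invoice", "purchase order", "shipment", "parcel", "bill of lading", "b/l",
    "agency appointment", "pda request", "rfq", "container",
)

# "TBA" appears in the report's own subject lines; "TBN" (to be nominated) is the
# other common placeholder used when no real vessel is named (assumption).
PLACEHOLDER_NAMES = {"TBA", "TBN"}


@dataclass
class Triage:
    subject: str
    category: str = "unclassified"   # "vessel_lure", "supply_chain" or "unclassified"
    vessel: Optional[str] = None
    voyage: Optional[str] = None
    watchlist_hit: bool = False
    placeholder_vessel: bool = False
    keywords: List[str] = field(default_factory=list)


def strip_gateway_tags(subject: str) -> str:
    """Drop leading bracketed gateway tags; loops because gateways may stack them."""
    previous = None
    while previous != subject:
        previous, subject = subject, GATEWAY_TAG.sub("", subject, count=1)
    return subject.strip()


def triage_subject(subject: str) -> Triage:
    """Classify one subject line the way the report's MV/MT query does, plus a
    watchlist check for impersonated vessels and the supply chain vocabulary."""
    cleaned = strip_gateway_tags(subject)
    upper, lower = cleaned.upper(), cleaned.lower()
    result = Triage(subject=subject)

    lure = VESSEL_LURE.search(cleaned)
    if lure:
        # Collapse internal whitespace so "SEA  GULL 9" and "SEA GULL 9" compare equal.
        result.vessel = " ".join(lure.group("name").upper().split())
        result.placeholder_vessel = result.vessel in PLACEHOLDER_NAMES

    hits = [name for name in IMPERSONATED_VESSELS if name in upper]
    if hits:
        result.watchlist_hit = True
        # A watchlisted name without an MV/MT prefix still counts as a vessel lure.
        result.vessel = result.vessel or hits[0]

    voyage = VOYAGE.search(cleaned)
    if voyage:
        result.voyage = voyage.group(1).upper()

    result.keywords = [kw for kw in SUPPLY_CHAIN_KEYWORDS if kw in lower]

    if result.vessel:
        result.category = "vessel_lure"
    elif result.keywords:
        result.category = "supply_chain"
    return result


def summarize(subjects) -> Counter:
    """Category counts over a batch: the per-month tally the report presents."""
    return Counter(triage_subject(s).category for s in subjects)


# Constructed batch: six subject lines quoted in the report plus two invented ones.
SAMPLE_SUBJECTS = [
    "[***SPAM*** Score/Req: 07.6/5.0] SG9-DA-V2402-01: MT SEA GULL 9 V2402",
    "[***SPAM*** Score/Req: 09.1/5.0] ROQ // NYMPH THETIS V2402B - PORT",
    "URGENT MT TBA / Load 10kt crude at Pasir Gudang / Star Marine Services Ltd",
    "DHL SHIPMENT ARRIVAL PARCEL NO: 116466788",
    "Maersk : Arrival Notice ready for Bill of Lading 209530072.",
    "[External Mail] AGENCY APPOINTMENT // PDA REQUEST",
    "RE: MV FENG DE HAI - ETA GIBRALTAR 14 MAR",   # invented
    "Crew list update for tomorrow",               # invented, benign
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        t = triage_subject(s)
        print(f"{t.category:<13} vessel={t.vessel!r:<16} voyage={t.voyage!r:<8} "
              f"watchlist={t.watchlist_hit} placeholder={t.placeholder_vessel} kw={t.keywords}")
    print(dict(summarize(SAMPLE_SUBJECTS)))
```

<p>Run as a script it prints one triage line per subject and the category tally. The watchlist is only as good as its last refresh, which is the point of the monthly list above: names such as TBA and voyage codes change from campaign to campaign, so the prefix and keyword rules catch new lures while the watchlist confirms the ones already seen.</p>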
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Zmutzy.1081 - ALYac</li>
<li>MSIL/Kryptik.AKKQ - ESET-NOD32</li>
<li>Win32:CrypterX-gen [Trj] – Avast</li>
<li>GenericKDZ.103962 – BitDefender</li>
<li>Html.Iframe.udgq - NANO-Antivirus</li>
</ul>
<p>Many of these detections, such as Trojan.Zmutzy or Trojan.GenericKDZ, are generic trojan signatures: the underlying malware could be deployed for a variety of purposes, such as establishing remote connections to a system or capturing keystrokes. We have seen a consistent level of these trojan variants since 2017. Win32:CrypterX also appears in the supply chain section detailed below; MSIL/Kryptik.AKKQ, which depending on the engine can be the same detection under a different name, is a fairly new detection we have been seeing since December of last year. Exploit.Html.Iframe, a trojan that attempts to exploit iframe tags on web pages, we have been seeing since 2017, with high levels of activity in the first half of 2021.</p>
<p><strong>Vessel Flag of Convenience</strong> – All commercial-size vessels that fall under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) is the system that allows vessel owners to avoid burdensome international legal regulations. Ships registered under this system are not bound by the laws of the countries where they are registered. The top five (5) flag states with the largest number of registered vessels are Panama, Liberia, the Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a></p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>DHL SHIPMENT ARRIVAL PARCEL NO: 116466788</li>
<li>Business Inquiry:RE: RE: Invoice & Signed Contract -NEW ORDER-088408</li>
<li>Outstanding Invoice</li>
<li>DHL SHIPMENT ARRIVAL PARCEL NO: 870466754</li>
<li>Re:Cancelling Purchase Order</li>
</ul>
<p>Much like maritime related emails, we can see several themes emerge in the subject lines of these malicious emails. Most prevalently in the last month, we can see invoice notifications, purchase orders, and shipping document notifications. These emails can also contain impersonations of companies in many industries. In our most recent query, we saw multiple shipping companies, a financial services provider, a Romanian power company, an electronics distributor in Kazakhstan, a German law firm, and a notary firm.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML/Phishing.AHR0!tr – Fortinet</li>
<li>PDF/Phishing.A.Gen - ESET-NOD32</li>
<li>Win32:PWSX-gen [Trj] – Avast</li>
<li>HTML.Doc – Ikarus</li>
<li>Win32:CrypterX -gen [Trj] - Avast</li>
</ul>
<p>As is generally the case with the vaguer supply chain related emails, the detections are primarily phishing related. We have been seeing detections like Phishing.HTML and its numerous variants for over ten years. PDF/Phishing variants appear commonly throughout the year, with spikes generally in the earlier or later months. We have seen a fairly consistent detection rate for Win32:PWSX since 2019, with the heaviest activity in the summer of 2022. A similar pattern holds for Win32:CrypterX variants.</p>
<p><a href="{{#staticFileLink}}12402920858,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12402920858,RESIZE_710x{{/staticFileLink}}" width="600" alt="12402920858?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12402921457,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques daily to evade current detection. This supports our recommendation of daily cyber diligence.</p>
<p>The more convincing an email appears, the greater the chance that employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12057693057,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057693057,RESIZE_400x{{/staticFileLink}}" width="400" alt="12057693057?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice; external threats, however, are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, including those concerning vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings: <strong><u><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></u></strong></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
Vessel Impersonation and Supply Chain Report / February 2024
https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-february-2024
Published 2024-02-21T20:44:56.000Z by JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p><a href="{{#staticFileLink}}12057871866,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057871866,RESIZE_400x{{/staticFileLink}}" width="250" alt="12057871866?profile=RESIZE_400x" /></a>Each month, Red Sky Alliance queries our backend databases to identify all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with MV or MT in the subject line as a lure to entice users in the maritime industry into opening emails that carry malicious attachments. Red Sky Alliance is providing this list of Motor Vessels that we directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, their parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12385861700,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}12057739499,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057739499,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057739499?profile=RESIZE_710x" /></a></p>
<p><a href="{{#staticFileLink}}12385861099,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12385861099,RESIZE_710x{{/staticFileLink}}" width="600" alt="12385861099?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12385861468,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12385861468,RESIZE_710x{{/staticFileLink}}" width="600" alt="12385861468?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Figure 2. Map displaying location of victim domains</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12385861664,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12385861664,RESIZE_710x{{/staticFileLink}}" width="600" alt="12385861664?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12296665265,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296665265,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296665265?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Common Transportation Attack Chain Overview</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12385861071,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12385861071,RESIZE_710x{{/staticFileLink}}" width="600" alt="12385861071?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12385861882,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>Five prevalent subject lines seen in our recent query are as follows:</p>
<ul>
<li>#001TW Purchase Order FG-20220831 for Air & Sea Shipments FOB & CIF</li>
<li>[External Mail] AGENCY APPOINTMENT // PDA REQUEST</li>
<li>RE: Ship date improvement PO 113159</li>
<li>RE: New Order 4x60ft container RFQ</li>
<li>RE: INQUIRY FOR FULL CONTAINER 20FT/40FT//7389927367/UAE</li>
</ul>
<p><a href="{{#staticFileLink}}12385860482,RESIZE_710x{{/staticFileLink}}"><img class="align-left" style="padding:10px;" src="{{#staticFileLink}}12385860482,RESIZE_400x{{/staticFileLink}}" width="400" alt="12385860482?profile=RESIZE_400x" /></a></p>
<p>Several themes are generally represented by the subject lines seen; in this month’s query we see primarily notifications for documents, shipments, and invoices. These emails use common industry terminology to establish credibility, and that credibility makes for a solid lure. In terms of the sending addresses themselves, we see impersonations of companies in many industries. In our most recent query, we saw multiple shipping and logistics companies, an automation manufacturer, a Californian property management company, and a fabrication supply storefront.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels we have seen being impersonated by these emails in recent weeks include the following:</p>
<ul>
<li>Efendi Baba (pictured above), which is a container ship that has not been in service since 2017.</li>
<li>Feng De Hai (pictured below), which is a bulk carrier currently en route to the port of Gibraltar and is sailing under the flag of Hong Kong.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little additional effort and lends the lure added credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Win32.Office_Dl.11024199 – Tencent</li>
<li>Generic.D43ED54B – Arcabit</li>
<li>Outbreak – Ikarus</li>
<li>Troj/Krypt-ABH – Sophos</li>
<li>HEUR:Trojan.Script.Generic - Kaspersky</li>
</ul>
<p>As is generally the case with these emails, the malware detections found belong to families of generic trojans. Trojan.Win32.Office detections are generally associated with malicious Office files carrying exploits intended for remote code execution or information stealing. We have seen these related detections since early 2016, with the heaviest spike of activity in early 2021. The case is similar with the other generic trojans listed, such as the Trojan.Generic variant or Win32.Outbreak. Interestingly, variants of all the detections listed appear to have had higher levels of activity in early to mid 2001.</p>
<p><strong>Vessel Flag of Convenience</strong> – All commercial-size vessels that fall under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) is the system that allows vessel owners to avoid burdensome international legal regulations. Ships registered under this system are not bound by the laws of the countries where they are registered. The top five (5) flag states with the largest number of registered vessels are Panama, Liberia, the Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a></p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>RE: Invoice</li>
<li>PURCHASE ORDER</li>
<li>Proforma Invoice</li>
<li>SWIFT invoice corrections</li>
<li>DHL SHIPMENT ARRIVAL PARCEL NO: 116466788</li>
</ul>
<p><a href="{{#staticFileLink}}12385862256,RESIZE_710x{{/staticFileLink}}"><img class="align-left" style="padding:10px;" src="{{#staticFileLink}}12385862256,RESIZE_400x{{/staticFileLink}}" width="400" alt="12385862256?profile=RESIZE_400x" /></a></p>
<p>Much like maritime related emails, we can see several themes emerge in the subject lines of these malicious emails. Most prevalently in the last month, we can see invoice notifications, purchase orders, and shipping document notifications. These emails can also contain impersonations of companies in many industries. In our most recent query, we saw multiple shipping companies, the city council of Kamianske in Ukraine, a sustainable building material manufacturer, a medical supply and training provider, and an electronics manufacturer.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML/Phish.GLC – Varist</li>
<li>Other:Malware-gen [Trj] – Avast</li>
<li>Outbreak - Ikarus</li>
<li>Ks.Malware.6115 – Kingsoft</li>
<li>Zmutzy.1305 - ALYac</li>
</ul>
<p>In general, malware detections associated with more general supply chain emails often have more of a phishing focus, which we can see from the HTML/Phish detection. We have seen HTML/Phish variant detections since early 2016, though the number of detections has been relatively light since the summer of 2022. The Script.Ks.Malware detection is worthy of note here because these detections have surfaced only in the last few months and are only detected by Kingsoft. In many cases, these detections are false positives.</p>
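<p>The note above that Ks.Malware fires only on Kingsoft and is often a false positive, together with the earlier observation that MSIL/Kryptik and Win32:CrypterX can be the same detection under different engines, suggests a simple consensus check before a detection is acted on. The Python below is an added example, not Red Sky Alliance's tooling: it maps vendor labels (taken from the detection lists on this page) to coarse families and grades each constructed multi-engine scan by how many engines fired and whether they agree. The family rules, the confidence thresholds, the file names and the per-engine results are constructed assumptions.</p>

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Coarse family rules applied to vendor labels; the first match wins, so the more
# specific rules come before the catch-all "generic" rule. The crypter rule mirrors
# the report's note that Kryptik and CrypterX can be one detection under different
# engines; the other groupings are this example's assumptions.
FAMILY_RULES = [
    ("phishing",         re.compile(r"phish", re.I)),
    ("crypter",          re.compile(r"krypt|crypter", re.I)),
    ("password_stealer", re.compile(r"\bpwsx?\b", re.I)),
    ("html_iframe",      re.compile(r"iframe", re.I)),
    ("office_document",  re.compile(r"office", re.I)),
    ("generic_trojan",   re.compile(r"zmutzy|generic|malware-gen|ks\.malware|outbreak", re.I)),
]


def family(label: Optional[str]) -> Optional[str]:
    """Map one engine's label to a coarse family, or None when the engine was clean."""
    if not label:
        return None
    for name, pattern in FAMILY_RULES:
        if pattern.search(label):
            return name
    return "other"


def assess(scan: Dict[str, Optional[str]]) -> dict:
    """Turn a multi-engine scan (engine -> label or None) into an analyst verdict.

    Confidence heuristic (assumption): no hits = clean; one engine = low, treat as a
    possible false positive; two or more engines agreeing on a family = high;
    two or more engines with no family agreement = medium."""
    hits = {engine: label for engine, label in scan.items() if label}
    families = Counter(family(label) for label in hits.values())
    dominant, support = families.most_common(1)[0] if families else (None, 0)
    if not hits:
        confidence = "clean"
    elif len(hits) == 1:
        confidence = "low"
    elif support >= 2:
        confidence = "high"
    else:
        confidence = "medium"
    return {
        "engines_total": len(scan),
        "engines_detecting": len(hits),
        "dominant_family": dominant,
        "family_support": support,
        "confidence": confidence,
        "sole_engine": next(iter(hits)) if len(hits) == 1 else None,
    }


def low_confidence(scans: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Attachments flagged by a single engine only: review before acting on them."""
    return [name for name, scan in scans.items() if assess(scan)["confidence"] == "low"]


# Constructed scan results. Labels are the ones listed in the report; which engine
# fired on which (invented) attachment is made up for the example.
SAMPLE_SCANS = {
    "invoice_088408.html": {
        "Fortinet": "HTML/Phishing.AHR0!tr", "Varist": "HTML/Phish.GLC",
        "Avast": None, "Kaspersky": None, "Kingsoft": None,
    },
    "nymph_thetis_v2402b.exe": {
        "ESET-NOD32": "MSIL/Kryptik.AKKQ", "Avast": "Win32:CrypterX-gen [Trj]",
        "Sophos": "Troj/Krypt-ABH", "BitDefender": "GenericKDZ.103962", "Kingsoft": None,
    },
    "po_113159.xls": {
        "Kingsoft": "Ks.Malware.6115", "Fortinet": None, "ESET-NOD32": None,
        "Avast": None, "Kaspersky": None,
    },
    "crew_list.pdf": {"Fortinet": None, "ESET-NOD32": None, "Avast": None},
}

if __name__ == "__main__":
    for name, scan in SAMPLE_SCANS.items():
        verdict = assess(scan)
        print(f"{name:<26} {verdict['confidence']:<6} "
              f"{verdict['engines_detecting']}/{verdict['engines_total']} engines, "
              f"family={verdict['dominant_family']} (x{verdict['family_support']})")
    print("single-engine only:", low_confidence(SAMPLE_SCANS))
```

<p>The family map is deliberately coarse: vendor suffixes such as AKKQ or 103962 are signature identifiers, not families, so agreement is measured at the family level. A single-engine hit is not dismissed, only downgraded, which is the treatment the Kingsoft-only Ks.Malware detections above call for.</p>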
<p><a href="{{#staticFileLink}}12385860082,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12385860082,RESIZE_710x{{/staticFileLink}}" width="600" alt="12385860082?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12385860101,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques daily to evade current detection. This supports our recommendation of daily cyber diligence.</p>
<p>The more convincing an email appears, the greater the chance that employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12057693057,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057693057,RESIZE_400x{{/staticFileLink}}" width="400" alt="12057693057?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice; external threats, however, are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, including those concerning vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings: <strong><u><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></u></strong></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
Vessel Impersonation and Supply Chain Report / January 2024
https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-january-2024
Published 2024-01-22T21:39:46.000Z by JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p><a href="{{#staticFileLink}}12057871866,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057871866,RESIZE_400x{{/staticFileLink}}" width="250" alt="12057871866?profile=RESIZE_400x" /></a></p>
<p>Each month, Red Sky Alliance queries our backend databases to identify all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with MV or MT in the subject line as a lure to entice users in the maritime industry into opening emails that carry malicious attachments. Red Sky Alliance is providing this list of Motor Vessels that we directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, their parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12364603685,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}12057739499,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057739499,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057739499?profile=RESIZE_710x" /></a></p>
<p><a href="{{#staticFileLink}}12364603064,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12364603064,RESIZE_710x{{/staticFileLink}}" width="600" alt="12364603064?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12364603262,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12364603262,RESIZE_710x{{/staticFileLink}}" width="600" alt="12364603262?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Figure 2. Map displaying location of victim domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12364603281,RESIZE_710x{{/staticFileLink}}"><img src="{{#staticFileLink}}12364603281,RESIZE_710x{{/staticFileLink}}" width="600" alt="12364603281?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12296665265,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296665265,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296665265?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Common Transportation Attack Chain Overview</p>
<p><a href="{{#staticFileLink}}12364602267,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12364602267,RESIZE_710x{{/staticFileLink}}" width="600" alt="12364602267?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12364602472,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>Maersk : Arrival Notice ready for Bill of Lading 209530072.</li>
<li>[External Mail] AGENCY APPOINTMENT // PDA REQUEST</li>
<li>Maersk Line: B/L DRAFT & P/L & Invoice</li>
<li>Material For shipment / Maersk-Line-Logistic</li>
<li>B/L-DOCUMENT FROM MAERSK-LINE LOGISTICS</li>
</ul>
<p><a href="{{#staticFileLink}}12364602053,RESIZE_710x{{/staticFileLink}}"><img class="align-left" style="padding:10px;" src="{{#staticFileLink}}12364602053,RESIZE_400x{{/staticFileLink}}" width="400" alt="12364602053?profile=RESIZE_400x" /></a>Several themes are represented by the subject lines seen. Specifically, in this month’s query we see primarily notifications for documents, shipments, and invoices. These emails use common industry terminology to establish credibility, and that credibility makes for a solid lure. In terms of the sending addresses themselves, we see impersonations of companies in many industries. In our most recent query, we saw an Italian bakery equipment manufacturer, a behavioral health assessment company in Rhode Island, multiple shipping companies, a Chinese logistics brokerage, and a Chinese email provider.</p>
<p>In addition to impersonating these companies and various types of communication, these emails also impersonate specific vessels. Some of the vessels we have seen impersonated by these emails in recent weeks include the following:</p>
<ul>
<li>Cosco Shipping Alps (pictured above), which is a cargo ship currently en route to Kaohsiung, Taiwan and is sailing under the flag of Hong Kong.</li>
<li>TOI Challenger (pictured below), which is a general cargo ship currently located in Bari, Italy and is sailing under the flag of Liberia.</li>
</ul>
<p>As one might expect, fabricating a vessel name is easy, but using a real ship’s name takes little more effort and lends the email added credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Ks.Malware.249 – Kingsoft</li>
<li>JS/Cryxos.8405!tr – Fortinet</li>
<li>UDS:DangerousObject.Multi.Generic – Kaspersky</li>
<li>Trojan:MSIL/SnakeKeyLogger.RDAN!MTB – Microsoft</li>
<li>EML/Phishing.3FC3!tr - Fortinet</li>
</ul>
<p>We have been seeing Script.Ks.Malware detections since April of this year. As we have previously mentioned, this detection warrants further investigation, since it is often a false positive from Kingsoft. We have seen JS/Cryxos detections since early 2020, with the highest detection numbers occurring in April of 2021. We have seen UDS:DangerousObject.Multi detections off and on since 2018, and more consistently throughout 2022; this detection has been reported as a false positive in some cases and can be associated with games that use code injection techniques. Trojan:MSIL/SnakeKeyLogger, as the name implies, is a keylogger that is typically spread via phishing; we have seen this detection since early 2021, with the heaviest rate of detection occurring in March of 2021. EML/Phishing is a fairly recent detection that we have only been seeing since September of last year.</p>
<p><strong>Vessel Flag of Convenience</strong> – All vessels of shipping size that fall under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) system allows vessel owners to avoid burdensome international legal regulations: ships registered under this system are not connected to the laws of the countries where they are registered. The top five (5) flag states with the largest number of registered vessels are Panama, Liberia, the Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a></p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>FW: Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List</li>
<li>PLEASE FIND THE ATTACHED PURCHASE ORDER URGENTLY NEEDED.</li>
<li>Al Rouba Purchase Order MO2101358-2022.</li>
<li>DHL AWB Arrival Notice #91773.</li>
<li>Fwd: Re: PO Invoice XJ210821Q PR 45258</li>
</ul>
<p><a href="{{#staticFileLink}}12364602066,RESIZE_710x{{/staticFileLink}}"><img class="align-left" style="padding:10px;" src="{{#staticFileLink}}12364602066,RESIZE_400x{{/staticFileLink}}" width="400" alt="12364602066?profile=RESIZE_400x" /></a></p>
<p>Much like maritime related emails, we can see several themes emerge in the subject lines of these malicious emails. Most prevalently in the last month, we can see invoice notifications, purchase orders, and shipping document notifications. These emails can also contain impersonations of companies in many industries. In our most recent query, we saw a Saudi Arabian catering company, multiple shipping companies, a cyber security consulting agency, a Malaysian metal forger, and an Asian electronics manufacturer.</p>
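<p>Both queries described in this report, the monthly MV/MT search of subject lines and the broader supply-chain keyword search, can be reproduced as a triage pass over email subjects. The block below is an added example, not Red Sky Alliance code: the vessel-prefix regex, the vessel watch list, the theme keywords and the carrier list are assumptions built from the subject lines and vessel names printed above, and the sample subjects marked constructed are invented for the example.</p>

```python
"""Subject-line triage for the maritime and supply-chain lure themes the
report describes. Added example, not Red Sky Alliance code: the regexes,
the vessel watch list and the carrier list are assumptions built from the
subject lines and vessel names printed in the report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "MV Name", "M/V Name", "MT Name", "M/T Name", "VSL: Name". The name runs to
# the next punctuation delimiter or end of line, so this is a heuristic: bare
# "MT" can also mean metric tons, and a name followed by plain words will
# over-capture. Hits are candidates for analyst review, not verdicts.
VESSEL_REF_RE = re.compile(
    r"\b(?:M/?[VT]|VSL)\b\s*[:.-]?\s*([A-Z0-9][A-Za-z0-9 .']*?)\s*(?=[,/|;:()\[\]-]|$)",
    re.IGNORECASE,
)

# Real vessels the report saw impersonated; a deployment would feed this
# from its own fleet and counterparty lists.
VESSEL_WATCHLIST = (
    "Cosco Shipping Alps", "TOI Challenger", "Loire River", "Xin Hai Tong 22",
    "Star Trader", "Kharis Pegasus", "Baoshan Hope", "Sun Grace", "Good Luck I",
)

# Document themes the Analysis sections call out, as regexes over the subject.
THEME_PATTERNS = {
    "bill_of_lading": (r"\bb/l\b", r"\bbill of lading\b", r"\bbl\b"),
    "invoice": (r"\binv(?:oice)?\b",),
    "purchase_order": (r"\bpurchase order\b", r"\bpo\b", r"\border\b"),
    "arrival_notice": (r"\barrival notice\b", r"\bpre-alert\b", r"\bawb\b"),
    "shipping_docs": (r"\bshipping (?:documents?|line)\b", r"\bpacking list\b",
                      r"\bp/l\b", r"\bshipment\b", r"\bshpt\b", r"\bcargo\b"),
    "agency": (r"\bagency appointment\b", r"\bpda\b"),
}

# Carriers named in the report's subject lines (impersonated senders).
CARRIER_NAMES = ("maersk", "dhl", "cma")


@dataclass
class Triage:
    subject: str
    vessel: str | None = None          # extracted or watch-listed vessel name
    themes: list[str] = field(default_factory=list)
    carriers: list[str] = field(default_factory=list)

    @property
    def priority(self) -> str:
        """'vessel' = the report's MV/MT query would catch it; 'themed' =
        document or carrier lure without a vessel; 'none' = no indicator."""
        if self.vessel:
            return "vessel"
        if self.themes or self.carriers:
            return "themed"
        return "none"


def _word_match(name: str, text: str) -> bool:
    return re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE) is not None


def triage_subject(subject: str) -> Triage:
    """Classify one subject line against the vessel, theme and carrier checks."""
    result = Triage(subject=subject)
    m = VESSEL_REF_RE.search(subject)
    if m:
        result.vessel = m.group(1).strip()
    else:
        result.vessel = next((n for n in VESSEL_WATCHLIST if _word_match(n, subject)), None)
    for theme, patterns in THEME_PATTERNS.items():
        if any(re.search(p, subject, re.IGNORECASE) for p in patterns):
            result.themes.append(theme)
    result.carriers = [c for c in CARRIER_NAMES if _word_match(c, subject)]
    return result


def vessel_query(subjects: list[str]) -> list[Triage]:
    """The report's monthly MV/MT query: subjects that reference a vessel."""
    return [t for t in map(triage_subject, subjects) if t.vessel]


def supply_chain_query(subjects: list[str]) -> list[Triage]:
    """The broader supply-chain keyword query, most theme-heavy lures first."""
    hits = [t for t in map(triage_subject, subjects) if t.priority != "none"]
    return sorted(hits, key=lambda t: -len(t.themes))


# Subject lines from the report's top-five lists, plus three constructed ones.
SAMPLE_SUBJECTS = [
    "Maersk : Arrival Notice ready for Bill of Lading 209530072.",
    "[External Mail] AGENCY APPOINTMENT // PDA REQUEST",
    "Maersk Line: B/L DRAFT & P/L & Invoice",
    "VSL: VM Accord, ORDER: TKHA-A88160011B",
    "DHL AWB Arrival Notice #91773.",
    "Fwd: Re: PO Invoice XJ210821Q PR 45258",
    "MV Cosco Shipping Alps - Shipping Documents / Original BL",  # constructed
    "M/T Loire River: Invoice & Packing List",                    # constructed
    "Team lunch on Friday",                                       # constructed
]

if __name__ == "__main__":
    for t in supply_chain_query(SAMPLE_SUBJECTS):
        print(f"{t.priority:7} vessel={t.vessel!r:24} themes={t.themes} carriers={t.carriers}")
```

<p>Subjects that reach the vessel tier match the report's own MV/MT query; the themed tier covers the invoice, bill-of-lading and purchase-order lures the supply chain section lists, which a defender would then verify through the direct-communication check recommended below.</p>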
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>Ks.Malware.249 – Kingsoft</li>
<li>HTML.Doc – Ikarus</li>
<li>HEUR:Trojan.Script.Generic – ZoneAlarm</li>
<li>HTML:Phishing-CTV [Phish] – Avast</li>
<li>HTML/Phishing.Gen - ESET-NOD32</li>
</ul>
<p>As is generally the case with supply chain detections, the majority of what we see are generic trojans with a preference towards phishing operations. We have seen Phishing.HTML.Doc and its variants since 2016, with detection spikes in early 2021 and the summer of 2022. Phishing.HTML.Doc, HEUR:Trojan.Script.Generic, HTML:Phishing-CTV, and HTML/Phishing.Gen can all represent the same detection, depending on which vendor is reporting it.</p>
<p><a href="{{#staticFileLink}}12364601095,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12364601095,RESIZE_710x{{/staticFileLink}}" width="600" alt="12364601095?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12364601659,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. This supports our recommendation of daily cyber diligence.</p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12057693057,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057693057,RESIZE_400x{{/staticFileLink}}" width="400" alt="12057693057?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
<p><strong>Vessel Impersonation and Supply Chain Report / December 2023</strong></p>
<p><a href="https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-december-2023">https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-december-2023</a></p>
<p>Published 2023-12-21T21:06:41.000Z by <a href="https://redskyalliance.org/members/JDThomason">JD Thomason</a></p>
<div><p><a href="{{#staticFileLink}}12332374100,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12332374100,RESIZE_400x{{/staticFileLink}}" alt="12332374100?profile=RESIZE_400x" width="250" /></a>Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12332375077,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}12332373700,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12332373700,RESIZE_710x{{/staticFileLink}}" alt="12332373700?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12332374458,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12332374458,RESIZE_710x{{/staticFileLink}}" alt="12332374458?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12332374658,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12332374658,RESIZE_710x{{/staticFileLink}}" alt="12332374658?profile=RESIZE_710x" width="600" /></a></em>Figure 2. Map displaying location of victim domains</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12332374482,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12332374482,RESIZE_710x{{/staticFileLink}}" alt="12332374482?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12332374861,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12332374861,RESIZE_710x{{/staticFileLink}}" alt="12332374861?profile=RESIZE_710x" width="600" /></a>Common Transportation Attack Chain Overview</p>
<p><a href="{{#staticFileLink}}12332373852,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12332373852,RESIZE_710x{{/staticFileLink}}" alt="12332373852?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12332374058,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>RE: CARGO POLIC INV.DN/2324/0001817 DT.06.12.23</li>
<li>RE: CARGO POLIC INV.DN/2324/0001817 DT.28.11.23</li>
<li>Re: REQUIRED SHIPPING LINE INVOICE AND DO TO RELEASE CARGO</li>
<li>CMA Cargo-06432713 XINU4019108 - Bill NAM6432713</li>
<li>CONTRACT + LC INSTRUCTION / VSL FOR DEC-JAN DELIVERY, CFR ZHAPU / AETH1205-23S</li>
</ul>
<p><a href="{{#staticFileLink}}12332373094,RESIZE_930x{{/staticFileLink}}"><img class="align-left" style="padding:15px;" src="{{#staticFileLink}}12332373094,RESIZE_400x{{/staticFileLink}}" alt="12332373094?profile=RESIZE_400x" width="350" /></a></p>
<p>Several themes are represented by the subject lines seen. Specifically, in this month’s query we see primarily invoice notifications. These emails use common industry terminology to establish credibility, and that credibility makes for a solid lure. In terms of the sending addresses themselves, we see impersonations of companies in many industries. In our most recent query, we saw a Mumbaikar chemical trader, a Zimbabwean printing company, and a Mediterranean shipping company.</p>
<p>In addition to impersonating these companies and various types of communication, these emails also impersonate specific vessels. Some of the vessels we have seen impersonated by these emails in recent weeks include the following:</p>
<ul>
<li>Loire River (pictured left), which is a general cargo ship currently en route to Galati, Romania and is sailing under the flag of Panama.</li>
<li>Xin Hai Tong 22 (pictured below), which is a bulk carrier currently en route to Lagos, Nigeria and is sailing under the flag of Hong Kong (China).</li>
</ul>
<p>As one might expect, fabricating a vessel name is easy, but using a real ship’s name takes little more effort and lends the email added credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Ks.Malware.249 – Kingsoft</li>
<li>Troj/Krypt-ABH – Sophos</li>
<li>Troj.MSOffice.2022001 – Kingsoft</li>
<li>Other:SNH-gen [Phish] – AVG</li>
<li>Artemis!4BFE7E11AFBD - McAfee</li>
</ul>
<p><a href="{{#staticFileLink}}12332375455,RESIZE_930x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}12332375455,RESIZE_400x{{/staticFileLink}}" alt="12332375455?profile=RESIZE_400x" width="350" /></a>Many of the prevalent detections in our most recent query represent generic trojans, such as Script.Ks.Malware, Troj/Krypt, and Other:SNH-gen. We have only been seeing Script.Ks.Malware since earlier this year, while we have been seeing Troj/Krypt since 2017, with detection spikes in the latter half of 2017 and early 2021. We have seen Other:SNH-gen since early 2021, which is where most of its activity seems to have taken place. MSOffice trojan variants generally refer to malicious files capable of running PowerShell commands or achieving remote code execution through exploits in Office programs; Script.Troj.MSOffice specifically we have only been seeing in the last few months. The Artemis detection from McAfee is generally indicative of a generic trojan that has been quarantined on a system.</p>
<p><strong>Vessel Flag of Convenience</strong> – All vessels of shipping size that fall under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) system allows vessel owners to avoid burdensome international legal regulations: ships registered under this system are not connected to the laws of the countries where they are registered. The top five (5) flag states with the largest number of registered vessels are Panama, Liberia, the Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a></p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>Fw: Purchase order 2023</li>
<li>Fwd: Re: PO Invoice XJ210821Q PR 45258</li>
<li>???Purchase Order: 100534-PO#2500006039</li>
<li>New DHL Shipment Document Arrival Notice</li>
<li>Your Pending Shipment#/Invoice & Packing List</li>
</ul>
<p>Much like maritime related emails, we can see several themes emerge in the subject lines of these malicious emails. Most prevalently in the last month, we can see invoice notifications, purchase orders, and shipping document notifications. These emails can also contain impersonations of companies in many industries. In our most recent query, we saw multiple shipping and logistics companies, a UK microwave and RF manufacturer, and a pet clinic chain.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HEUR:Trojan.Script.Generic - ZoneAlarm</li>
<li>HTML.Doc – Ikarus</li>
<li>Ks.Malware.249 – Kingsoft</li>
<li>HTMLUnescape – Zoner</li>
<li>Outbreak - Ikarus</li>
</ul>
<p>Much like with the maritime focused detections above, the prevalent supply chain detections in our recent query are primarily generic trojans like HEUR:Trojan.Script.Generic, Phishing.HTML.Doc, or Script.Ks.Malware.249. We have seen a multitude of variants of both HEUR:Trojan.Script.Generic and Phishing.HTML.Doc since 2016.</p>
<p>Heur.HTMLUnescape detections are often associated with phishing attempts, and we have been seeing related detections since early 2020, with the highest level of activity occurring in the middle months of 2021. Win32.Outbreak is a backdoor trojan capable of giving a threat actor unauthorized access to a target’s machine. This detection we have seen since 2016, with the highest level of activity occurring at the start of 2021.</p>
<p style="text-align:center;"> <a href="{{#staticFileLink}}12332372500,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12332372500,RESIZE_710x{{/staticFileLink}}" alt="12332372500?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12332373072,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. This supports our recommendation of daily cyber diligence.</p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12332372662,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12332372662,RESIZE_400x{{/staticFileLink}}" alt="12332372662?profile=RESIZE_400x" width="400" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
<p><strong>Vessel Impersonation and Supply Chain Report / November 2023</strong></p>
<p><a href="https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-november-2023">https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-november-2023</a></p>
<p>Published 2023-11-21T20:52:24.000Z by <a href="https://redskyalliance.org/members/JDThomason">JD Thomason</a></p>
<div><p><a href="{{#staticFileLink}}12296666098,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12296666098,RESIZE_400x{{/staticFileLink}}" width="250" alt="12296666098?profile=RESIZE_400x" /></a>Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12296666086,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}12296665283,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12296665283,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296665283?profile=RESIZE_710x" /></a></p>
<p><em> <a href="{{#staticFileLink}}12296665299,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296665299,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296665299?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12296665697,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296665697,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296665697?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Figure 2. Map displaying location of victim domains</p>
<p style="text-align:center;"><em> <a href="{{#staticFileLink}}12296666077,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296666077,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296666077?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p><a href="{{#staticFileLink}}12296665265,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296665265,RESIZE_710x{{/staticFileLink}}" width="700" alt="12296665265?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Common Attack Chain Overview</p>
<p><a href="{{#staticFileLink}}12296665072,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296665072,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296665072?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12296665458,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>VSL: VM Accord, ORDER: TKHA-A88160011B</li>
<li>RE: NVA/IST/00892 : SB No. 3131684 : JOB NO.164///RE: BMIIST23-26970 - TAJ-2023-2 - //NHAVA SHEVA-AMBARLI--LCL-EXW//</li>
<li>Pre-Alert: LCL shpt for C/COOL GIFT.....ABC115418</li>
<li>CARGO ARRIVAL NOTICE 03-11-2023</li>
<li>Shipment BL :Cargo Loading, BL : 5092663*** Container</li>
</ul>
<p><a href="{{#staticFileLink}}12296664491,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12296664491,RESIZE_400x{{/staticFileLink}}" width="250" alt="12296664491?profile=RESIZE_400x" /></a></p>
<p>Several themes are represented by the subject lines seen. Specifically, we can see shipping notifications, invoice notifications, and cargo arrival notices. These emails use common industry terminology to establish credibility, and that credibility makes for a solid lure. In terms of the sending addresses themselves, we see impersonations of companies in many industries. In our most recent query, we saw a Chinese freight forwarding company, multiple shipping and logistics companies, a cable and rope testing facility, and an electronics manufacturer.</p>
<p>In addition to impersonating these companies and various types of communication, these emails also impersonate specific vessels. Some of the vessels we have seen impersonated by these emails in recent months include the following:</p>
<ul>
<li>Star Trader (pictured above), which is a bulk carrier currently en route to Uruguay and sailing under the flag of the Bahamas.</li>
<li>Kharis Pegasus (pictured below), which is a general cargo ship currently en route to Malaysia and sailing under the flag of Korea.</li>
<li>Baoshan Hope, which is a general cargo ship recently departed from the Philippines and is sailing under the flag of Panama.</li>
<li>Sun Grace, which is a bulk carrier currently en route to Indonesia and is sailing under the flag of Korea.</li>
<li>Good Luck I, which is a bulk carrier currently en route to Singapore and is sailing under the flag of Liberia.</li>
</ul>
<p>Fabricating a vessel name is easy, but using a real ship’s name takes little extra effort and lends the lure added credibility.</p>
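<p>The themes and vessel-name lures described above can be turned into a first-pass triage of a mail queue. The following Python example is added here for illustration and is not Red Sky Alliance’s tooling: it pulls the vessel name out of an MV/MT subject line, files each subject under a lure theme, and ranks a batch by how many lure traits it carries. The subject lines it runs on are constructed (several mirror lures quoted in these reports), the theme keyword table and the scoring weights are the author’s assumptions, and the extracted vessel name is a candidate to check against a ship registry, not a verdict.</p>

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Constructed sample subject lines. The first five are of the kind quoted in
# these reports (two name real vessels); the last two are benign internal mail
# included so the heuristics have something to leave alone.
SUBJECTS = [
    "MV BERDEN - ORIGINAL DOCUMENTS",
    "Re: RV: REVISED EPDA & JULY - AUGUST SOA //23461//-2023 MV OCEAN GLORY 60DAYS CREDIT TERMS",
    "CARGO ARRIVAL NOTICE 03-11-2023",
    "Fwd: Re: PO Invoice XJ210821Q PR 45258",
    "MOST URGENT: VESSEL HAS ARRIVED: Copy of document required : CFIMKAT2308122 arrival on 04-10-2023",
    "Urgent: Settle Invoice to Prevent Legal Action",
    "Crew change schedule Q2",
]

# Vessel prefix (MV, M/V, MT, M/T in any case) followed by one to three
# capitalised words; a digit, dash, slash or lower-case word ends the name.
VESSEL_RE = re.compile(r"\b(?i:m/?[vt])\.?\s+([A-Z][A-Za-z]*(?:\s+[A-Z][A-Za-z]*){0,2})")

# Lure themes in priority order (assumed keyword table): the first pattern
# that matches wins, so "PO Invoice ..." is filed as an invoice lure.
THEMES = [
    ("arrival notice", re.compile(r"arriv", re.I)),
    ("invoice", re.compile(r"invoice", re.I)),
    ("purchase order", re.compile(r"\bpo\b|purchase order", re.I)),
    ("shipping documents", re.compile(r"original documents|shipping doc|\bb/?l\b", re.I)),
    ("quotation", re.compile(r"quotation|\bquote\b", re.I)),
    ("disbursement account", re.compile(r"\b(?:e?pda|soa)\b", re.I)),
]
URGENCY_RE = re.compile(r"urgent|immediate|overdue|legal action", re.I)
THREAD_RE = re.compile(r"^(?:(?:re|fw|fwd|rv)\s*:\s*)+", re.I)


class Row(NamedTuple):
    subject: str
    vessel: Optional[str]
    theme: str
    score: int


def extract_vessel(subject: str) -> Optional[str]:
    """Return the vessel name that follows an MV/MT prefix, or None.
    The name is a candidate to look up in a ship registry, not a verdict."""
    m = VESSEL_RE.search(subject)
    return m.group(1) if m else None


def classify_theme(subject: str) -> str:
    """Map a subject line to one of the lure themes above, or 'other'."""
    for name, pattern in THEMES:
        if pattern.search(subject):
            return name
    return "other"


def rank_subjects(subjects: List[str]) -> List[Row]:
    """Score each subject on the lure traits the reports describe and return
    the batch highest first. The weights are an assumption: a named vessel
    counts two because it is the trait worth checking against the registry;
    a recognised theme, urgency wording and a forged Re:/Fwd: chain count one."""
    rows = []
    for subject in subjects:
        vessel = extract_vessel(subject)
        theme = classify_theme(subject)
        score = (2 if vessel else 0) + (1 if theme != "other" else 0)
        score += 1 if URGENCY_RE.search(subject) else 0
        score += 1 if THREAD_RE.match(subject) else 0
        rows.append(Row(subject, vessel, theme, score))
    return sorted(rows, key=lambda r: -r.score)  # stable sort keeps input order on ties


def theme_counts(subjects: List[str]) -> Counter:
    """Theme frequency across a batch, the view these reports give each month."""
    return Counter(classify_theme(s) for s in subjects)


if __name__ == "__main__":
    for row in rank_subjects(SUBJECTS):
        print(f"{row.score}  {row.theme:<20} {str(row.vessel):<14} {row.subject[:60]}")
    print(theme_counts(SUBJECTS))
```

<p>The vessel regex stops at the first word that is not capitalised, so a subject such as <code>MV BERDEN ORIGINAL DOCUMENTS</code> with no delimiter would over-capture; the three-word cap limits the damage, and the registry lookup is what settles it.</p>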
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Ks.Malware.249 – Kingsoft</li>
<li>JS/Redirector.QIL - ESET-NOD32</li>
<li>Generic.D20ACCC4 – Arcabit</li>
<li>GenericKD.69861259 - MicroWorld-eScan</li>
<li>MSIL/Kryptik.ATU!tr - Fortinet</li>
</ul>
<p><a href="{{#staticFileLink}}12296664688,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12296664688,RESIZE_400x{{/staticFileLink}}" width="250" alt="12296664688?profile=RESIZE_400x" /></a>The Script.Ks.Malware.249 detection is a detection we mentioned in the previous report. We have seen similar numbers of detections this month and it is still worth noting that this detection is only reported by Kingsoft and is worth investigating for false positives. JS/Redirector.QIL specifically is a relatively new trojan detection in our system but we have been seeing JS/Redirector variants regularly since late 2022, with a significant number of detections in January. Trojan.Generic variants we have been seeing since late 2016. MSIL/Kryptik.ATU!tr we have been seeing since May of this year specifically, but MSIL/Kryptik variants we have been seeing since early 2020, with a large spike in detections over the summer of 2022.</p>
<p><strong>Vessel Flag of Convenience</strong> – Every seagoing merchant vessel subject to international law must fly the flag of the state in which it is registered. A flag of convenience (FOC) is the practice of registering a ship in a state other than the owner’s own; the vessel is then governed by the laws of that flag state rather than by the often more burdensome regulations of the owner’s home country. The five flag states with the largest number of registered vessels are Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analysts began looking into the wider transportation supply chain, since transportation companies are often used as a stepping stone to gain cyber access to more valuable targets. Maritime shipping is only one portion of the commercial transportation supply chain. By querying our data with a set of key supply chain terms, we can also extract the more general supply chain related malicious emails. The five most prevalent subject lines with a general supply chain focus are as follows:</p>
<ul>
<li>FedEx Logistic Shipment notification received</li>
<li>Fwd: Re: PO Invoice XJ210821Q PR 45258</li>
<li>DSV Solutions SRL (RO1) - Otopeni - RO11729920 - 66179922 –</li>
<li>Purchase Order</li>
<li>Payment invoice</li>
</ul>
<p>Much like the maritime-related emails, several themes emerge in the subject lines of these malicious emails. Most prevalent in the last month were invoice notifications, purchase orders, and shipping document notifications. These emails also impersonate companies in many industries; in our most recent query we saw multiple shipping companies, a Kuwaiti hospital, a Portuguese logistics consulting company, a Nigerian industrial consulting company, and a Greek construction company.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML:PhishingDhl-GH [Phish] – Avast</li>
<li>HTML.Doc – Ikarus</li>
<li>Ks.Malware.249 – Kingsoft</li>
<li>PDF:PhishingX-gen [Phish] – Avast</li>
<li>Trojan:HTML/Phish.SBR!MTB - Microsoft</li>
</ul>
<p>The most prevalent detections in this month’s supply chain query all fall under the phishing banner. HTML-branded phishing detections such as HTML:PhishingDhl, Phishing.HTML.Doc, and Trojan:HTML/Phish.SBR!MTB have appeared in our data since 2016. Trojan:HTML/Phish.SBR!MTB specifically is a new label, though the same files are often identified under one of the other names depending on the vendor. PDF:PhishingX-gen has appeared regularly since late summer 2021.</p>
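<p>Two observations in this report, that Script.Ks.Malware.249 is reported only by Kingsoft and worth checking for false positives, and that Trojan:HTML/Phish.SBR!MTB is identified under other names by other vendors, are both questions of vendor agreement. The following Python example, added here and not part of Red Sky Alliance’s own pipeline, shows how to ask them of a set of multi-engine verdicts: it normalises vendor labels to a family keyword, summarises each file’s verdicts, and reports for every label how often another engine corroborated it. The verdict data is constructed (the labels are ones quoted in these reports; the file names and which vendor flagged which file are invented), and the family keyword table is an assumption.</p>

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed multi-scanner verdicts for a handful of attachments, shaped like
# the per-vendor results a sandbox or multi-engine scanning service returns.
# The labels are ones quoted in these reports; None means the vendor scanned
# the file and returned clean. File names and vendor/file pairings are invented.
SAMPLES: Dict[str, Dict[str, Optional[str]]] = {
    "invoice_notice.html": {
        "Avast": "HTML:PhishingDhl-GH [Phish]", "Ikarus": "Phishing.HTML.Doc",
        "Microsoft": "Trojan:HTML/Phish.SBR!MTB", "Kingsoft": None, "ESET-NOD32": None},
    "arrival_notice.js": {
        "ESET-NOD32": "JS/Redirector.QIL", "Arcabit": "Generic.D20ACCC4",
        "Avast": None, "Kingsoft": None, "Microsoft": None},
    "mv_docs.xls": {
        "Kingsoft": "Script.Ks.Malware.249", "Avast": None, "Microsoft": None,
        "ESET-NOD32": None, "Ikarus": None},
    "bl_copy.xls": {
        "Kingsoft": "Script.Ks.Malware.249", "Avast": None, "Microsoft": None,
        "ESET-NOD32": None, "Ikarus": None},
    "po_45258.exe": {
        "Fortinet": "MSIL/Kryptik.ATU!tr", "MicroWorld-eScan": "GenericKD.69861259",
        "Kingsoft": "Script.Ks.Malware.249", "Avast": None},
}

# Vendor naming differs, but a family keyword usually survives (assumed table).
# A label matching none of these is treated as generic/heuristic, which
# corroborates a named family without contradicting it.
FAMILY_PATTERNS = [
    ("phishing", re.compile(r"phish", re.I)),
    ("redirector", re.compile(r"redirector", re.I)),
    ("kryptik", re.compile(r"kryptik", re.I)),
    ("equation-editor", re.compile(r"cve-2017-11882|cve-2018-0798|cve-2018-0802", re.I)),
]


def family(label: str) -> str:
    for name, pattern in FAMILY_PATTERNS:
        if pattern.search(label):
            return name
    return "generic"


def triage_file(verdicts: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Summarise one file's verdicts: how many engines flagged it, which family
    they agree on, and whether the hit rests on a single vendor."""
    flagged = {vendor: label for vendor, label in verdicts.items() if label}
    if not flagged:
        return {"flagged": 0, "scanned": len(verdicts), "family": None, "verdict": "clean"}
    families = Counter(family(label) for label in flagged.values())
    named = {f: n for f, n in families.items() if f != "generic"}
    if len(flagged) == 1:
        fam = next(iter(families))
        verdict = "single-vendor: verify before acting (possible false positive)"
    elif len(named) <= 1:
        fam = next(iter(named)) if named else "generic"
        verdict = f"corroborated: {fam}"
    else:
        fam = max(named, key=named.__getitem__)
        verdict = "mixed: " + ", ".join(f"{f}={n}" for f, n in sorted(named.items()))
    return {"flagged": len(flagged), "scanned": len(verdicts), "family": fam, "verdict": verdict}


def corroboration(samples: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, Tuple[int, int]]:
    """For each detection label: (files carrying it, files where at least one
    other engine also flagged the file). A label whose second number stays near
    zero across a month of data is the one to investigate as a false positive
    before it is allowed to drive blocking or reporting."""
    hits: Counter = Counter()
    backed: Counter = Counter()
    for verdicts in samples.values():
        flagged = [label for label in verdicts.values() if label]
        for label in flagged:
            hits[label] += 1
            if len(flagged) > 1:
                backed[label] += 1
    return {label: (hits[label], backed[label]) for label in hits}


def top_detections(samples: Dict[str, Dict[str, Optional[str]]], n: int = 5) -> List[Tuple[str, int, int]]:
    """The report's 'most prevalent detections' list, with corroboration attached."""
    stats = corroboration(samples)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [(label, hits, backed) for label, (hits, backed) in ranked[:n]]


if __name__ == "__main__":
    for label, hits, backed in top_detections(SAMPLES):
        print(f"{hits:>3} files  {backed:>3} corroborated  {label}  [{family(label)}]")
    for name, verdicts in SAMPLES.items():
        print(name, triage_file(verdicts))
```

<p>On the constructed data the Kingsoft label tops the prevalence list, exactly as in the report, while the corroboration column shows it was backed by another engine on only one of three files; that is the number to check before treating the label as a real infection count.</p>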
<p><a href="{{#staticFileLink}}12296664263,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12296664263,RESIZE_710x{{/staticFileLink}}" width="600" alt="12296664263?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12296664285,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These results illustrate how a recipient could be fooled into opening a malicious email and what can follow. Attackers commonly target pieces of a company’s supply chain as a staging point for attacks on larger companies. A recipient who is compromised becomes an infected member of the maritime supply chain and can in turn pass malware on to vessels, port facilities and/or shore companies in the marine, agricultural and other industries. With approximately 90% of products moving through the maritime supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative email protection offers a strong first line of defense by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection every day, which is why we recommend daily cyber diligence. </p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also covers the human element and organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to understand that they are under constant cyber-attack.</li>
<li>Keep the real-world consequences of careless cyber practices or general inattentiveness in front of staff.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Verify supply chain emails through a direct, separate channel (a known phone number, not the contact details given in the message) before acting on them.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12296663678,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12296663678,RESIZE_400x{{/staticFileLink}}" width="400" alt="12296663678?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice; external threats, however, are often overlooked and can give early warning of an impending cyber-attack. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a><strong><u> </u></strong></li>
</ul>
<p>Weekly Cyber Intelligence Briefings: </p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><strong><u><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></u></strong></p>
<p> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>Vessel Impersonation and Supply Chain Report / October 2023https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-october-20232023-10-20T20:38:31.000Z2023-10-20T20:38:31.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><strong><a href="{{#staticFileLink}}12262852665,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12262852665,RESIZE_400x{{/staticFileLink}}" alt="12262852665?profile=RESIZE_400x" width="250" /></a></strong></p>
<p>Each month Red Sky Alliance queries our backend databases for all new malicious emails containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line. Malicious actors use MV or MT in the subject line as a lure to entice users in the maritime industry to open emails carrying malicious attachments. Red Sky Alliance is providing this list of Motor Vessels which we directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, their parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12262853282,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}12262851901,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12262851901,RESIZE_710x{{/staticFileLink}}" alt="12262851901?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;"><em> <a href="{{#staticFileLink}}12262852679,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12262852679,RESIZE_710x{{/staticFileLink}}" alt="12262852679?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;">Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;"><em> </em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12262852693,original{{/staticFileLink}}"><img src="{{#staticFileLink}}12262852693,RESIZE_710x{{/staticFileLink}}" alt="12262852693?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;">Figure 2. Map displaying location of victim domains</p>
<p style="text-align:center;"><em> </em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12262852878,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12262852878,RESIZE_710x{{/staticFileLink}}" alt="12262852878?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12262852899,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12262852899,RESIZE_710x{{/staticFileLink}}" alt="12262852899?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Figure 4. Common Attack Chain Overview</p>
<p> </p>
<p><a href="{{#staticFileLink}}12262851657,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12262851657,RESIZE_710x{{/staticFileLink}}" alt="12262851657?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12262851681,original{{/staticFileLink}}">Full table attached.</a></p>
<p> </p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>MOST URGENT: VESSEL HAS ARRIVED: Copy of document required : CFIMKAT2308122 arrival on 04-10-2023</li>
<li>Deer Park permit 5101 deck O'Leary July 2023.xls</li>
<li>MV BERDEN - ORIGINAL DOCUMENTS</li>
<li>PO# FCL-SL23-09 Yaosheng quotation SEA-FCL....104.168.142.103</li>
<li>Re: RV: REVISED EPDA & JULY - AUGUST SOA //23461//-2023 MV OCEAN GLORY 60DAYS CREDIT TERMS</li>
</ul>
<p><a href="{{#staticFileLink}}12262851458,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12262851458,RESIZE_400x{{/staticFileLink}}" alt="12262851458?profile=RESIZE_400x" width="400" /></a></p>
<p> </p>
<p>Several themes recur in these subject lines: shipping document requests and quotes, arrival notices, and document update notifications. The emails use the industry’s routine terminology to establish credibility, which makes for a solid lure. The sending addresses themselves impersonate companies across many industries; in our most recent query we saw freight companies, logistics management companies, a pager manufacturer, and an automation technology manufacturer.</p>
<p>In addition to impersonating these companies and these types of communication, the emails also impersonate specific vessels. Vessels impersonated by these emails include the following:</p>
<p> </p>
<p> </p>
<ul>
<li>Ipsea Colossus (pictured above), which is a bulk carrier currently en route to IDMLB and is sailing under the flag of Singapore.</li>
<li>Efendi Baba (pictured below), which is a container ship that is no longer in service and previously sailed under the flag of Turkey.</li>
<li>Berden, which is a bulk carrier currently en route to Tuapse, Russia and is sailing under the flag of Marshall Islands.</li>
<li>Cartagena Express, which is a container ship currently en route to Santos, Brazil and is sailing under the flag of Germany.</li>
</ul>
<p>Fabricating a vessel name is easy, but using a real ship’s name takes little extra effort and lends the lure added credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>PDF:PhishingX-gen [Phish] – AVG</li>
<li>Troj.MSOffice.2022001 – Kingsoft</li>
<li>Win32:DropperX-gen [Drp] – AVG</li>
<li>CVE-2018-0798.4 – DrWeb</li>
<li>HTML:Phishing-CSO [Phish] - Avast</li>
</ul>
<p><a href="{{#staticFileLink}}12262851284,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12262851284,RESIZE_400x{{/staticFileLink}}" alt="12262851284?profile=RESIZE_400x" width="300" /></a>PDF:PhishingX-gen is a detection we have seen since late 2021, with the most occurrences showing in the early summer of this year. Script.Troj.MSOffice.2022001, which is indicative of a malicious MS Office document, is a detection we have only seen specifically in the last month, though it can also be identified as Exploit.CVE-2018-0802.Gen, which we see a large number of between 2021 and 2022. Win32:DropperX-gen is a trojan detection that we have been seeing since 2019, with the heaviest detection occurring in the summer of 2022. Exploit.CVE-2018-0798.4 is an exploit of the equation editor in select versions of Microsoft Office products that allows remote code execution. This detection we have seen since early 2022. HTML:Phishing-CSO specifically we have been seeing since July, though it is worth mentioning that this can also be identified as Phishing.HTML.Doc which we have seen for much longer.</p>
<p><strong>Vessel Flag of Convenience</strong> – Every seagoing merchant vessel subject to international law must fly the flag of the state in which it is registered. A flag of convenience (FOC) is the practice of registering a ship in a state other than the owner’s own; the vessel is then governed by the laws of that flag state rather than by the often more burdensome regulations of the owner’s home country. The five flag states with the largest number of registered vessels are Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analysts began looking into the wider transportation supply chain, since transportation companies are often used as a stepping stone to gain cyber access to more valuable targets. Maritime shipping is only one portion of the commercial transportation supply chain. By querying our data with a set of key supply chain terms, we can also extract the more general supply chain related malicious emails. The five most prevalent subject lines with a general supply chain focus are as follows:</p>
<ul>
<li>PROFORMA INVOICE sent via wetransfer</li>
<li>FW:PROFORMA INVOICE</li>
<li>[info] Purchase Order #88392</li>
<li>DSV Solutions SRL (RO1) - Otopeni - RO8119502 - 6403211820 –</li>
<li>FedEx Shipping Documents</li>
</ul>
<p>Much like the maritime-related emails, several themes emerge in the subject lines of these malicious emails. Most prevalent in the last month were invoice notifications, purchase orders, and shipping document notifications. These emails also impersonate companies in many industries; in our most recent query we saw shipping companies, a Greek dialysis care unit, a Serbian health data management company, and work clothing manufacturers.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>Ks.Malware.249 – Kingsoft</li>
<li>HTML/Phish.05F9!phish – Fortinet</li>
<li>Agent.GGUT – BitDefender</li>
<li>HTML:PhishingAdb-JC [Phish] – Avast</li>
<li>Script.Iframe.hqvxv - NANO-Antivirus</li>
</ul>
<p>Script.Ks.Malware.249 we have been seeing since April of this year, with the largest number of detections occurring in the last month. It is worth mentioning here that this label is reported only by Kingsoft and could be worth investigating as a false positive. HTML/Phish.05F9!phish specifically is a detection we have seen only in the last month, but we have seen HTML/Phish variants since 2016, with the most occurrences in 2023. Similarly, Trojan.Agent.GGUT has only been detected in the last month, but the same files can also be identified by a variety of “phishing” detections, such as Phishing.HTML.Doc, similar to HTML:PhishingAdb-JC. A Trojan.Script.Iframe.hqvxv detection indicates malicious JavaScript in a webpage, in this case code embedded in an iframe with the intent of misdirecting the user to a certain location or displaying unsolicited content. We have seen this detection since 2017, though its occurrences were few and far between until May of this year, when it became more consistent.</p>
<p><br /> <a href="{{#staticFileLink}}12262850700,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12262850700,RESIZE_710x{{/staticFileLink}}" alt="12262850700?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12262851863,original{{/staticFileLink}}">Full table attached.</a></p>
<p style="text-align:center;"> </p>
<p><strong>Closing</strong>: These results illustrate how a recipient could be fooled into opening a malicious email and what can follow. Attackers commonly target pieces of a company’s supply chain as a staging point for attacks on larger companies. A recipient who is compromised becomes an infected member of the maritime supply chain and can in turn pass malware on to vessels, port facilities and/or shore companies in the marine, agricultural and other industries. With approximately 90% of products moving through the maritime supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative email protection offers a strong first line of defense by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection every day, which is why we recommend daily cyber diligence. </p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also covers the human element and organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to understand that they are under constant cyber-attack.</li>
<li>Keep the real-world consequences of careless cyber practices or general inattentiveness in front of staff.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Verify supply chain emails through a direct, separate channel (a known phone number, not the contact details given in the message) before acting on them.</li>
</ul>
<p> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>Vessel Impersonation and Supply Chain Report / September 2023https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-september-20232023-09-20T21:11:21.000Z2023-09-20T21:11:21.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><strong><a href="{{#staticFileLink}}12228654674,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12228654674,RESIZE_400x{{/staticFileLink}}" width="250" alt="12228654674?profile=RESIZE_400x" /></a></strong></p>
<p>Each month Red Sky Alliance queries our backend databases for all new malicious emails containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line. Malicious actors use MV or MT in the subject line as a lure to entice users in the maritime industry to open emails carrying malicious attachments. Red Sky Alliance is providing this list of Motor Vessels which we directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, their parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12228655498,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><em><a href="{{#staticFileLink}}12228654497,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12228654497,RESIZE_710x{{/staticFileLink}}" width="600" alt="12228654497?profile=RESIZE_710x" /></a> </em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12228653890,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12228653890,RESIZE_710x{{/staticFileLink}}" width="600" alt="12228653890?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12228654462,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12228654462,RESIZE_710x{{/staticFileLink}}" width="600" alt="12228654462?profile=RESIZE_710x" /></a></em><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"><em> </em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12228653863,RESIZE_930x{{/staticFileLink}}"><img src="{{#staticFileLink}}12228653863,RESIZE_710x{{/staticFileLink}}" width="600" alt="12228653863?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12228653679,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12228653679,RESIZE_710x{{/staticFileLink}}" width="600" alt="12228653679?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12228653492,original{{/staticFileLink}}">Full table attached.</a></p>
<p style="text-align:center;"> </p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>Re: DELIVERY DOCUMENTATION REVISION: OCEAN Booking // MAERSK Shipping - New B/L#: 7658677410</li>
<li>CARGO ARRIVAL NOTICE</li>
<li>PO# FCL-SL23-09 Yaosheng quotation SEA-FCL</li>
<li>Re: DOCUMENT UPDATE: SHIPPING: OCEAN Booking // MAERSK Shipping - New B/L#: 8365817455</li>
<li>#:SCAN ORIGINAL MEDITERRANEAN SHIPPING DOCS-MSC///2970</li>
</ul>
<p><a href="{{#staticFileLink}}12228653281,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12228653281,RESIZE_400x{{/staticFileLink}}" width="300" alt="12228653281?profile=RESIZE_400x" /></a></p>
<p> </p>
<p>Several themes recur in these subject lines: shipping document requests and quotes, arrival notices, and document update notifications. The emails use the industry’s routine terminology to establish credibility, which makes for a solid lure. </p>
<p>The sending addresses themselves impersonate companies across many industries. In our most recent query, we saw a UK energy company, a global trade business consultant, and the National Organization for Women.</p>
<p>In addition to impersonating these companies and these types of communication, the emails also impersonate specific vessels. Vessels impersonated by these emails include the following:</p>
<p> </p>
<ul>
<li>Berden (pictured above), which is a bulk carrier currently en route to Karachi Pakistan and is sailing under the flag of Marshall Islands.</li>
<li>Zorina (pictured below), which is a bulk carrier currently en route to Tanjung Pemancingan and is sailing under the flag of Panama.</li>
</ul>
<p>Fabricating a vessel name is easy, but using a real ship’s name takes little extra effort and lends the lure added credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>HTML/Phishing.Agent.EOB - ESET-NOD32</li>
<li>GenericKD.65866227 – BitDefender</li>
<li>HEUR:Trojan.Script.Generic – ZoneAlarm</li>
<li>HTML/Phishing.Agent.EGH - ESET-NOD32</li>
<li>JS.Phishing.DB - VIPRE</li>
</ul>
<p>This month’s detections indicate a clear abundance of phishing attempts among maritime impersonation emails in the last thirty days. HTML/Phishing.Agent.EOB appears to be a fairly new trojan detection that we have seen only in the last month. HEUR:Trojan.Script.Generic, on the other hand, is a detection we have been seeing since 2016, with the highest activity in the summer months of 2017 and 2020. HTML/Phishing.Agent.EGH is also a fairly recent detection, seen since May, but the same files are more commonly identified as Trojan.JS.Phishing.DB. Trojan.GenericKD variants we have also seen since 2016, with high levels of activity in the summer months of 2019 and 2022.</p>
<p><strong>Vessel Flag of Convenience</strong> – Every seagoing merchant vessel subject to international law must fly the flag of the state in which it is registered. A flag of convenience (FOC) is the practice of registering a ship in a state other than the owner’s own; the vessel is then governed by the laws of that flag state rather than by the often more burdensome regulations of the owner’s home country. </p>
<p>The five flag states with the largest number of registered vessels are Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analysts began looking into the wider transportation supply chain, since transportation companies are often used as a stepping stone to gain cyber access to more valuable targets. Maritime shipping is only one portion of the commercial transportation supply chain. By querying our data with a set of key supply chain terms, we can also extract the more general supply chain related malicious emails. The five most prevalent subject lines with a general supply chain focus are as follows:</p>
<ul>
<li>Re: Required Invoice Copies for GST Compliances for FY 22-23</li>
<li>Urgent: Overdue Invoice - Immediate Payment Required (Invoice Attached)</li>
<li>Urgent: Settle Invoice to Prevent Legal Action</li>
<li>Long Overdue Invoice</li>
<li>FW: UNPAID-OVERDUE INVOICE NEED TO BE SELTTLED</li>
</ul>
<p>Much like maritime related emails, we can see several themes emerge in the subject lines of these malicious emails. Most prevalently in the last month, we can see invoice notifications and overdue notices. These emails can also contain impersonations of companies in many industries. In our most recent query, we saw a European economic consulting firm, a Vietnamese garment manufacturer, a Chinese freight forwarder, and several shipping companies.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML/Phish.GVA – Cyren</li>
<li>HTML.Doc – Ikarus</li>
<li>Trojan:Script/Wacatac.B!ml – Microsoft</li>
<li>HTML/Phish.6571!tr – Fortinet</li>
<li>HTML/Phishing.Agent.ERX - ESET-NOD32</li>
</ul>
<p><a href="{{#staticFileLink}}12228652879,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12228652879,RESIZE_400x{{/staticFileLink}}" width="300" alt="12228652879?profile=RESIZE_400x" /></a></p>
<p>Much like the maritime related detections, the supply chain email detections show high phishing activity, though we have found this to be a common trend. We have been seeing HTML/Phish variations since late 2016, though the heaviest activity began in the winter of 2022. The situation is similar with HTML/Phishing variants, except that the heaviest activity occurred in late 2020 and early 2021. Phishing.HTML.Doc is one of the most common detections mentioned in our reports and is often a stand-in for more specific detections, such as Trojan:Script/Wacatac.B!ml, which we have been seeing since the fall of 2020. The highest level of activity we have registered for this detection is in the summer of 2022.</p>
<p><a href="{{#staticFileLink}}12228652100,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12228652100,RESIZE_710x{{/staticFileLink}}" width="600" alt="12228652100?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12228652680,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and the dangers that can accompany such emails. It is common for attackers to target pieces of a company’s supply chain as a foothold for cyber-attacks against larger companies. A successful lure could turn the recipient into an infected member of the maritime supply chain, which could in turn infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped through the maritime related supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by keeping deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. This supports our recommendation of daily cyber diligence. </p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12228651897,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12228651897,RESIZE_400x{{/staticFileLink}}" width="400" alt="12228651897?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, including those referring to Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings: </p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p>
<p> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
<p><strong>Vessel Impersonation and Supply Chain Report / August 2023</strong></p>
<p>Posted 2023-08-16T20:46:57.000Z by <a href="https://redskyalliance.org/members/JDThomason">JD Thomason</a>. Post URL: <a href="https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-august-2023">https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-august-2023</a></p>
<div><p><strong><a href="{{#staticFileLink}}12198596881,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12198596881,RESIZE_400x{{/staticFileLink}}" width="250" alt="12198596881?profile=RESIZE_400x" /></a></strong></p>
<p>Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12198597260,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Keys Words:</strong></p>
<p><strong><a href="{{#staticFileLink}}12198596296,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12198596296,RESIZE_710x{{/staticFileLink}}" width="600" alt="12198596296?profile=RESIZE_710x" /></a></strong></p>
<p><a href="{{#staticFileLink}}12198596870,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12198596870,RESIZE_710x{{/staticFileLink}}" width="600" alt="12198596870?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12198596075,original{{/staticFileLink}}"><img src="{{#staticFileLink}}12198596075,RESIZE_710x{{/staticFileLink}}" width="600" alt="12198596075?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p><a href="{{#staticFileLink}}12198595491,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12198595491,RESIZE_710x{{/staticFileLink}}" width="600" alt="12198595491?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p><a href="{{#staticFileLink}}12198595852,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12198595852,RESIZE_710x{{/staticFileLink}}" width="600" alt="12198595852?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12198596058,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>MV TRANS-ASIA I</li>
<li>SHIPPING DOCS FOR REF NO HAMB2200022 VSL# OOCL SHANGHAI 066S FFAU3493855</li>
<li>CLEARANCE/VERIFICATION - FOR CONTAINER REFUND REQUEST</li>
<li>RE: PRE DOCUMENTS OF MV STAR TRADER</li>
<li>Mv Carina, request proforma D/A, Discharging abt 16600 mts of shredded tyres.</li>
</ul>
<p><a href="{{#staticFileLink}}12198595690,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12198595690,RESIZE_400x{{/staticFileLink}}" width="350" alt="12198595690?profile=RESIZE_400x" /></a></p>
<p>There are several themes represented in the subject lines seen; specifically, shipping requests, port disbursement requests, and invoices. These emails use common industry terminology to establish credibility, and that credibility makes for a solid lure. The sending addresses themselves impersonate companies in many industries. In our most recent query, we saw a Chinese ship management company, a Portuguese tool manufacturer, a Romanian power company, and a Korean sky freight company.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<ul>
<li>Star Trader (pictured above), which is a bulk carrier currently en route to CN NJG and is sailing under the flag of Bahamas.</li>
<li>Trans-Asia 1 (pictured below), which was a passenger cargo ship registered to Trans-Asia Sg Line Inc. This vessel has not been in service since 2021.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little additional effort and lends the email extra credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>CVE-2018-0802.Gen – Arcabit</li>
<li>Siggen.525 – DrWeb</li>
<li>Script.Heuristic-js.iacgm - NANO-Antivirus</li>
<li>HTML.Doc – Ikarus</li>
<li>HTML/Phish.EJD!tr - Fortinet</li>
</ul>
<p><a href="{{#staticFileLink}}12198595286,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}12198595286,RESIZE_400x{{/staticFileLink}}" width="350" alt="12198595286?profile=RESIZE_400x" /></a>We have been seeing Exploit.CVE-2018-0802.Gen detections since early 2018, but the rate of detection did not grow much until early 2021. This detection relates to a vulnerability in the memory handling of some versions of Microsoft Office that can be used to execute malicious code remotely. We have only been seeing the specific Java.Siggen.525 detection since early this year, but it is worth noting that this detection is also labeled as a generic trojan, like HEUR:Trojan.Java.Generic. We have seen Trojan.Script.Heuristic-js.iacgm detections since 2016, with the highest detection rates occurring in late 2016 and minimal numbers of detections each month since then. Phishing.HTML.Doc is a returning detection in these reports and one we have been seeing since mid-2017; the highest number of detections thus far occurred in the middle months of 2021. HTML/Phish.EJD!tr is a specific detection we have only been seeing in the last few months, but it can also be identified as Phishing.HTML.Doc.</p>
<p><strong>Vessel Flag of Convenience</strong> – All vessels of shipping size that fall under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) system allows vessel owners to avoid burdensome international legal regulations: ships registered under this system are not connected to the laws of the countries where they are registered. The top five (5) flag states with the largest number of registered vessels are: Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the wider transportation supply chain, since transportation companies are often used as a stepping stone to gain cyber access to more valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>Purchase Order</li>
<li>Al Rouba Purchase Order MO2101358-2022.</li>
<li>PURCHASE ORDER</li>
<li>CONFIRMATION OF INVOICE STATEMENT DURING JULY MONTH</li>
<li>Re: Purchase Order PO-9528 from Naturgy Energy Group S.A</li>
</ul>
<p>Much like maritime related emails, we can see several themes emerge in the subject lines of these malicious emails. Most prevalent in the last month were purchase orders and invoices. These emails can also contain impersonations of companies in many industries. In our most recent query, we saw a Vietnamese grocery store, a German ventilation manufacturer, a Bulgarian auto parts store, and a wellness clinic in Colorado, in addition to a number of shipping companies.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML.Doc – Ikarus</li>
<li>HTML:PhishingMS-AGB [Phish] – Avast</li>
<li>HTML/Phish.MS!tr – Fortinet</li>
<li>Generic-HTML.Save.7b263796 – Sangfor</li>
<li>DownLoader.2938 - DrWeb</li>
</ul>
<p>As mentioned in previous reports, detections found in more general supply chain related emails tend to focus more on phishing malware, as we can see above. Many of those listed are repeat detections from previous reports. Again, Phishing.HTML.Doc is a very common trojan detection and can be an additional identifier for a vast number of specific trojan detections, such as HTML:PhishingMS-AGB, which we have been seeing specifically since late 2022. Similarly, we have been seeing HTML/Phish.MS! since 2019. </p>
<p>We have been seeing Malware.Generic-HTML.Save variants since early 2021, with the highest number of detections occurring in the summer of 2022. W97M.DownLoader variants, which we have seen since 2018, typically involve specially crafted Microsoft Office files that contain malicious macros intended to download additional files to a victim’s machine.</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12198595082,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}12198595082,RESIZE_710x{{/staticFileLink}}" width="600" alt="12198595082?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12198595101,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and the dangers that can accompany such emails. It is common for attackers to target pieces of a company’s supply chain as a foothold for cyber-attacks against larger companies. A successful lure could turn the recipient into an infected member of the maritime supply chain, which could in turn infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped through the maritime related supply chain, this is a serious cyber matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by keeping deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily. This supports our recommendation of daily cyber diligence. </p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12198594891,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12198594891,RESIZE_400x{{/staticFileLink}}" width="400" alt="12198594891?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, including those referring to Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings: </p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p>
<p> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
<p><strong>Vessel Impersonation and Supply Chain Report / July 2023</strong></p>
<p>Posted 2023-07-19T20:49:46.000Z by <a href="https://redskyalliance.org/members/JDThomason">JD Thomason</a>. Post URL: <a href="https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-july-2023">https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-july-2023</a></p>
<div><p><strong><a href="{{#staticFileLink}}12150961474,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12150961474,RESIZE_400x{{/staticFileLink}}" width="250" alt="12150961474?profile=RESIZE_400x" /></a></strong></p>
<p>Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12150962463,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Keys Words:</strong></p>
<p><a href="{{#staticFileLink}}12150961066,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12150961066,RESIZE_710x{{/staticFileLink}}" width="600" alt="12150961066?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12150961284,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}12150961284,RESIZE_710x{{/staticFileLink}}" width="600" alt="12150961284?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12150961653,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}12150961653,RESIZE_710x{{/staticFileLink}}" width="600" alt="12150961653?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12150960659,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12150960659,RESIZE_710x{{/staticFileLink}}" width="600" alt="12150960659?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p><a href="{{#staticFileLink}}12150960492,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12150960492,RESIZE_710x{{/staticFileLink}}" width="600" alt="12150960492?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12150960483,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>RE: Cargo Unstuffing Confirmation / HBL NoCINNHVD05783 Shipper Name:Ashland Inc. [Canton]</li>
<li>[External Mail] MV GOLDEN SCHULTE AGENCY APPOINTMENT / PDA REQUEST</li>
<li>OOCL Arrival Notice At Final Destination: OOLU4051770254 | COSCO SHIPPING ANDES - 017E</li>
<li>RE: SHIPPING DOCUMENT KARNAPHULI FROM TENTAC HO CHI MINH BY SEA – 20230703</li>
<li>[58ORIGINAL]-#117:MAERSK SHIPPING DOCS-Llproducts~9296</li>
</ul>
<p><a href="{{#staticFileLink}}12150959700,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12150959700,RESIZE_400x{{/staticFileLink}}" width="300" alt="12150959700?profile=RESIZE_400x" /></a></p>
<p>There are several themes represented in the subject lines seen; specifically, shipping requests, port disbursement requests, and invoices. These emails use common industry terminology to establish credibility, and that credibility makes for a solid lure. The sending addresses themselves impersonate companies in many industries. In our most recent query we saw a Spanish IT consulting company, multiple shipping companies, a Singaporean commodities exporter, a Kyrgyzstani bank, an Uzbek volunteer organization, and a VOIP provider.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<ul>
<li>Iolcos Legacy (pictured above), which is a bulk carrier currently located at the port of Imam Khomeini, Iran and is sailing under the flag of Malta.</li>
<li>MSC Qingdao (pictured below), which is a container ship currently en route to the port of Valletta, Malta and is sailing under the flag of Liberia.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little additional effort and lends the email extra credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>JS/Phish.WH!Eldorado – Cyren</li>
<li>HTML/Phishing.Agent.EJD - ESET-NOD32</li>
<li>Trojan:Win32/Sabsik.FL.B!ml – Microsoft</li>
<li>HEUR:Trojan.MSIL.Injuke.gen – Kaspersky</li>
<li>HTML.Doc - Ikarus</li>
</ul>
<p><a href="{{#staticFileLink}}12150960470,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}12150960470,RESIZE_400x{{/staticFileLink}}" width="400" alt="12150960470?profile=RESIZE_400x" /></a>These emails are typically used to propagate generic trojans and their variants. Many of these detections are returning detections from previous reports. We have been seeing JS/Phish.WH!Eldorado since the summer of 2022, with the highest number of detections occurring in the winter and summer months. HTML/Phishing.Agent.EJD is a new detection specific to June of 2023, though it can also be identified as JS/Phish.WH!Eldorado. We have been seeing Trojan:Win32/Sabsik.FL.B!ml since the summer of 2021, with the highest number of detections occurring in the early months of 2022. HEUR:Trojan.MSIL.Injuke.gen is a detection we have been seeing since early 2019; curiously, the highest number of detections tends to occur in June and July. Phishing.HTML.Doc is a generic detection name for emails containing phishing documents, which we have been seeing since before 2018, though the number of detections has increased slightly in the last couple of years.</p>
<p><strong>Vessel Flag of Convenience</strong> – All vessels of shipping size that fall under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) system allows vessel owners to avoid burdensome international legal regulations: ships registered under this system are not connected to the laws of the countries where they are registered. The top five (5) flag states with the largest number of registered vessels are: Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the wider transportation supply chain, since transportation companies are often used as a stepping stone to gain cyber access to more valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>(Archive Copy) Re: Re: Fwd: **TOP URGENT** DHL Airwaybill & Shipping Documents</li>
<li>UPS notification : We have been trying to reach you, Please check.</li>
<li>Re: Statement and invoice</li>
<li>STATEMENT INVOICE FOR JULY</li>
<li>REVISED INVOICE</li>
</ul>
<p>Much like maritime related emails, we can see a number of themes emerge in the subject lines of these malicious emails. Most prevalent in the last month were shipping notifications, statements, and invoices. These emails can also contain impersonations of companies in many industries. In our most recent query we saw a New Zealand industrial rental service, a textiles manufacturer in Istanbul, a Serbian health information service, a Guatemalan welfare service, several shipping companies, and an LMFT therapist in Georgia.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML.Doc – Ikarus</li>
<li>DownLoader.2938 – DrWeb</li>
<li>Win32:PWSX-gen [Trj] – AVG</li>
<li>Trojan[Phishing]/HTML.Agent - Antiy-AVL</li>
<li>Kryptik/JS!8.10DBE (TOPIS:E0:GrcAQhlpVVN) - Rising</li>
</ul>
<p>As mentioned in previous reports, detections found in more general supply chain related emails tend to focus more on phishing malware, as we can see above. Many of those listed are repeat detections from previous reports. Phishing.HTML.Doc was mentioned among the detections in the maritime query but is more prevalent here, since emails matching our supply chain query tend to carry detections focused on phishing activity. W97M.DownLoader.2938 is a trojan downloader that originates in Microsoft Word documents. We have been seeing this detection since late 2018, with the highest number of detections occurring in the middle months of 2021. We have been seeing Win32:PWSX-gen since 2019, with the largest number of detections occurring over the summer of 2022. We have seen Trojan[Phishing]/HTML.Agent since early 2020, though the number of detections was almost negligible between April 2021 and February of 2023. The specific Trojan.Kryptik/JS!8.10DBE detection we have only been seeing since late 2022, though it is worth mentioning that this detection can also be identified as Phishing.HTML.Doc depending on the security vendor.</p>
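<p>As an added example (not Red Sky Alliance's code or tooling), the following Python script applies the method these reports describe to a constructed batch of email records: it picks out the vessel names that follow an MV/MT prefix in a subject line, tags the lure themes the reports name (invoices, purchase orders, shipping documents, port disbursement requests), collapses vendor detection labels into coarse families so that generic stand-ins such as Phishing.HTML.Doc are counted alongside the specific names they cover, and flags which messages should be verified by direct contact before anyone acts on them. The subject lines and detection labels are quoted from the reports above; the dates, sender domains, stop-word and keyword lists, and the family mapping are assumptions made for illustration.</p>

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample records in the shape the report's tables describe:
# (date, subject line, vendor detection label, sender domain). The subject
# lines and detection labels are ones quoted in the reports; the dates and
# sender domains are placeholders, not observed data.
SAMPLE_RECORDS = [
    ("2023-07-01", "[External Mail] MV GOLDEN SCHULTE AGENCY APPOINTMENT / PDA REQUEST",
     "HTML/Phishing.Agent.EJD - ESET-NOD32", "sender-1.example"),
    ("2023-07-03", "RE: PRE DOCUMENTS OF MV STAR TRADER",
     "Siggen.525 – DrWeb", "sender-2.example"),
    ("2023-07-05", "Mv Carina, request proforma D/A, Discharging abt 16600 mts of shredded tyres.",
     "HTML.Doc – Ikarus", "sender-3.example"),
    ("2023-07-08", "Urgent: Overdue Invoice - Immediate Payment Required (Invoice Attached)",
     "HTML/Phish.GVA – Cyren", "sender-4.example"),
    ("2023-07-09", "Re: Purchase Order PO-9528 from Naturgy Energy Group S.A",
     "DownLoader.2938 - DrWeb", "sender-5.example"),
    ("2023-07-10", "Weekly team lunch", "", "internal.example"),  # benign control record
]

# Vessel-name prefixes the report queries for. A name runs until punctuation,
# a common shipping term (assumed stop-word list), or a three-token limit.
# Names without a prefix (e.g. "COSCO SHIPPING ANDES") are not recovered,
# which mirrors the report's own MV/MT keyword method.
VESSEL_PREFIX = re.compile(r"\b(?:MV|MT|M/V|M/T)\b\.?", re.IGNORECASE)
NAME_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9\-]*")
STOP_WORDS = {"AGENCY", "APPOINTMENT", "PDA", "REQUEST", "DOCS", "DOCUMENTS",
              "SHIPPING", "INVOICE", "RE", "FW", "FWD", "FROM", "AT"}

# Lure themes named in the reports (keyword lists are an assumption).
THEME_PATTERNS = {
    "invoice": re.compile(r"\b(?:INVOICE|OVERDUE|PAYMENT|STATEMENT)\b", re.IGNORECASE),
    "purchase_order": re.compile(r"\bPURCHASE ORDER\b|\bPO-\d+", re.IGNORECASE),
    "shipping_documents": re.compile(
        r"\bSHIPPING DOC|\bDOCUMENTS?\b|\bHBL\b|\bAIRWAYBILL\b|\bARRIVAL NOTICE\b", re.IGNORECASE),
    "port_disbursement": re.compile(
        r"\bPDA\b|\bPROFORMA\b|\bD/A\b|\bDISBURSEMENT\b|\bAGENCY APPOINTMENT\b", re.IGNORECASE),
}


def extract_vessel_names(subject: str, max_tokens: int = 3) -> list[str]:
    """Return the vessel names that follow an MV/MT prefix in a subject line."""
    names = []
    for prefix in VESSEL_PREFIX.finditer(subject):
        rest = subject[prefix.end():]
        tokens, pos = [], 0
        for tok in NAME_TOKEN.finditer(rest):
            if rest[pos:tok.start()].strip():      # punctuation between tokens ends the name
                break
            if tok.group().upper() in STOP_WORDS:  # a shipping term ends the name
                break
            tokens.append(tok.group().upper())
            pos = tok.end()
            if len(tokens) == max_tokens:
                break
        if tokens:
            names.append(" ".join(tokens))
    return names


def classify_themes(subject: str) -> list[str]:
    """Return the lure themes whose keywords appear in the subject line."""
    return [theme for theme, pat in THEME_PATTERNS.items() if pat.search(subject)]


def detection_family(label: str) -> str:
    """Collapse a vendor-specific label ("Name – Vendor") into a coarse family."""
    if not label:
        return "none"
    name = label.split(" - ")[0].split(" – ")[0].upper()  # drop the vendor suffix
    if "PHISH" in name or name.endswith("HTML.DOC"):      # HTML.Doc is a generic phishing-doc label
        return "phishing"
    if "DOWNLOADER" in name:
        return "downloader"
    if "CVE-" in name:
        return "exploit"
    return "generic_trojan"


def triage(record) -> dict:
    """Classify one record; a named vessel or a known lure theme means the
    message should be confirmed with the counterparty by direct contact."""
    date, subject, detection, sender = record
    vessels = extract_vessel_names(subject)
    themes = classify_themes(subject)
    return {"date": date, "sender": sender, "vessels": vessels, "themes": themes,
            "family": detection_family(detection),
            "verify_out_of_band": bool(vessels or themes)}


def summarize(records, top_n: int = 5) -> dict:
    """Aggregate a collection the way the report does: most prevalent themes and
    detection families, impersonated vessels, and how many messages need verification."""
    themes, families, vessels, flagged = Counter(), Counter(), set(), 0
    for rec in records:
        t = triage(rec)
        themes.update(t["themes"])
        families[t["family"]] += 1
        vessels.update(t["vessels"])
        flagged += t["verify_out_of_band"]
    return {"total": len(records), "needs_verification": flagged,
            "top_themes": themes.most_common(top_n),
            "top_families": families.most_common(top_n),
            "vessels": sorted(vessels)}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(triage(rec))
    print(summarize(SAMPLE_RECORDS))
```

<p>The extractor deliberately stops at punctuation and at common shipping terms, because a subject such as "MV GOLDEN SCHULTE AGENCY APPOINTMENT" would otherwise swallow the request type into the vessel name; the recovered names can then be checked against a fleet list or vessel register before anyone replies. The family mapping exists only so that the vendor-specific and generic labels the reports discuss are tallied together rather than diluting each other's counts.</p>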
<p><a href="{{#staticFileLink}}12150959465,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12150959465,RESIZE_710x{{/staticFileLink}}" width="600" alt="12150959465?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12150959852,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12150959083,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12150959083,RESIZE_400x{{/staticFileLink}}" width="400" alt="12150959083?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings: </p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
Vessel Impersonation and Supply Chain Report / June 2023 | https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-june-2023 | 2023-06-20T20:50:47.000Z | JD Thomason | https://redskyalliance.org/members/JDThomason
<div><p><a href="{{#staticFileLink}}12057871866,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057871866,RESIZE_400x{{/staticFileLink}}" width="250" alt="12057871866?profile=RESIZE_400x" /></a>Each month Red Sky Alliance queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}12057865276,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><strong><a href="{{#staticFileLink}}12057739499,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057739499,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057739499?profile=RESIZE_710x" /></a></strong></p>
<p><em><a href="{{#staticFileLink}}12057751672,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12057751672,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057751672?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12057758698,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12057758698,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057758698?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}12057774281,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12057774281,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057774281?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}12057789470,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12057789470,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057789470?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12057852282,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>CARGO ARRIVAL NOTICE 2/6/2023</li>
<li>Bill of Lading for 1x40FT Shipping Documents Outstanding Container Release</li>
<li>CMA CGM BLUE WHALE - 1QY12N1NL PEB COPY MISSING</li>
<li>[***SPAM*** Score/Req: 08.0/5.0] FW: M/V MSC QINGDAO - LASHING ITEMS</li>
<li>Arrival Notice of B/L#MEDUSI938235 on MAERSK ARIA III/JE316A received</li>
</ul>
<p>There are several themes represented by the subject lines seen. Specifically, we can see stock requests, arrival notifications, and bill of lading notifications. These emails are seen to utilize common terminology to establish credibility. This credibility can make for a solid lure. In terms of the sending emails themselves, we can see impersonations of companies in many industries. We see logistics companies, a Chinese part manufacturer, and maritime supply companies.</p>
<p><a href="{{#staticFileLink}}12057818278,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}12057818278,RESIZE_400x{{/staticFileLink}}" width="400" alt="12057818278?profile=RESIZE_400x" /></a>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<ul>
<li>Baoshan Hope (pictured right), which is a general cargo ship currently en route to Keelung, Taiwan and is sailing under the flag of Panama.</li>
<li>Dato Fortune (pictured below), which is a bulk carrier currently located at Sokhna Port Anch and is sailing under the flag of Panama.</li>
<li>MSC Qingdao, which is a container ship currently located at Port Said Arch and is sailing under the flag of Liberia.</li>
<li>Xing Fu Hai, which is a bulk carrier currently en route to Richards Bay, South Africa and is sailing under the flag of Singapore.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little extra effort and lends the lure added credibility.</p>
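<p>The reports above describe a monthly query for MV/MT in malicious-email subject lines and group the listed subjects by lure theme (arrival notices, bills of lading, invoices, purchase orders, PDA requests). The Python triage helper below is an added example, not Red Sky Alliance code: it applies that keyword query and theme extraction to subject lines quoted on this page; the regular expressions, the theme labels and the <code>Triage</code> structure are assumptions.</p>

```python
"""Subject-line triage for maritime and supply-chain phishing lures.

Added example, not Red Sky Alliance code. The sample subjects are copied from
the reports on this page; the patterns and theme labels are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Vessel prefixes the reports key on: MV, MT, M/V, M/T. The vessel name is either
# quoted ("High Speed") or a bare run of words ending at a delimiter or end of line.
VESSEL_PREFIX = re.compile(
    r"\b(?:M/?V|M/?T)\b\s*"
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[A-Za-z0-9][A-Za-z0-9 ]*?))'
    r"(?=\s*(?:[-–/|,(]|$))",
    re.IGNORECASE,
)

# Mail-gateway tag seen in one listed subject: "[***SPAM*** Score/Req: 08.0/5.0]".
GATEWAY_TAG = re.compile(r"\[\*{3}SPAM\*{3}\s*Score/Req:\s*([\d.]+)/([\d.]+)\]")

# Lure themes the reports discuss, as case-insensitive patterns (assumed labels).
THEMES = {
    "arrival_notice": re.compile(r"arrival notice", re.I),
    "bill_of_lading": re.compile(r"bill of lading|\bb/?l\b", re.I),
    "shipping_documents": re.compile(r"shipping documents|packing list", re.I),
    "invoice": re.compile(r"\binvoice", re.I),
    "purchase_order": re.compile(r"purchase order", re.I),
    "quotation": re.compile(r"quotation|\brfq\b", re.I),
    "stock_request": re.compile(r"stock request", re.I),
    "agency_pda": re.compile(r"agency appointment|\bpda\b", re.I),
    "delivery_notification": re.compile(r"shipment notification|delivery confirmation", re.I),
    "payment": re.compile(r"payment confirmation", re.I),
}

# Themes that mark a shipping-document lure even when no vessel is named.
MARITIME_THEMES = {"arrival_notice", "bill_of_lading", "shipping_documents",
                   "agency_pda", "stock_request"}


@dataclass
class Triage:
    subject: str
    vessel: Optional[str] = None
    themes: List[str] = field(default_factory=list)
    gateway_score: Optional[Tuple[float, float]] = None  # (score, threshold)
    forwarded: bool = False

    @property
    def maritime_lure(self) -> bool:
        """True when the subject names a vessel or uses a shipping-document theme."""
        return self.vessel is not None or bool(MARITIME_THEMES & set(self.themes))


def triage_subject(subject: str) -> Triage:
    """Extract vessel name, lure themes, gateway tag and FW/RE prefix from one subject."""
    t = Triage(subject=subject)
    m = VESSEL_PREFIX.search(subject)
    if m:
        t.vessel = (m.group("quoted") or m.group("bare")).strip()
    t.themes = [name for name, pat in THEMES.items() if pat.search(subject)]
    g = GATEWAY_TAG.search(subject)
    if g:
        t.gateway_score = (float(g.group(1)), float(g.group(2)))
    # Drop the gateway tag before looking for a forwarded/reply prefix.
    body = GATEWAY_TAG.sub("", subject).strip()
    t.forwarded = re.match(r"(?:fw|fwd|re)\s*:", body, re.I) is not None
    return t


def vessel_query(subjects) -> List[Triage]:
    """The monthly MV/MT query the reports describe: subjects that name a vessel."""
    return [t for t in map(triage_subject, subjects) if t.vessel is not None]


def theme_counts(subjects) -> Counter:
    """Count lure themes over a batch, as in the reports' discussion of subject themes."""
    counts = Counter()
    for s in subjects:
        counts.update(triage_subject(s).themes)
    return counts


# Constructed batch: subject lines quoted in the reports above.
SAMPLE_SUBJECTS = [
    "CARGO ARRIVAL NOTICE 2/6/2023",
    "Bill of Lading for 1x40FT Shipping Documents Outstanding Container Release",
    "[***SPAM*** Score/Req: 08.0/5.0] FW: M/V MSC QINGDAO - LASHING ITEMS",
    "Arrival Notice of B/L#MEDUSI938235 on MAERSK ARIA III/JE316A received",
    'Request for Quotation MV "High Speed"',
    "AGENCY APPOINTMENT // PDA REQUEST",
    "Re: Proforma Invoice",
    "DHL: AWB Shipment Notification!",
]

if __name__ == "__main__":
    for t in map(triage_subject, SAMPLE_SUBJECTS):
        print(f"{t.maritime_lure!s:5} vessel={t.vessel!r:16} themes={t.themes} "
              f"gateway={t.gateway_score} fw={t.forwarded}")
    print(theme_counts(SAMPLE_SUBJECTS).most_common(3))
```

<p>A subject that names a vessel or carries a shipping-document theme is only a reason to route the message for closer review; the reports' own advice, verifying the sender through a separate channel, is still the control that decides.</p>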
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>HTML.Phish.aar – ZoneAlarm</li>
<li>Other:SNH-gen [Phish] – Avast</li>
<li>HTML.Doc – Ikarus</li>
<li>HTML/FakeLogin.A!phish – Fortinet</li>
<li>Artemis!239D47EF2B01 – McAfee</li>
</ul>
<p><a href="{{#staticFileLink}}12057837471,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057837471,RESIZE_400x{{/staticFileLink}}" width="350" alt="12057837471?profile=RESIZE_400x" /></a></p>
<p>These emails are typically used for the propagation of generic trojans and their variants. Interestingly, this month’s most prevalent detections are more focused on phishing malware than in previous reports. Hoax.HTML.Phish.aar we have been seeing since the last quarter of 2021. HTML.Phish variants are generally known for being malicious, password-stealing websites much like with Phishing.HTML. Other:SNH-gen [Phish] we have seen consistently since early 2021 with the heaviest occurrences in July of 2022. HTML/FakeLogin.A!phish is a detection name that we have been seeing since fall of 2022 and depending on the identifier of the detection this can also be identified as Other:SNH-gen [Phish]. Artemis!239D47EF2B01 is a detection name that we have only been seeing very recently and appears to be related to MSIL.Keylogger, which is a trojan that is meant to run in the background of a victim’s machine monitoring and logging keyboard activity.</p>
<p><strong>Vessel Flag of Convenience</strong> – All vessels of a size that brings them under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) is the system that allows vessel owners to avoid burdensome international legal regulations. When ships are registered under this system, they are not connected to the laws of the countries in which they are registered. The top five (5) flag states with the largest number of registered vessels are: Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>Re: Proforma Invoice</li>
<li>Payment confirmation: Invoice #2782-</li>
<li>Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List</li>
<li>Urgent Purchase Order 29 May 2023</li>
<li>DHL: AWB Shipment Notification!</li>
</ul>
<p>Much like maritime related emails, we can see a number of themes emerge in the subject lines of these malicious emails. Most prevalently in the last month, we can see invoices, purchase orders and delivery confirmations. In terms of the sending emails, we can see a Nigerian print services store, a commercial real estate broker, a compressed air products distributor, an Australian digital marketing firm, and the town of Smithtown, New York.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML.Doc – Ikarus</li>
<li>HEUR:Trojan.Script.Generic – ZoneAlarm</li>
<li>HTML/Phishing.Office.AO – ESET-NOD32</li>
<li>Trojan[Phishing]/HTML.Agent – Antiy-AVL</li>
<li>Trojan.44094 – CAT-QuickHeal</li>
</ul>
<p>As mentioned in previous reports, detections found in more general supply chain related emails tend to exhibit more focus on phishing malware, as we can see above. Many of those listed are repeat detections from previous reports. Phishing.HTML variants we have been seeing since 2016, with the largest number of detections occurring near the beginning of 2021 and recently at the end of 2022. HEUR:Trojan.Script.Generic we have seen consistently since 2016, with the heaviest activity occurring in the spring/summer months of 2017 and 2020. HTML/Phishing.Office.AO is a relatively new detection name that we have been seeing since the beginning of the year, but depending on the vendor identifying the detection, this can also be seen as another Phishing.HTML variant along with Trojan[Phishing]/HTML.Agent. Script.Trojan variants we have been seeing since 2016, with the heaviest activity occurring in August of 2021 and December of 2022.</p>
<p><a href="{{#staticFileLink}}12057697072,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}12057697072,RESIZE_710x{{/staticFileLink}}" width="600" alt="12057697072?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}12057714662,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}12057693057,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12057693057,RESIZE_400x{{/staticFileLink}}" width="400" alt="12057693057?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings: </p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>
Vessel Impersonation and Supply Chain Report / May 2023 | https://redskyalliance.org/transportation/vessel-impersonation-and-supply-chain-report-may-2023 | 2023-05-19T16:01:07.000Z | JD Thomason | https://redskyalliance.org/members/JDThomason
<div><p><a href="{{#staticFileLink}}11129787883,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11129787883,RESIZE_400x{{/staticFileLink}}" width="250" alt="11129787883?profile=RESIZE_400x" /></a>Each month Red Sky Alliance queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. <a href="{{#staticFileLink}}11129789860,original{{/staticFileLink}}">Full report available here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}11129787087,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}11129787087,RESIZE_710x{{/staticFileLink}}" width="600" alt="11129787087?profile=RESIZE_710x" /></a></p>
<p><a href="{{#staticFileLink}}11129787279,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11129787279,RESIZE_710x{{/staticFileLink}}" width="600" alt="11129787279?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}11129787300,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11129787300,RESIZE_710x{{/staticFileLink}}" width="600" alt="11129787300?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}11129787868,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11129787868,RESIZE_710x{{/staticFileLink}}" width="600" alt="11129787868?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p><a href="{{#staticFileLink}}11129786855,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11129786855,RESIZE_710x{{/staticFileLink}}" width="600" alt="11129786855?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}11129786884,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>STOCK REQUEST for 01 x 20' Container (10 Pallets) –</li>
<li>OOCL Arrival Notice At Final Destination: OOLU2035400734 | COSCO SHIPPING ROSE - 029E</li>
<li>AGENCY APPOINTMENT // PDA REQUEST</li>
<li>Maersk Line Shipping Bill Of Lading Documents</li>
<li>Request for Quotation MV "High Speed"</li>
</ul>
<p><a href="{{#staticFileLink}}11129785487,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}11129785487,RESIZE_400x{{/staticFileLink}}" width="400" alt="11129785487?profile=RESIZE_400x" /></a>There are several themes represented by the subject lines seen. Specifically, we can see stock and quote requests, arrival notifications, and bill of lading notifications. These emails are seen to utilize common terminology to establish credibility. This credibility can make for a solid lure. In terms of the sending emails themselves, we can see impersonations of companies in many industries. Notably, we see a Persian home supply store, transportation and logistics companies, and a Japanese home supply manufacturer.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<ul>
<li>Good Luck I (pictured below), which is a bulk carrier currently en route to ID TKN and is sailing under the flag of Liberia</li>
<li>Ru Yi II (pictured to the right), which is a general cargo ship currently en route to Balikpapan, Indonesia and is sailing under the flag of Singapore</li>
<li>Ultra Margay, which is a bulk carrier currently en route to the port of Singapore and is sailing under the flag of Singapore</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little extra effort and lends the lure added credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Outbreak – Ikarus</li>
<li>Gen:Mail.Stacked.3.20 (B) – Emsisoft</li>
<li>NSIS.Agent – Ikarus</li>
<li>Mal/DrodRar-AIC – Sophos</li>
<li>Troj/RTFDl-CJA – Sophos</li>
</ul>
<p><a href="{{#staticFileLink}}11129788699,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11129788699,RESIZE_400x{{/staticFileLink}}" width="400" alt="11129788699?profile=RESIZE_400x" /></a></p>
<p>These emails are typically used for the propagation of generic trojans and their variants, such as those listed above. Win32.Outbreak trojans tend to act as “backdoors” and allow for the remote control of machines. We have been seeing detections of this since 2016, with the heaviest activity from mid-2017 to mid-2018. The number of recent detections is significantly lower by comparison. Gen:Mail.Stacked.3.20 we have only been seeing since May of last year. Trojan.NSIS.Agent and Mal/DrodRar-AIC are returning detections from previous reports. Trojan.NSIS.Agent we have been seeing since early 2021, while Mal/DrodRar-AIC we have been seeing since late 2020. Troj/RTFDl-CJA is a relatively new detection that we have been seeing since late 2022; it can also be identified as HEUR:Exploit.MSOffice.CVE-2018-0802.gen, which relates to a 2018 vulnerability in Microsoft Office software that allows remote code execution.</p>
<p><strong>Vessel Flag of Convenience</strong> – All vessels of a size that brings them under international law must fly the flag of the country in which they are registered. The flag of convenience (FOC) is the system that allows vessel owners to avoid burdensome international legal regulations. When ships are registered under this system, they are not connected to the laws of the countries in which they are registered. The top five (5) flag states with the largest number of registered vessels are: Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analyst began looking into the transportation supply chain, as often these transportation companies are used to gain cyber access to valuable targets. Maritime shipping is just one portion of the entire commercial transportation supply chain. By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>Invoices - CAM006 - Run Number 465 - 2 Invoice(s) Processed</li>
<li>April invoice</li>
<li>DHL Delivery Confirmation and Invoice Receipt</li>
<li>AutoPacific NZ Invoice – 339609</li>
<li>Purchase order</li>
</ul>
<p>Much like maritime related emails, we can see a number of themes emerge in the subject lines of these malicious emails. Most prevalently in the last month, we can see invoices, purchase orders and delivery confirmations. In terms of the sending emails, we can see Intuit order summaries, vehicle accessory manufacturers, personal iCloud addresses, a New Zealand pipe manufacturer, temperature sensing and instrumentation manufacturers, shipping companies, and a Methodist church.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML.Doc – Ikarus</li>
<li>HTML/Phish.GEJ – Cyren</li>
<li>JS.Downloader.ulcha – Sangfor</li>
<li>HEUR:Trojan.Script.Generic – ZoneAlarm</li>
<li>JS/Phish.AEV!Eldorado – Cyren</li>
</ul>
<p>As mentioned in previous reports, detections found in more general supply chain related emails tend to exhibit more focus on phishing malware, as we can see above. Many of these are repeat detections from previous reports, such as Phishing.HTML.Doc, which we have been seeing since 2016. HTML/Phish.GEJ is a relatively new detection that we have been seeing since late 2022. This specific detection is representative of a phishing page intending to steal Microsoft account credentials. Trojan.JS.Downloader.ulcha we have only been seeing the last couple of months and it represents a generic downloader trojan, which is intended to download more malicious software onto its infected machine. HEUR:Trojan.Script.Generic we have been seeing since early 2017 and JS/Phish.AEV!Eldorado is another recent detection that we have only been seeing since March.</p>
<p><a href="{{#staticFileLink}}11129786268,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11129786268,RESIZE_710x{{/staticFileLink}}" width="600" alt="11129786268?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}11129786481,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Closing</strong>: These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up cyber-attacks targeting larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of products being shipped in the maritime related supply chain, this is a serious matter. </p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall victim to a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}11129780254,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11129780254,RESIZE_400x{{/staticFileLink}}" width="400" alt="11129780254?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, to include Vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years (and maintain historical reports). For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a><strong><u> </u></strong></li>
</ul>
<p>Weekly Cyber Intelligence Briefings: </p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p>
<p> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>Vessel Impersonation & Supply Chain Spoofing / April 2023https://redskyalliance.org/transportation/vessel-impersonation-supply-chain-spoofing-april-20232023-04-20T20:55:40.000Z2023-04-20T20:55:40.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><a href="{{#staticFileLink}}11030742296,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11030742296,RESIZE_400x{{/staticFileLink}}" alt="11030742296?profile=RESIZE_400x" width="250" /></a>Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. Full report download available <a href="{{#staticFileLink}}11030744880,original{{/staticFileLink}}">here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}11030742860,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11030742860,RESIZE_710x{{/staticFileLink}}" alt="11030742860?profile=RESIZE_710x" width="650" /></a></p>
<p><em><a href="{{#staticFileLink}}11030743252,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11030743252,RESIZE_584x{{/staticFileLink}}" alt="11030743252?profile=RESIZE_584x" width="450" /></a></em></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}11030743278,original{{/staticFileLink}}"><img src="{{#staticFileLink}}11030743278,RESIZE_584x{{/staticFileLink}}" alt="11030743278?profile=RESIZE_584x" width="450" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}11030743670,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11030743670,RESIZE_710x{{/staticFileLink}}" alt="11030743670?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}11030743884,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11030743884,RESIZE_710x{{/staticFileLink}}" alt="11030743884?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection over the last 30 days. Information extrapolated from the subject line. <a href="{{#staticFileLink}}11030744855,original{{/staticFileLink}}">Full table attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>Jiangsu Haibang Freight entrusts EM23001 CIF LCB FIRST THAILAND to send Foster materials to Thailand</li>
<li>Maersk : Arrival Notice ready for Bill of Lading 209530072.</li>
<li>RE: Re: DRAFT BL _INV_SHIPPING DOCUMENT// INVOICE NO: Container Shipping_CUSTOMS DETAILS</li>
<li>Your Transport Plan has Changed – Maersk</li>
<li>RE: VSL: MV ASIA EMERALD II, ORDER: AHOC-A77180011E</li>
</ul>
<p><a href="{{#staticFileLink}}11030745056,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11030745056,RESIZE_400x{{/staticFileLink}}" alt="11030745056?profile=RESIZE_400x" width="250" /></a></p>
<p> </p>
<p>Several themes appear in these subject lines: shipping notifications, invoice notifications, itinerary change notices, and order notices. The emails use routine shipping vocabulary (bill of lading, arrival notice, order number) to establish credibility, which makes for a convincing lure. The sender addresses impersonate companies in many industries; this month they include Chinese email providers, shipping accounting software companies, logistics companies, an Indonesian commodities exporter, and a Middle Eastern shipping agency.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<p> </p>
<ul>
<li>Indigo Flora (pictured above), which is a bulk carrier that is currently located at Puerto Quetzal Anch and is sailing under the flag of Marshall Islands</li>
<li>Strategic Spirit (pictured below), which is a bulk carrier that is currently en route to Pisco, Peru and is sailing under the flag of Singapore</li>
<li>Aquajoy, which is a bulk carrier that is currently en route to Balboa, Panama and is sailing under the flag of Panama</li>
</ul>
<p>Fabricating a vessel name is easy, but looking up a real ship's name takes hardly any more effort and adds credibility: the name, current voyage and flag of any commercial vessel are published by public ship-tracking services. A real vessel name in the subject line is therefore no evidence that the sender has any connection to that ship.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>HTML/FakeLogin.A!phish – Fortinet</li>
<li>EXP/CVE-2017-0199.Gen - F-Secure</li>
<li>Trojan[Phishing]/HTML.Phish - Antiy-AVL</li>
<li>Gen:NN.ZemsilF.36132.5m0@au312Nh – BitDefenderTheta</li>
<li>Zmutzy.1081 – BitDefender</li>
</ul>
<p><a href="{{#staticFileLink}}11030745257,RESIZE_710x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}11030745257,RESIZE_400x{{/staticFileLink}}" alt="11030745257?profile=RESIZE_400x" width="250" /></a>These emails are typically used to propagate generic trojans and their variants, such as Trojan.Zmutzy.1081 and Gen:NN.ZemsilF.36132.5m0@au312Nh; both are heuristic vendor labels for a packed or obfuscated trojan rather than the names of a specific malware family. There are also clear phishing detections, HTML/FakeLogin.A!phish and Trojan[Phishing]/HTML.Phish, which flag HTML attachments that present a fake login page to harvest credentials. We have seen HTML.Phish variants off and on since late 2019, while FakeLogin.A!phish is a relatively new label that we have seen since late 2022. The EXP/CVE-2017-0199.Gen detection flags documents that exploit CVE-2017-0199, a remote code execution flaw in the way Microsoft Office and WordPad handle embedded OLE objects, typically delivered as a crafted RTF attachment and patched by Microsoft in April 2017. We have seen this detection off and on since mid-2019, but recent months have shown higher levels than previously seen.</p>
<p><strong>Vessel Flag of Convenience</strong> – Every merchant vessel engaged in international trade must be registered with a flag state and sail under that state's flag, and it is that state's law which governs the ship. A flag of convenience (FOC) is a registry in a country other than the one where the ship's owners are based, chosen because it imposes lower costs, taxes or regulatory burdens. Ships registered this way are subject to the flag state's rules rather than to the laws of the owner's home country, so the flag a vessel flies says little about where its owners or operators are based. The five flag states with the largest number of registered vessels are Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong>: In 2023, our analysts began looking at the wider transportation supply chain, since transportation companies are often compromised as a stepping stone to more valuable targets. Maritime shipping is only one part of the commercial transportation supply chain. Querying our data with a set of supply chain keywords surfaces malicious emails with a more general logistics theme. The five most prevalent subject lines in that set are as follows:</p>
<ul>
<li>MAURI anz Tax Invoice 106339611 1182600 20230321</li>
<li>AIR WAY BILL - INVOICE AND PACKING LIST</li>
<li>FedEx Billing - Invoice Ready for Payment</li>
<li>DHL TRACKING NUMBER // ORIGINAL SCAN DOCUMENTS // VERIFY BL COPY FOR CHECKING // SHIPMENT ADVISE AGAINST OUR CONTRACT NO- WGCBD-141-21/22 (02X40\" 28LBS/1PLY)</li>
<li>(2) Invoice Payment</li>
</ul>
<p> </p>
<p><a href="{{#staticFileLink}}11030745274,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}11030745274,RESIZE_710x{{/staticFileLink}}" alt="11030745274?profile=RESIZE_710x" width="650" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection over the last 30 days. Information extrapolated from the subject line. <a href="{{#staticFileLink}}11030745289,original{{/staticFileLink}}">Full table attached.</a></p>
<p>As with the maritime emails, several themes emerge in the subject lines: invoices, packing lists, payment requests, and tracking notifications. The spoofed or impersonated senders this month include Penn State University, the Houston Botanic Garden, Cambodian financial institutions, biofuel manufacturers, and shipping companies; a sender with no connection to logistics is itself a warning sign when the subject line claims to be a shipping document.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML.Doc – Ikarus</li>
<li>Other:SNH-gen [Phish] – Avast</li>
<li>HTML.PHISH.SMJM3 – TrendMicro</li>
<li>DownLoader45.50863 – DrWeb</li>
<li>HEUR:Trojan.Script.Generic - Kaspersky</li>
</ul>
<p>Supply chain email detections tend to be phishing detections, as with Phishing.HTML.Doc, Other:SNH-gen, and Trojan.HTML.PHISH.SMJM3. These are HTML attachments or links that present fraudulent web pages in order to lure the user into exposing personal information such as usernames, passwords, or financial details. We have seen Phishing.HTML.Doc since mid-2017, with a resurgence over the last year and a heavy spike of detections in July 2022. Other:SNH-gen has appeared since early 2021, with similarly heavy activity in the summer of last year. Trojan.HTML.PHISH.SMJM3 is a newer detection that we have only seen in the last couple of months. Trojan.DownLoader45.50863 and HEUR:Trojan.Script.Generic are generic trojan detections, as discussed above.</p>
<p><strong>Closing</strong>: These results illustrate how a recipient could be fooled into opening an infected email and what dangers accompany such emails. Attackers commonly target individual links in a company's supply chain as a foothold for attacks on larger companies. A compromised recipient becomes an infected member of the maritime supply chain and can in turn infect vessels, port facilities and shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of goods moving through the maritime supply chain, this is a serious matter. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>Vessel Impersonation & Supply Chain Spoofing / March 2023https://redskyalliance.org/transportation/vessel-impersonation-supply-chain-spoofing-march-20232023-03-17T20:31:45.000Z2023-03-17T20:31:45.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><a href="{{#staticFileLink}}10999205498,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10999205498,RESIZE_400x{{/staticFileLink}}" width="250" alt="10999205498?profile=RESIZE_400x" /></a>Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. Full report download available <a href="{{#staticFileLink}}10999213489,original{{/staticFileLink}}">here.</a></p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><strong><a href="{{#staticFileLink}}10999206253,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10999206253,RESIZE_710x{{/staticFileLink}}" width="700" alt="10999206253?profile=RESIZE_710x" /></a></strong></p>
<p> </p>
<p style="text-align:center;"><strong><a href="{{#staticFileLink}}10999205884,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10999205884,RESIZE_584x{{/staticFileLink}}" width="500" alt="10999205884?profile=RESIZE_584x" /></a></strong></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}10999206288,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10999206288,RESIZE_584x{{/staticFileLink}}" width="500" alt="10999206288?profile=RESIZE_584x" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}10999206095,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10999206095,RESIZE_584x{{/staticFileLink}}" width="500" alt="10999206095?profile=RESIZE_584x" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}10999206879,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10999206879,RESIZE_710x{{/staticFileLink}}" width="600" alt="10999206879?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection over the last 30 days. Information extrapolated from the subject line. <strong> <a href="{{#staticFileLink}}10999206683,original{{/staticFileLink}}">Full table attached.</a></strong></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>Urgent offer - Include freight price to - (Northern Orange County, California)</li>
<li>VSL: MV WINNING OCEAN, ORDER: MAR-A0303B</li>
<li>RE:SOA Ocean Bright Logistics.</li>
<li>M/V MODY M - DISCHARGING SALT IN BULK 9820 MT - PORT PDA</li>
<li>NEED URGENT PDA FOR DISCHARGING 36,000 MT BAGGED SUGAR</li>
</ul>
<p><a href="{{#staticFileLink}}10999207896,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10999207896,RESIZE_400x{{/staticFileLink}}" width="327" alt="10999207896?profile=RESIZE_400x" /></a></p>
<p>Several themes appear in these subject lines: order invoices, itinerary status notifications, and discharge requests (the PDA, or proforma disbursement account, requests are the port agent's estimate of port costs, a routine document in ship operations). The emails use routine shipping vocabulary to establish credibility, which makes for a convincing lure. The sender addresses impersonate companies in many industries; this month they are mainly ship management and logistics companies, but common impersonations also include shipping and transport companies, businesses in unrelated areas such as home building, universities, and even government entities.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<p> </p>
<ul>
<li>Winning Ocean (pictured above), which is a bulk carrier that is “currently en route to Fangcheng, China” and is sailing under the flag of Liberia.</li>
<li>Sun Grace, which is a bulk carrier that is “currently en route to Shanghai, China” and is sailing under the flag of Korea.</li>
<li>Spinnaker SW (pictured below), which is a bulk carrier that is “currently en route to Zhangzhou, China” and is sailing under the flag of Panama.</li>
<li>SCSC Luck, which is a general cargo ship that is “currently en route to Lubuk Gaung, Indonesia” and is sailing under the flag of Hong Kong.</li>
<li>Oak Harbour, which is a bulk carrier that is “currently en route to Dalian Anchorage” and is sailing under the flag of Hong Kong.</li>
</ul>
<p>Fabricating a vessel name is easy, but looking up a real ship's name takes hardly any more effort and adds credibility: the name, current voyage and flag of any commercial vessel are published by public ship-tracking services. A real vessel name in the subject line is therefore no evidence that the sender has any connection to that ship.</p>
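<p>The subject-line analysis above, like the April 2023 analysis before it, starts from a plain query for MV or MT in the subject line. The following Python script is an added example, not Red Sky Alliance's tooling, and shows how to turn that query into a slightly more careful detector: it extracts the vessel name after an MV, M/V, MT or M.T. prefix, ignores an MT that follows a number (in "9820 MT" it means metric tons, not Motor Tanker), tags the lure theme from the subject-line vocabulary, and checks the name against a watchlist. The watchlist is compiled from vessel names mentioned in these reports, the sample subjects are the ones quoted above plus two made-up lines, and the theme vocabulary is my own choice.</p>

```python
"""Flag vessel-impersonation lures in e-mail subject lines.

Added example, not Red Sky Alliance tooling. Mirrors the report's
"MV/MT in the subject line" query with two refinements a detection
engineer needs: an "MT" that follows a number is a cargo quantity
(metric tons), not a Motor Tanker prefix, and an extracted name is
checked against a watchlist of vessels already seen being impersonated.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Prefix forms seen in the reports: MV, M/V, M.V., MT, M/T, M.T.
# The name must start with a letter, so "9820 MT -" cannot yield one,
# and it ends at a comma, slash, parenthesis, " - " or end of line.
_VESSEL_RE = re.compile(
    r"\bM(?:\.|\s*/\s*)?(?P<kind>[VT])\.?\s+"
    r"(?P<name>[A-Z][A-Z0-9 .'&-]*?[A-Z0-9])"
    r"(?=\s*(?:[,/(]|\s-\s|$))",
    re.IGNORECASE,
)
# A number right before the prefix marks a quantity, e.g. "36,000 MT BAGGED SUGAR".
_QUANTITY_BEFORE = re.compile(r"\d[\d,.]*\s*$")


def _kw(*phrases: str) -> "re.Pattern[str]":
    """Case-insensitive whole-word match for any phrase (a space matches any whitespace)."""
    alts = "|".join(re.escape(p).replace(r"\ ", r"\s+") for p in phrases)
    return re.compile(rf"(?<![a-z0-9])(?:{alts})(?![a-z0-9])", re.IGNORECASE)


# Lure themes the reports call out, keyed by the vocabulary that signals them (my choice).
_THEMES = {
    "bill_of_lading": _kw("bill of lading", "draft bl", "bl copy", "original bl", "bl"),
    "invoice": _kw("invoice", "inv"),
    "shipping_notice": _kw("arrival notice", "shipping document", "shipping documents",
                           "shipment", "tracking number", "transport plan",
                           "air way bill", "airway bill", "packing list"),
    "port_disbursement": _kw("pda"),
    "cargo_ops": _kw("discharging", "discharge", "loading"),
    "order": _kw("order", "purchase order"),
    "payment": _kw("payment"),
}

# Constructed from vessel names quoted in these reports.
WATCHLIST = frozenset({
    "ASIA EMERALD II", "WINNING OCEAN", "SUN GRACE", "SPINNAKER SW", "SCSC LUCK",
    "OAK HARBOUR", "INDIGO FLORA", "STRATEGIC SPIRIT", "AQUAJOY",
})


@dataclass(frozen=True)
class SubjectHit:
    subject: str
    vessel: Optional[str]      # normalised name, e.g. "WINNING OCEAN"
    kind: Optional[str]        # "MV" (Motor Vessel) or "MT" (Motor Tanker)
    themes: Tuple[str, ...]    # lure themes present, alphabetical
    on_watchlist: bool         # vessel already seen being impersonated


def extract_vessel(subject: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (kind, name) for the first genuine vessel prefix, else (None, None)."""
    for m in _VESSEL_RE.finditer(subject):
        if _QUANTITY_BEFORE.search(subject[: m.start()]):
            continue  # "... 36,000 MT BAGGED SUGAR": tons of cargo, not a tanker
        name = " ".join(m.group("name").upper().split())
        return "M" + m.group("kind").upper(), name
    return None, None


def analyze(subject: str, watchlist: Iterable[str] = WATCHLIST) -> SubjectHit:
    """Vessel, lure themes and watchlist status for one subject line."""
    kind, name = extract_vessel(subject)
    themes = tuple(sorted(t for t, rx in _THEMES.items() if rx.search(subject)))
    return SubjectHit(subject, name, kind, themes, bool(name and name in set(watchlist)))


def triage(subjects: Iterable[str], watchlist: Iterable[str] = WATCHLIST) -> List[SubjectHit]:
    """Keep subjects that name a vessel or carry a lure theme; watchlist hits first."""
    hits = [analyze(s, watchlist) for s in subjects]
    hits = [h for h in hits if h.vessel or h.themes]
    return sorted(hits, key=lambda h: (not h.on_watchlist, h.vessel is None))


# Subject lines quoted in the reports, plus two made-up lines (marked).
SAMPLE_SUBJECTS = [
    "RE: VSL: MV ASIA EMERALD II, ORDER: AHOC-A77180011E",
    "VSL: MV WINNING OCEAN, ORDER: MAR-A0303B",
    "M/V MODY M - DISCHARGING SALT IN BULK 9820 MT - PORT PDA",
    "NEED URGENT PDA FOR DISCHARGING 36,000 MT BAGGED SUGAR",
    "Maersk : Arrival Notice ready for Bill of Lading 209530072.",
    "RE: Re: DRAFT BL _INV_SHIPPING DOCUMENT// INVOICE NO: Container Shipping_CUSTOMS DETAILS",
    "M.T. EXAMPLE TANKER / DISCHARGE PLAN",   # made up: dotted tanker prefix
    "Crew change schedule for next week",     # made up: no lure vocabulary, dropped by triage
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_SUBJECTS):
        flag = "WATCHLIST" if hit.on_watchlist else "         "
        print(f"{flag} {hit.kind or '--'} {hit.vessel or '-':<16} "
              f"{','.join(hit.themes):<34} {hit.subject[:48]}")
```

<p>Run as a script it prints the two watchlist hits first, then the other vessel-bearing subjects, then the vessel-less lures, and drops the crew-change line. The quantity guard is the point worth keeping even if the rest is replaced: a bare substring search for "MT" matches every cargo weight in a ship's correspondence, which is exactly the noise that makes analysts stop reading alerts. Obfuscated subjects (homoglyphs, zero-width characters) still get past this; normalise the text before matching if that becomes a problem.</p>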
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Win32:PWSX-gen [Trj] – AVG</li>
<li>HEUR:Trojan.Script.Generic – ZoneAlarm</li>
<li>OLE:CVE-2017-11882-B [Expl] – Avast</li>
<li>Gen:Variant.Babar.161191 – BitDefender</li>
<li>Gen:Variant.MSILKrypt.4 - BitDefender</li>
</ul>
<p><a href="{{#staticFileLink}}10999207288,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10999207288,RESIZE_400x{{/staticFileLink}}" width="316" alt="10999207288?profile=RESIZE_400x" /></a></p>
<p>These emails are typically used to propagate generic trojans and their variants, as with Win32:PWSX-gen, HEUR:Trojan.Script.Generic, Gen:Variant.Babar.161191, and Gen:Variant.MSILKrypt.4. These are heuristic vendor labels rather than named families: PWSX-gen denotes a password-stealing trojan, and MSILKrypt denotes a packed or obfuscated .NET (MSIL) executable. We have seen MSILKrypt variants since early 2017; these strains are generally noted for information stealing and keylogging. We have seen Babar variants since 2018, and curiously this detection appears most often during the summer months. Win32:PWSX-gen detections have held relatively steady since 2018. We have seen CVE-2017-11882 related detections since the summer of 2019, with the heaviest activity beginning in the summer of 2021. CVE-2017-11882 is a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) of older Microsoft Office versions, patched in November 2017; a crafted equation object embedded in a document, usually an RTF attachment, triggers it when the file is opened on an unpatched machine, without macros or any further user interaction, which is why it remains popular in commodity phishing years after the fix.</p>
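<p>The two Office exploits named in these reports, CVE-2017-0199 in the April 2023 analysis and CVE-2017-11882 here, both arrive as an embedded OLE object, most often inside an RTF attachment. The following Python script is an added example, not Red Sky Alliance's detection and not a signature from any of the vendors listed. It shows the triage check an analyst can run on an RTF before opening it: pull every \objclass name and \objdata blob, decode the OLE 1.0 object header to learn which application will be asked to render the object, and flag Equation Editor objects, OLE2Link objects and the \objupdate control word that makes an object refresh on open. The sample documents are constructed and contain only the object header, no payload; the indicator table is my own.</p>

```python
"""Triage an RTF attachment for the embedded-object tricks behind
CVE-2017-0199 (OLE2Link) and CVE-2017-11882 (Equation Editor).

Added example, not part of the report or any vendor signature. Findings
are indicators for analyst review, not proof that the file is malicious.
"""
import re
import struct
from typing import Dict, List

_OBJCLASS = re.compile(r"\{\\\*\\objclass\s+([^}\\]+)\}", re.IGNORECASE)
_OBJDATA = re.compile(r"\{\\\*\\objdata\s+([0-9a-fA-F\s]+)\}", re.IGNORECASE)
_OBJUPDATE = re.compile(r"\\objupdate\b", re.IGNORECASE)

# Object classes worth a second look, with the reason (my own table).
SUSPICIOUS_CLASSES = {
    "Equation.3": "Equation Editor (EQNEDT32.EXE) object: CVE-2017-11882 and related bugs",
    "Equation.2": "Equation Editor (EQNEDT32.EXE) object: CVE-2017-11882 and related bugs",
    "OLE2Link": "OLE2Link object: CVE-2017-0199 remote HTA/document fetch",
    "Package": "Packager object: embedded file, often a script or executable",
}


def ole1_class_name(blob: bytes) -> str:
    """Class name from an OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4), or "" if malformed.

    Layout: OLEVersion (4 bytes), FormatID (4 bytes, 1 = linked, 2 = embedded),
    then a length-prefixed, NUL-terminated ANSI class name.
    """
    if len(blob) < 12:
        return ""
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or not 0 < name_len <= 256 or len(blob) < 12 + name_len:
        return ""
    return blob[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")


def scan_rtf(rtf: str) -> Dict[str, object]:
    """Collect object class names from \\objclass and decoded \\objdata, then rate them."""
    classes = {c.strip() for c in _OBJCLASS.findall(rtf)}
    for hexblob in _OBJDATA.findall(rtf):
        digits = "".join(hexblob.split())
        try:
            blob = bytes.fromhex(digits[: len(digits) - len(digits) % 2])
        except ValueError:
            continue  # not clean hex: hand the file to a real parser (oletools rtfobj)
        name = ole1_class_name(blob)
        if name:
            classes.add(name)
    findings: List[str] = [f"{c}: {SUSPICIOUS_CLASSES[c]}"
                           for c in sorted(classes) if c in SUSPICIOUS_CLASSES]
    if _OBJUPDATE.search(rtf):
        findings.append(r"\objupdate: object is refreshed when the document opens, no click needed")
    return {"object_classes": sorted(classes), "findings": findings, "suspicious": bool(findings)}


def ole1_header_hex(class_name: str) -> str:
    """Hex of a minimal OLE 1.0 ObjectHeader, used here only to build test documents."""
    name = class_name.encode("ascii") + b"\0"
    return (struct.pack("<III", 0x00000501, 2, len(name)) + name).hex()


# Constructed samples: the object header only, nothing that could run.
SAMPLE_EQUATION_RTF = (r"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata "
                       + ole1_header_hex("Equation.3") + "}}}")
SAMPLE_OLE2LINK_RTF = (r"{\rtf1{\object\objautlink\objupdate{\*\objdata "
                       + ole1_header_hex("OLE2Link") + "}}}")
SAMPLE_BENIGN_RTF = r"{\rtf1 Bill of Lading 209530072 attached for your review.}"

if __name__ == "__main__":
    for label, doc in [("equation", SAMPLE_EQUATION_RTF),
                       ("ole2link", SAMPLE_OLE2LINK_RTF),
                       ("benign", SAMPLE_BENIGN_RTF)]:
        print(label, scan_rtf(doc))
```

<p>This is a regex-level check and is easy to defeat: attackers split control words, nest groups, pad the hex with junk or use <code>\bin</code> to embed raw bytes, none of which the two patterns above survive. Treat a clean result as "nothing obvious", not "safe", and parse anything that matters with a proper RTF object extractor such as oletools' rtfobj. A hit is also not proof of exploitation; both CVEs need an unpatched Office installation, so the flagged file belongs in a sandbox, not in a verdict.</p>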
<p><strong>Vessel Flag of Convenience</strong> – Every merchant vessel engaged in international trade must be registered with a flag state and sail under that state's flag, and it is that state's law which governs the ship. A flag of convenience (FOC) is a registry in a country other than the one where the ship's owners are based, chosen because it imposes lower costs, taxes or regulatory burdens. Ships registered this way are subject to the flag state's rules rather than to the laws of the owner's home country, so the flag a vessel flies says little about where its owners or operators are based. The five flag states with the largest number of registered vessels are Panama, Liberia, Marshall Islands, Hong Kong and Singapore.<a href="#_ftn1">[1]</a> </p>
<p><strong>Supply Chain Spoofing</strong></p>
<p>In 2023, our analysts began looking at the wider transportation supply chain, since transportation companies are often compromised as a stepping stone to more valuable targets. Maritime shipping is only one part of the commercial transportation supply chain. Querying our data with a set of supply chain keywords surfaces malicious emails with a more general logistics theme. The five most prevalent subject lines in that set are as follows:</p>
<ul>
<li>Invoice 1923119-6 (S/O Client No: 198943) From Active Electrical</li>
<li>New DHL Shipment Document Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List</li>
<li>Customer Invoice - CAUC2135354</li>
<li>purchase order</li>
<li>DHL TRACKING NUMBER // ORIGINAL SCAN DOCUMENTS // VERIFY BL COPY FOR CHECKING // SHIPMENT ADVISE AGAINST OUR CONTRACT NO- WGCBD-141-21/22 (02X40\" 28LBS/1PLY)</li>
</ul>
<p> </p>
<p><a href="{{#staticFileLink}}10999211274,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10999211274,RESIZE_710x{{/staticFileLink}}" width="600" alt="10999211274?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection over the last 30 days. Information extrapolated from the subject line. <a href="{{#staticFileLink}}10999211291,original{{/staticFileLink}}">Full table attached.</a></p>
<p>As with the maritime emails, several themes emerge in the subject lines: invoices, shipment and delivery notifications, packing lists, and purchase orders. The spoofed or impersonated senders include office supply stores, a European commercial bank, shipping companies, the Highlands County, Florida, website, derivatives clearing organizations, and Kuwaiti heavy machinery suppliers.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTML.Doc – Ikarus</li>
<li>HEUR:Trojan.Script.Generic – ZoneAlarm</li>
<li>HTMLUnescape – Zoner</li>
<li>Script.GenericKDZ.20934 – BitDefender</li>
<li>HTML:PhishingMS-AHK [Phish] - AVG</li>
</ul>
<p>Continuing the pattern noted in the last report, this month's supply chain detections are dominated by phishing. Some of the detections are repeats from last month, including Phishing.HTML.Doc and Heur.HTMLUnescape (a label suggesting HTML that rebuilds its real content at run time with JavaScript unescape(), a common way to hide a credential-harvesting page from static scanning). These manifest as fraudulent emails, web pages, or other software that lure the user into exposing personal information such as usernames, passwords, or financial details. HTML:PhishingMS-AHK is a slight variant of a detection noted last month (HTML:PhishingMS-AHN), which we have only seen since September 2022. We have seen Trojan.Script.GenericKDZ detections since the summer of 2020.</p>
<p><strong>Closing</strong></p>
<p>These results illustrate how a recipient could be fooled into opening an infected email and what dangers accompany such emails. Attackers commonly target individual links in a company's supply chain as a foothold for attacks on larger companies. A compromised recipient becomes an infected member of the maritime supply chain and can in turn infect vessels, port facilities and shore companies in the marine, agricultural, and other industries with additional malware. With approximately 90% of goods moving through the maritime supply chain, this is a serious matter. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://naylorlaw.com/blog/flag-of-convenience/">https://naylorlaw.com/blog/flag-of-convenience/</a></p></div>Vessel Impersonation & Supply Chain Spoofing / February 2023https://redskyalliance.org/transportation/vessel-impersonation-supply-chain-spoofing-february-20232023-02-21T21:22:15.000Z2023-02-21T21:22:15.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><a href="{{#staticFileLink}}10971069090,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10971069090,RESIZE_400x{{/staticFileLink}}" alt="10971069090?profile=RESIZE_400x" width="250" /></a></p>
<p> </p>
<p>Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain. Full report download available <a href="{{#staticFileLink}}10971069659,original{{/staticFileLink}}">here</a>.</p>
<p> </p>
<p> </p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><em><a href="{{#staticFileLink}}10971069101,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10971069101,RESIZE_710x{{/staticFileLink}}" alt="10971069101?profile=RESIZE_710x" width="700" /></a> </em></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em><a href="{{#staticFileLink}}10971069686,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10971069686,RESIZE_710x{{/staticFileLink}}" alt="10971069686?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}10971070061,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10971070061,RESIZE_710x{{/staticFileLink}}" alt="10971070061?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}10971070478,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10971070478,RESIZE_710x{{/staticFileLink}}" alt="10971070478?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10971072074,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10971072074,RESIZE_710x{{/staticFileLink}}" alt="10971072074?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}10971072489,original{{/staticFileLink}}">Full table attached</a>.</p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>VSL: VM Accord, ORDER: TKHA-A88160011B</li>
<li>Your Transport Plan has Changed – Maersk</li>
<li>MV WOOHYUN TBN / PDA & PORT INFO FOR LOADING LIME STONE</li>
<li>Golden Bright - Agency appointment and request info to discharge</li>
<li>MV JIA HONG S23001C - DISCHARG STEEL PRODUCT AND EQUIPMENT // AGENT</li>
</ul>
<p><a href="{{#staticFileLink}}10971070874,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10971070874,RESIZE_400x{{/staticFileLink}}" alt="10971070874?profile=RESIZE_400x" width="250" /></a></p>
<p> </p>
<p> </p>
<p>Several themes run through these subject lines: order invoices, itinerary status notifications, and discharge requests. The emails use the trade’s everyday terminology to establish credibility, and that credibility is what makes the lure effective. The sending addresses impersonate companies across many industries; notably, we see heavy machinery rental companies, shipping agencies, transport companies, home builders, universities, and even an Indonesian theme park.</p>
<p> </p>
<p> </p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<ul>
<li>Agia Eirini Force (pictured at the beginning of this report), a bulk carrier currently en route to VN HON and sailing under the flag of the Marshall Islands.</li>
<li>Union Groove (pictured above), a bulk carrier currently en route to Chimbote, Peru and sailing under the flag of the Marshall Islands.</li>
<li>Bellight, a bulk carrier currently located at Gdansk anchorage, Poland and sailing under the flag of Norway.</li>
<li>Spirit of Lisbon, a container ship currently en route to Davao, Philippines and sailing under the flag of the Marshall Islands.</li>
<li>Common Calypso, a bulk carrier currently en route to CI NIO and sailing under the flag of Greece.</li>
</ul>
<p>Fabricating a vessel name is easy, but looking up a real ship’s name takes hardly any more effort and lends the lure considerably more credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>UDS:Trojan-Spy.Win32.Noon.gen – Kaspersky</li>
<li>Trojan:Win32/Leonem – Microsoft</li>
<li>NSISX.Spy.Gen.24 – ALYac</li>
<li>Mal/DrodRar-AIC – Sophos</li>
<li>Garf.Gen.6 - FireEye</li>
</ul>
<p>The Trojan-Spy family we have been seeing since March 2021, with the heaviest activity in April and May. These trojans generally act as keyloggers or attempt to steal credentials from browsers on the victim’s machine. As we have noted before, these emails are typically used to propagate generic trojans and their variants. The Win32/Leonem identifier specifically we have been seeing since last summer, with heavy activity in July 2022. NSISX.Spy variants we have been seeing since late 2021, with the heaviest activity in January and February 2022; Trojan.Garf variants can also be detected as NSISX.Spy variants, depending on the vendor, since these names label the same samples rather than distinct families. Mal/DrodRar-AIC is a return detection from previous reports. Mal/DrodRar-AIC is a file infector that we have been seeing since late 2020. File infector malware attaches malicious code to a variety of files (.exe, .dll, .sys, etc.) in order to spread to other systems, and is often used for delivering payloads or downloading other malware.</p>
<p><strong>Supply Chain Spoofing</strong></p>
<p>By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>Invoice 767968 from TOTAL OFFICE NATIONAL</li>
<li>Invoice INV-6830</li>
<li>Invoice reconciliation</li>
<li>Invoice L12217 dated 17/01/2023 from LEP Engineering Plastics Ltd</li>
<li>Mainstream New Zealand Limited Invoice - PDF for Invoice# 471299</li>
</ul>
<p>Much like the maritime-related emails, a number of themes emerge in the subject lines of these malicious emails: invoices, shipment and delivery notifications, packing lists, and purchase orders. The sending addresses attempt to impersonate or spoof a variety of senders, such as shipping companies, trading companies, logistics and distribution companies, travel curation companies, asset management organizations, a French magazine, and even an apartment management company in Jakarta.</p>
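<p>The two queries this report describes, the search for MV/MT lures in subject lines and the search for general supply-chain keywords, come down to a small triage routine. The block below is an added example, not Red Sky Alliance code or the query behind Table 1 and Table 2: it applies both keyword searches to constructed sample messages, pulls the vessel name out of the subject, and adds the sender checks (display name versus sending domain, Reply-To, Authentication-Results, attachment type) that separate an impersonation from a genuine agency message. The domains, extended subject lines and header values are assumptions made for the example.</p>

```python
"""Subject-line and header triage for vessel and supply-chain email lures.
Added example, not Red Sky Alliance code: it mimics the report's query for
subjects carrying MV / MT / VSL or supply-chain terms, extracts the vessel
name, and adds the sender checks a gateway analyst would run on the same
message. All sample messages are constructed; domains are reserved examples."""
import email
import re
from email import policy
from email.utils import parseaddr

# Vessel prefix, then the name, which ends at a separator, "TBN" or end of line.
VESSEL_RE = re.compile(
    r"\b(?:MV|MT|M/V|M/T|VSL)\b\.?:?\s*"
    r"([A-Za-z][A-Za-z0-9.'-]*(?:\s[A-Za-z0-9.'-]+)*?)"
    r"(?=\s*$|\s*[/|,()]|\s+-\s|\s+TBN\b)"
)
# Terms drawn from the subject-line themes the reports list.
SUPPLY_CHAIN_TERMS = ["invoice", "packing list", "purchase order", "bill of lading",
                      "b/l", "pda", "port info", "shipment", "shipping document",
                      "discharge", "loading", "agent nomination", "proforma", "tracking"]
SUPPLY_CHAIN_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in SUPPLY_CHAIN_TERMS) + r")\b", re.IGNORECASE)
# Attachment types behind the detections named in the reports (NSIS/MSIL
# executables, RAR droppers, HTML phishing pages) plus common containers.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd",
                    ".rar", ".zip", ".7z", ".iso", ".img", ".html", ".htm"}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
FAILING = {"fail", "softfail", "permerror", "temperror"}


def extract_vessel(subject):
    """Return the vessel name following an MV/MT/VSL prefix, or None."""
    m = VESSEL_RE.search(subject)
    return m.group(1) if m else None


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage_message(raw):
    """Parse one RFC 5322 message and return its lure features and findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    findings = []
    vessel = extract_vessel(subject)
    if vessel:
        findings.append("vessel lure in subject: " + vessel)
    terms = sorted({m.group(0).lower() for m in SUPPLY_CHAIN_RE.finditer(subject)})
    if terms:
        findings.append("supply-chain theme: " + ", ".join(terms))
    # Brand impersonation usually shows as a display name sharing no word with
    # the sending domain ("Maersk Line" sent from an unrelated domain).
    words = [w for w in re.findall(r"[a-z0-9]+", display.lower()) if len(w) >= 4]
    if words and not any(w in from_domain for w in words):
        findings.append("display name '%s' does not match domain %s" % (display, from_domain))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to domain %s differs from From" % _domain(reply_addr))
    # Authentication-Results is stamped by the receiving MX; trust it only when
    # your own gateway wrote it, since a sender can forge the header too.
    for mech, result in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() in FAILING:
            findings.append("%s=%s" % (mech.lower(), result.lower()))
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name and "." + name.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS:
            findings.append("risky attachment " + name)
    verdict = "block" if len(findings) >= 3 else "review" if findings else "allow"
    return {"subject": subject, "from": from_addr, "vessel": vessel,
            "terms": terms, "findings": findings, "verdict": verdict}


# Constructed samples; subject lines reuse the ones quoted in this report.
SAMPLES = [
    "\n".join([
        'From: "Nordic Shipping Agency" <agency@mail-notify.example>',
        "Reply-To: ops@other-domain.example",
        "Subject: MV JIA HONG S23001C - DISCHARG STEEL PRODUCT AND EQUIPMENT // AGENT",
        "Authentication-Results: mx.shipowner.example; spf=fail "
        "smtp.mailfrom=mail-notify.example; dkim=none; dmarc=fail",
        'Content-Type: application/octet-stream; name="PDA_JIAHONG.exe"',
        "", "placeholder-for-attachment-bytes"]),
    "\n".join([
        'From: "Maersk Line" <billing@invoice-center.example>',
        "Subject: Invoice INV-6830 - Packing List and B/L attached",
        "Authentication-Results: mx.forwarder.example; spf=pass; dkim=pass; dmarc=pass",
        'Content-Type: text/html; name="Invoice_INV-6830.html"',
        "", "<html>placeholder</html>"]),
    "\n".join([
        'From: "Port Agency Singapore" <ops@port-agency.example>',
        "Subject: MV SEA DREAM / LOADING ALUMINA - AGENT NOMINATION",
        "Authentication-Results: mx.shipowner.example; spf=pass; dkim=pass; dmarc=pass",
        "Content-Type: text/plain", "", "Please find the loading schedule below."]),
]


def triage_samples():
    return [triage_message(raw) for raw in SAMPLES]
```

<p>A vessel name in the subject is deliberately only a reason to review, not to block: the third sample is exactly what a legitimate agency nomination looks like, and blocking on the lure alone would stop real port traffic. The verdict tightens only when the lure is combined with a sender that does not add up.</p>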
<p> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10971071864,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10971071864,RESIZE_710x{{/staticFileLink}}" alt="10971071864?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}10971071490,original{{/staticFileLink}}">Full table attached</a>.</p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HTMLUnescape – Zoner</li>
<li>HTML:PhishingMS-AHK [Phish] – Avast</li>
<li>HTML.Doc – Ikarus</li>
<li>HTML:PhishingMS-AHN [Phish] – AVG</li>
<li>JS/Phishing.XYZ!tr - Fortinet</li>
</ul>
<p>This month’s supply chain detections show a clear focus on phishing. Much of the time this manifests as fraudulent emails, web pages, or other software designed to lure the user into exposing personal information such as usernames, passwords, or even financial details. Heur.HTMLUnescape we have been seeing since early 2020. HTML:Phishing variants we have been seeing since 2016, with notably heavy activity in the spring of 2021. As one might expect, it is also not uncommon to see generic trojan detections like JS/Phishing.XYZ!tr; we have been seeing JS/Phishing off and on since late 2016, with the highest number of observations in summer 2022.</p>
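<p>The HTML phishing detections above (HTMLUnescape, HTML:PhishingMS, JS/Phishing) share a small set of structural traits that can be checked before any signature runs. The following is an added example, not Red Sky Alliance code or any vendor’s detection logic: it parses an HTML attachment, decodes markup hidden behind unescape() or atob(), and flags a password form that posts outside the sender’s domain or a page that only redirects. The sample attachments and the sender domain passed in are constructed for the example.</p>

```python
"""Static triage of an HTML email attachment for credential-harvesting traits.
Added example, not Red Sky Alliance code. It looks for the shape behind the
generic HTML phishing detections listed above: a login form posting off-domain,
meta/JavaScript redirects, and markup hidden behind unescape() or atob(),
which it decodes one layer at a time and rescans. Samples are constructed."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

UNESCAPE_RE = re.compile(r"""unescape\(\s*['"]([^'"]+)['"]\s*\)""")
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
REDIRECT_RE = re.compile(r"(?:location\.(?:href|replace|assign)|window\.open)\s*[=(]")


class _Collector(HTMLParser):
    """Gather form actions, password inputs, meta refresh and script bodies."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self.password_inputs, self.meta_refresh, self._in_script = 0, False, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append(a.get("action", "").strip())
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html(html, sender_domain, depth=0):
    """Return the list of phishing indicators found in one HTML document."""
    c = _Collector()
    c.feed(html)
    c.close()
    found = []
    if c.password_inputs:
        found.append("password field")
    for action in c.forms:
        host = (urlparse(action).hostname or "").lower()
        # A relative action cannot be judged statically; an absolute one that
        # leaves the sender's domain is the classic harvesting pattern.
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            found.append("form posts off-domain to " + host)
    if c.meta_refresh:
        found.append("meta refresh")
    scripts = "\n".join(c.scripts)
    if REDIRECT_RE.search(scripts):
        found.append("script redirect")
    if depth < 2:  # follow at most two layers of obfuscation
        layers = [("unescape()", unquote(m.group(1))) for m in UNESCAPE_RE.finditer(scripts)]
        for m in ATOB_RE.finditer(scripts):
            try:
                layers.append(("atob()", base64.b64decode(m.group(1)).decode("utf-8", "replace")))
            except (binascii.Error, ValueError):
                continue
        for how, decoded in layers:
            found.append(how + " obfuscated markup")
            found += ["decoded: " + i for i in scan_html(decoded, sender_domain, depth + 1)]
    return found


def classify(html, sender_domain):
    """Collapse the indicators to a verdict usable in a gateway rule."""
    found = scan_html(html, sender_domain)
    text = " ".join(found)
    if "password field" in text and "off-domain" in text:
        return "credential harvesting"
    return "suspicious" if found else "clean"


# Constructed samples. The first hides its login form behind unescape(), so a
# scanner that only reads the literal markup sees no <form> at all.
PHISH_HTML = """<html><body><p>Your invoice is ready. Sign in to view.</p>
<script>document.write(unescape('%3Cform%20action%3D%22https%3A%2F%2Fcollect.example.net%2Fpost.php%22%20method%3D%22post%22%3E%3Cinput%20name%3D%22email%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22pw%22%3E%3C%2Fform%3E'));</script>
</body></html>"""
REDIRECT_HTML = """<html><head><meta http-equiv="refresh" content="0;url=https://login.example.net/"></head>
<body><script>window.location.href = "https://login.example.net/";</script></body></html>"""
BENIGN_HTML = "<html><body><p>Thank you for your order. The invoice is attached as a PDF.</p></body></html>"
```

<p>The decode-and-rescan step is the point of the example: the harvesting form in the first sample never appears as literal markup, which is why the vendor names above reference HTML unescaping rather than a form signature. A real gateway would also run this over the text of an HTML body, not only over attachments.</p>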
<p><strong>Closing</strong></p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email and what dangers accompany these emails. Attackers commonly target pieces of a company’s supply chain as a stepping stone to attacks on the larger companies. A compromised recipient becomes an infected member of the maritime supply chain and can in turn infect vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With roughly 90% of goods moving through the maritime supply chain, this is a serious matter.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for the scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element and organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to recognize that they are under constant cyber-attack.</li>
<li>Keep the real-world consequences of careless cyber practices or general inattentiveness in front of staff at all times.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Verify emails and supply chain communication through direct, out-of-band contact (a known phone number or a previously used address) rather than by replying to the message itself.</li>
</ul>
<p> </p>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}10971069068,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10971069068,RESIZE_400x{{/staticFileLink}}" alt="10971069068?profile=RESIZE_400x" width="300" /></a></p>
<p> </p>
<p> </p>
<p> </p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice; external threats, however, are often overlooked and can provide early warning of an impending cyber-attack. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. <em>All emails connected to the Transportation Supply Chain, including those concerning vessels, should be viewed with scrutiny</em>.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. We have been tracking vessel impersonation for over 5 years. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a><strong><u> </u></strong></li>
</ul>
<p> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p></div>Vessel Impersonation & Supply Chain Spoofing / January 2023https://redskyalliance.org/transportation/vessel-impersonation-supply-chain-spoofing-january-20232023-01-17T20:59:44.000Z2023-01-17T20:59:44.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><strong><a href="{{#staticFileLink}}10944152087,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10944152087,RESIZE_400x{{/staticFileLink}}" alt="10944152087?profile=RESIZE_400x" width="250" /></a></strong></p>
<p> </p>
<p>Each month, Red Sky Alliance queries its backend databases for all new malicious emails carrying Motor Vessel (MV) or Motor Tanker (MT) in the subject line. Malicious actors use these subject lines as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of motor vessels that we directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, their parent companies, ports and the wider Transportation Supply Chain. Full report download available <a href="{{#staticFileLink}}10944153659,original{{/staticFileLink}}">here.</a></p>
<p> </p>
<p> </p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><strong><a href="{{#staticFileLink}}10944152453,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10944152453,RESIZE_710x{{/staticFileLink}}" alt="10944152453?profile=RESIZE_710x" width="710" /></a></strong></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em> </em></p>
<p><em> <a href="{{#staticFileLink}}10944151658,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10944151658,RESIZE_710x{{/staticFileLink}}" alt="10944151658?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p><em><a href="{{#staticFileLink}}10944151277,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10944151277,RESIZE_710x{{/staticFileLink}}" alt="10944151277?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p><em><a href="{{#staticFileLink}}10944150893,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10944150893,RESIZE_710x{{/staticFileLink}}" alt="10944150893?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p><em><a href="{{#staticFileLink}}10944151058,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10944151058,RESIZE_710x{{/staticFileLink}}" alt="10944151058?profile=RESIZE_710x" width="600" /></a></em></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}10944150294,original{{/staticFileLink}}">Full Table Attached.</a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>Shipment & Container Tracking - Maersk-Info</li>
<li>RE: Air freight from EXW China</li>
<li>(PDA ENQUIRY)MV RMC - DISCHARGE ABT 52000MT +- 10% PETCOKE</li>
<li>PUSH INQUIRY FOR MV TRUMP SW</li>
<li>MV SEA DREAM / LOADING ALUMINA - AGENT NOMINATION</li>
</ul>
<p><a href="{{#staticFileLink}}10944152858,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10944152858,RESIZE_400x{{/staticFileLink}}" alt="10944152858?profile=RESIZE_400x" width="300" /></a></p>
<p> </p>
<p>Several themes run through these subject lines: shipping and tracking notifications, freight notifications, proforma disbursement account (PDA) inquiries, and loading notifications. The emails use the trade’s everyday terminology to establish credibility, and that credibility is what makes the lure effective. The sending addresses impersonate companies across many industries; notably, we see port groups associated with Singapore and Antwerp, port network operators, and transport companies.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<p> </p>
<p> </p>
<ul>
<li>Efendi Baba, a container ship that has not been in service since 2017.</li>
<li>Kai Jie, a general cargo ship en route to HK CN and currently sailing under the flag of Hong Kong.</li>
<li>Kharis Pegasus (pictured at the beginning of this report), a general cargo ship en route to Hong Kong and currently sailing under the flag of Korea.</li>
<li>Trump SW, a bulk carrier en route to Cua Lo and currently sailing under the flag of Panama.</li>
<li>Sevval (pictured above), a general cargo ship en route to Volos, Greece and currently sailing under the flag of Vanuatu.</li>
</ul>
<p>Fabricating a vessel name is easy, but looking up a real ship’s name takes hardly any more effort and lends the lure considerably more credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>W32/MSIL_Kryptik.INW.gen!Eldorado – Cyren</li>
<li>Phishing.44391 - CAT-QuickHeal</li>
<li>MSIL/Kryptik.AHBB!tr – Fortinet</li>
<li>Gen:Variant.Lazy.272801 – FireEye</li>
<li>JS:Trojan.Cryxos.8250 - VIPRE</li>
</ul>
<p>MSIL variant trojans are again among the most frequently seen detections, as in previous months. We have been seeing these trojan variants since 2018. This family of trojans tends to manifest as software for stealing passwords from web browsers or logging keystrokes. As we generally note, these emails are used to attempt the propagation of generic trojans like Gen:Variant.Lazy.272801. Trojans marked with the Gen:Variant.Lazy indicator we have been seeing for approximately one year, with a heavy detection rate during July 2022. We have only been seeing emails associated with HTML.Phishing.44391 since early 2022. HTML.Phishing variant trojans are often associated with browser manipulation that forces redirects to malicious web pages. Cryxos variant trojans we have been seeing in malicious emails for several years. These are typically associated with fraudulent messages displayed to users about a browser “blockage” that try to get the user to call a fraudulent customer support line.</p>
<p><strong>Supply Chain Spoofing</strong></p>
<p>By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails. The five most prevalent subject lines seen with a general supply chain focus are as follows:</p>
<ul>
<li>Shipment Confirmation:Final Invoice,Packing List & BL Has arrived</li>
<li>DHL Shipping Document/Invoice Receipt</li>
<li>Re RE: Commercial Invoice And Packing List</li>
<li>QUOTE ATTACHED PURCHASE ORDER</li>
<li>Invoice</li>
</ul>
<p>Much like the maritime-related emails, a number of themes emerge in the subject lines of these malicious emails: requests for shipping confirmation, invoice notifications, purchase orders and packing lists. In terms of impersonation or spoofing, we see obvious links to shipping companies like DHL, along with international logistics management providers, tool manufacturers, automotive logistics providers, freight forwarders, and even a Pennsylvania-based law firm.</p>
<p><a href="{{#staticFileLink}}10944149100,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10944149100,RESIZE_710x{{/staticFileLink}}" alt="10944149100?profile=RESIZE_710x" width="600" /></a></p>
<p style="text-align:center;">Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}10944149659,original{{/staticFileLink}}">Full Table Attached.</a></p>
<p>The five most prevalent detections associated with these emails are as follows:</p>
<ul>
<li>HEUR:Hoax.HTML.Phish.gen – Kaspersky</li>
<li>FishForm.408 – DrWeb</li>
<li>HTML.Doc – Ikarus</li>
<li>JS:Trojan.Cryxos.10614 – FireEye</li>
<li>Trojan.44094 - CAT-QuickHeal</li>
</ul>
<p>As one might expect, we also see generic trojan types like Script.Trojan.44094 being propagated with these emails. We have been seeing Script.Trojan variants in these emails since late 2021, but it is worth noting that some of these variants will be identified as Cryxos or HTML.Phishing variants depending on the vendor. HEUR:Hoax.HTML.Phish.gen detections we have been seeing since the latter half of 2020, with heavy detection rates in early 2021. This detection is typically associated with phishing attacks in which an attacker attempts to obtain username and password information via a fraudulent HTML page. The remaining detections listed are similar in nature to the HTML.Phishing class of trojans described above.</p>
<p><strong>Closing</strong></p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email and what dangers accompany these emails. Attackers commonly target pieces of a company’s supply chain as a stepping stone to attacks on the larger companies. A compromised recipient becomes an infected member of the maritime supply chain and can in turn infect vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. With roughly 90% of goods moving through the maritime supply chain, this is a serious matter.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the <em>Transportation Supply Chain</em>. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for the scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element and organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to recognize that they are under constant cyber-attack.</li>
<li>Keep the real-world consequences of careless cyber practices or general inattentiveness in front of staff at all times.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Verify emails and supply chain communication through direct, out-of-band contact (a known phone number or a previously used address) rather than by replying to the message itself.</li>
</ul>
</div>Motor Vessel (MV) & Motor Tanker (MT) Impersonation / December 2022https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-december-20222022-12-15T20:57:27.000Z2022-12-15T20:57:27.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><a href="{{#staticFileLink}}10911248098,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10911248098,RESIZE_400x{{/staticFileLink}}" width="250" alt="10911248098?profile=RESIZE_400x" /></a></p>
<p> </p>
<p>Red Sky Alliance regularly queries its backend databases for all new malicious emails carrying Motor Vessel (MV) or Motor Tanker (MT) in the subject line. Malicious actors use these subject lines as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of motor vessels that we directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, their parent companies, and ports. Users should be aware of the subject lines used and of the sending addresses that attempt to deliver the messages.</p>
<p> </p>
<p> </p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}10911247884,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10911247884,RESIZE_710x{{/staticFileLink}}" width="600" alt="10911247884?profile=RESIZE_710x" /></a></p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p><a href="{{#staticFileLink}}10911247894,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10911247894,RESIZE_584x{{/staticFileLink}}" width="500" alt="10911247894?profile=RESIZE_584x" /></a></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em> <a href="{{#staticFileLink}}10911248257,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}10911248257,RESIZE_584x{{/staticFileLink}}" width="500" alt="10911248257?profile=RESIZE_584x" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p> </p>
<p><a href="{{#staticFileLink}}10911247098,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10911247098,RESIZE_584x{{/staticFileLink}}" width="500" alt="10911247098?profile=RESIZE_584x" /></a></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10911246699,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}10911246699,RESIZE_584x{{/staticFileLink}}" width="500" alt="10911246699?profile=RESIZE_584x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}10911245894,original{{/staticFileLink}}">Full table attached.</a></p>
<p> </p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>B/L-DOCUMENT FROM MAERSK-LINE LOGISTICS</li>
<li>invoice 80022# - international offshore services jsc</li>
<li>MV PROPEL TBN // URGENT PDA REQUEST TO DISCHARGE STEEL</li>
<li>Port Info + PDA for discharging 26000Mt fertilizer</li>
<li>SISIN221200004 // LCL / SAVOUR & SPICE / FROM NZ TO SIN</li>
</ul>
<p><a href="{{#staticFileLink}}10911245852,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10911245852,RESIZE_400x{{/staticFileLink}}" width="271" alt="10911245852?profile=RESIZE_400x" /></a></p>
<p> </p>
<p>Several themes run through these subject lines: document notifications, invoices, expense estimates for deliveries, and shipping notifications and requests. The emails use the trade’s everyday terminology to establish credibility, and that credibility is what makes the lure effective. The sending addresses impersonate companies across many industries; notably, we see logistics companies, maritime project management companies, shipping companies, warehousing providers, water desalination companies, and even a Japanese toy company that focuses on emotional support products.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<p> </p>
<ul>
<li>DS Prosperity 7 (pictured at the beginning of this report), a general cargo ship currently en route to Ho Chi Minh City and sailing under the flag of Panama.</li>
<li>Amal II (pictured above), a general cargo ship currently en route to Massawa and sailing under the flag of Palau.</li>
<li>Joyful Resource, a general cargo ship currently located at Bangkok and sailing under the flag of Panama.</li>
<li>Trawind Wisdom, a bulk carrier that recently departed Fangcheng and is sailing under the flag of Panama.</li>
<li>Nordic Oslo, a bulk carrier currently located at Portland and sailing under the flag of Liberia.</li>
</ul>
<p>Fabricating a vessel name is easy, but looking up a real ship’s name takes hardly any more effort and lends the lure considerably more credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>UDS:Trojan-Spy.MSIL.Noon.gen - ZoneAlarm</li>
<li>HEUR:Trojan-Spy.MSIL.Noon.gen – Kaspersky</li>
<li>Gen:Variant.Lazy.260788 – VIPRE</li>
<li>Mal/DrodRar-AIC - Sophos</li>
<li>Gen:Mail.Smite.65 - BitDefender</li>
</ul>
<p>We have been seeing the MSIL class of trojans since 2018. Each of the variants listed experienced some growth starting in April of 2020 and has remained relatively consistent in its detection rate since. This family of trojans tends to manifest as software meant for stealing passwords from web browsers or logging keystrokes. As noted in previous reports, these emails are commonly seen attempting to propagate generic trojans like Gen:Variant.Lazy.260788. We have been seeing trojans marked with the Gen:Variant.Lazy indicator for approximately one year, with a heavy detection rate during July of 2022. Mal/DrodRar-AIC is a return detection from the previous month’s report, but with a lowered detection rate. Mal/DrodRar-AIC is a file infector that we have been seeing since late 2020. File infector malware is malware capable of infecting files for the sake of spreading to other systems. Malicious code is attached to a variety of files (.exe, .dll, .sys, etc.), and this type of malware is often used for delivering payloads or downloading other malware.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication, outside of the email thread itself, to verify emails and supply chain email communication.</li>
</ul>
<p> </p>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}10911245083,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10911245083,RESIZE_400x{{/staticFileLink}}" width="400" alt="10911245083?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p> </p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings:</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p>
<p> </p>
<p> </p></div>
Motor Vessel (MV) & Motor Tanker (MT) Impersonation / November 2022
https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-november-2022
2022-11-18T19:19:37.000Z
JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p><strong><a href="{{#staticFileLink}}10886962494,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10886962494,RESIZE_400x{{/staticFileLink}}" width="250" alt="10886962494?profile=RESIZE_400x" /></a></strong></p>
<p> </p>
<p>Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
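<p>The query described above, reduced to a small subject-line triage script, as an added example that is not Red Sky Alliance code: it looks for Motor Vessel / Motor Tanker prefixes in subject lines, tags the lure themes the report lists (shipping documents, arrival notices, quotations), and checks the sender domain against a brand allowlist. The keyword list, the brand-to-domain table and the sample messages are constructed assumptions, not data from the report.</p>

```python
"""Subject-line triage for MV/MT vessel-impersonation lures.

Added example, not Red Sky Alliance code. Mirrors the query described in the
report (subject lines carrying Motor Vessel / Motor Tanker prefixes) and adds a
sender-domain check for impersonated brands. The lure keyword list, the
brand-to-domain table and the sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Vessel prefixes: "MV NAME", "MT NAME", "M/V NAME", "VSL: NAME". The name runs
# until a separator the observed subject lines use ("/", ",", "-", "|") or the end.
# The leading \b keeps unit suffixes such as "10,000MT" from matching.
VESSEL_RE = re.compile(
    r"\b(?:M/?[VT]|VSL)\b\s*:?\s*([^/,\-|]+?)\s*(?=$|[/,\-|])", re.IGNORECASE
)

# Lure themes seen in the top subject lines (keyword list is an assumption).
LURE_THEMES = {
    "shipping documents": ("bill of lading", "b/l", "docs for", "shipping documents",
                           "material for shipment"),
    "arrival/loading notice": ("arrival notice", "loading", "discharging",
                               "port inquiry"),
    "payment request": ("quotation", "invoice", "statement of account", "rfq", "pda"),
}
THEME_PATTERNS = {
    theme: re.compile(r"\b(?:" + "|".join(re.escape(k) for k in keys) + r")\b",
                      re.IGNORECASE)
    for theme, keys in LURE_THEMES.items()
}

# Constructed allowlist: brands named in lure subjects and the sender domains
# expected for them. In production this comes from vendor records, never from
# the email being checked.
BRAND_DOMAINS = {
    "maersk": ("maersk.com",),
    "dhl": ("dhl.com",),
    "cma cgm": ("cma-cgm.com",),
}


@dataclass
class Triage:
    subject: str
    sender: str
    vessel: Optional[str]
    themes: List[str] = field(default_factory=list)
    impersonated_brand: Optional[str] = None
    score: int = 0
    verdict: str = "low"


def extract_vessel(subject: str) -> Optional[str]:
    """Return the vessel name following an MV/MT/VSL prefix, or None."""
    m = VESSEL_RE.search(subject)
    if not m:
        return None
    name = m.group(1).strip()
    return name or None


def sender_domain(sender: str) -> str:
    """Domain part of 'user@host' or 'Name <user@host>', lower-cased."""
    return sender.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def brand_mismatch(subject: str, sender: str) -> Optional[str]:
    """Brand named in the subject whose domains do not cover the sender's domain."""
    dom = sender_domain(sender)
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", subject, re.IGNORECASE):
            if not any(dom == d or dom.endswith("." + d) for d in domains):
                return brand
    return None


def triage(subject: str, sender: str) -> Triage:
    """Score one message: vessel prefix +2, each lure theme +1, brand mismatch +3."""
    vessel = extract_vessel(subject)
    themes = [t for t, p in THEME_PATTERNS.items() if p.search(subject)]
    brand = brand_mismatch(subject, sender)
    score = (2 if vessel else 0) + len(themes) + (3 if brand else 0)
    return Triage(subject, sender, vessel, themes, brand, score,
                  "review" if score >= 3 else "low")


# Constructed sample messages; the subjects echo the report's top-five lists.
SAMPLE_MESSAGES = [
    ("VSL: VALADON, QUOTATION", "ops@example-freight.test"),
    ("Maersk : Arrival Notice ready for Bill of Lading 209530072.", "notice@mail.example.test"),
    ("MV CMA CGM THALASSA - DG TC ABB TPL65-A10", "chartering@cma-cgm.com"),
    ("mv harvey well/m22009 --- Loading 23000mt Clinker in bulk // port inquiry",
     "agent@example-agency.test"),
    ("Team lunch on Friday", "hr@example.test"),
]


def run_samples() -> List[Triage]:
    return [triage(s, f) for s, f in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for r in run_samples():
        print(f"{r.verdict:6} score={r.score} vessel={r.vessel!r} "
              f"brand={r.impersonated_brand!r} themes={r.themes} :: {r.subject}")
```

<p>A brand name in the subject with a sender domain outside the allowlist scores highest because it is the cheapest signal for a mail gateway to check before any attachment is opened.</p>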
<p> </p>
<p style="text-align:center;"><strong>Significant Vessel Key Words:</strong></p>
<p><a href="{{#staticFileLink}}10886962297,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10886962297,RESIZE_710x{{/staticFileLink}}" width="710" alt="10886962297?profile=RESIZE_710x" /></a></p>
<p><em><a href="{{#staticFileLink}}10886962682,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10886962682,RESIZE_584x{{/staticFileLink}}" width="450" alt="10886962682?profile=RESIZE_584x" /></a></em></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"> </p>
<p><em><a href="{{#staticFileLink}}10886963268,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10886963268,RESIZE_584x{{/staticFileLink}}" width="450" alt="10886963268?profile=RESIZE_584x" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"> </p>
<p><em><a href="{{#staticFileLink}}10886963473,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10886963473,RESIZE_710x{{/staticFileLink}}" width="600" alt="10886963473?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker and target domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}10886964053,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10886964053,RESIZE_710x{{/staticFileLink}}" width="600" alt="10886964053?profile=RESIZE_710x" /></a></em></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the subject line. <a href="{{#staticFileLink}}10886964080,original{{/staticFileLink}}">Full Table Attached</a>.</p>
<p> </p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>Material For shipment / Maersk-Line-Logistic</li>
<li>VSL: VALADON, QUOTATION</li>
<li>Maersk : Arrival Notice ready for Bill of Lading 209530072.</li>
<li>MV CMA CGM THALASSA - DG TC ABB TPL65-A10</li>
<li>SEA SHIPMENT</li>
</ul>
<p> <a href="{{#staticFileLink}}10886963700,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10886963700,RESIZE_400x{{/staticFileLink}}" width="300" alt="10886963700?profile=RESIZE_400x" /></a></p>
<p>There are several themes represented by the subject lines seen. Specifically, we can see notices of container arrivals, vessel communications, along with shipping notifications and requests. These emails are seen to utilize common terminology in order to establish credibility. This credibility can make for a solid lure. In terms of the sending emails themselves, we can see impersonations of companies in many industries. Notably, we see Bulgarian freight transport companies, Vietnamese logistics companies, telecommunications companies, Chinese email providers, the Polish Mountaineering Association, and Russian tailoring services.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<p> </p>
<ul>
<li>CMA CGM Thalassa (pictured at the beginning of this report), a container ship en route to Panama Canal, sailing under the flag of Malta.</li>
<li>Sun Unity (pictured above), a cargo ship en route to FJHD Shipyard, sailing under the flag of Panama.</li>
<li>Chailease Cherise, a bulk carrier en route to Tanjung Bara, sailing under the flag of Liberia.</li>
<li>SNP Sky, a cargo ship en route to Novorossiysk, sailing under the flag of Vanuatu.</li>
<li>Yin Fu, a bulk carrier en route to Shanghai, sailing under the flag of China.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little additional effort and could lend the lure more credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Gen:Variant.Lazy.253409 (B) – Emsisoft</li>
<li>JS:Trojan.Cryxos.10054 – Ad-Aware</li>
<li>Win32:PWSX-gen [Trj] – Avast</li>
<li>Mal/DrodRar-AIC – Sophos</li>
<li>Win32/Injector.ESFA – ESET-NOD32</li>
</ul>
<p>Commonly, these emails are seen attempting to propagate generic trojans like Gen:Variant.Lazy.253409, Win32:PWSX-gen, or Win32/Injector.ESFA. We have been seeing trojans marked with the Gen:Variant.Lazy indicator for approximately one year, with a heavy detection rate during July of 2022, and Win32:PWSX since August of 2018. “Generic” trojans can have a wide range of applications, such as hindering user activity, collecting machine and user information, or potentially downloading other malware. Others can be more flamboyant about their activities, like JS:Trojan.Cryxos, which is known to interrupt user activity and claim that the browser is “locked” and user information is being “stolen” in an attempt to get the user to call a fake customer support number for assistance. We have been seeing Cryxos trojan detections since 2016, most prominently during the summer of 2017 and with an extreme resurgence during July of 2022. Mal/DrodRar-AIC is a file infector that we have been seeing since late 2020. File infector malware is malware capable of infecting files for the sake of spreading to other systems. Malicious code is attached to a variety of files (.exe, .dll, .sys, etc.), and this type of malware is often used for delivering payloads or downloading other malware.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication, outside of the email thread itself, to verify emails and supply chain email communication.</li>
</ul>
<p> </p>
<p> </p></div>
Motor Vessel (MV) & Motor Tanker (MT) Impersonation / October 2022
https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-october-2022
2022-10-19T20:57:07.000Z
JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p><a href="{{#staticFileLink}}10845614100,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10845614100,RESIZE_400x{{/staticFileLink}}" width="250" alt="10845614100?profile=RESIZE_400x" /></a></p>
<p> </p>
<p>Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
<p> </p>
<p><strong>Significant Vessel Key Words:</strong></p>
<p><strong><a href="{{#staticFileLink}}10845614673,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10845614673,RESIZE_710x{{/staticFileLink}}" width="710" alt="10845614673?profile=RESIZE_710x" /></a></strong></p>
<p> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10845611693,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}10845611693,RESIZE_400x{{/staticFileLink}}" width="400" alt="10845611693?profile=RESIZE_400x" /></a></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10845612666,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}10845612666,RESIZE_400x{{/staticFileLink}}" width="400" alt="10845612666?profile=RESIZE_400x" /></a></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10845612490,RESIZE_710x{{/staticFileLink}}"><img src="{{#staticFileLink}}10845612490,RESIZE_710x{{/staticFileLink}}" width="657" alt="10845612490?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p style="text-align:center;"> </p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10845612865,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}10845612865,RESIZE_710x{{/staticFileLink}}" width="600" alt="10845612865?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Table 1: List of dates, subject lines, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the subject line. <a href="{{#staticFileLink}}10845611275,original{{/staticFileLink}}">Full Vessel Report Attached</a></p>
<p style="text-align:center;"> </p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>DOCS FOR 2ND CONTAINER ETD 07/10/22</li>
<li>AERSK LINE STATEMENT OF ACCOUNT JULY 2022</li>
<li>mv harvey well/m22009 --- Loading 23000mt Clinker in bulk // port inquiry</li>
<li>RE: RE: MV ROYAL 06 // V11.2022 // DISCHARGING 10,000MT PKE // PDA</li>
<li>JAHAN SISTERS - RLOI OF DESHBANDHU CEMENT - AT CHITTAGONG PORT II FROM PADANG, INDONESIA WITH 35,507.999 MT CEMENT CLINKER</li>
</ul>
<p><a href="{{#staticFileLink}}10845610485,RESIZE_710x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10845610485,RESIZE_400x{{/staticFileLink}}" width="300" alt="10845610485?profile=RESIZE_400x" /></a></p>
<p> </p>
<p>There are several themes represented by the subject lines seen. Specifically, we can see notices of port inquiries, bills of lading and invoices, load notifications, and cargo shipment notices. These emails are seen to utilize common terminology to establish credibility. This credibility can make for a solid lure. In terms of the sending emails themselves, we can see impersonations of a wide variety of organizations, such as shipping and supply companies, ship management companies, and DHL, among others.</p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<ul>
<li>Ina Lotte (pictured at the beginning of this report), which is a bulk carrier currently located in Brazil and flying under the flag of the Cayman Islands.</li>
<li>KSL Seville (pictured above), which is a bulk carrier currently on its way to Brazil and flying under the flag of Hong Kong.</li>
<li>Fortune Ocean, which recently departed from China and is flying under the flag of Panama.</li>
<li>Royal 06, which is a bulk carrier currently located in Sai Gon and flying under the flag of Vietnam.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little additional effort and could lend the lure more credibility. For the most part, these detections are representative of emails attempting to propagate generic trojans, which exist to hinder a user’s operations, collect information, and potentially attempt to download other malware. There may also be more targeted malware present, including software intended to interrupt browser operations or take advantage of critical operating system vulnerabilities.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails – any place along the transportation supply line. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware. The end target could be in maritime, port facilities, rail/truck, customs brokers and authorities or the goods manufacturer/customer.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication, outside of the email thread itself, to verify emails and supply chain email communication.</li>
</ul>
<p> </p>
<p> </p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p></div>
Motor Vessel (MV) & Motor Tanker (MT) Impersonation / September 2022
https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-september-2022
2022-09-15T20:03:48.000Z
JD Thomason (https://redskyalliance.org/members/JDThomason)
<div><p><a href="{{#staticFileLink}}10813350662,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10813350662,RESIZE_400x{{/staticFileLink}}" width="250" alt="10813350662?profile=RESIZE_400x" /></a></p>
<p> </p>
<p>Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
<p> </p>
<p style="text-align:center;"><strong>Significant Vessel Key Words:</strong></p>
<p style="text-align:center;"><strong><a href="{{#staticFileLink}}10813351064,RESIZE_930x{{/staticFileLink}}"><img src="{{#staticFileLink}}10813351064,RESIZE_710x{{/staticFileLink}}" width="600" alt="10813351064?profile=RESIZE_710x" /></a></strong></p>
<p> </p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10813350095,original{{/staticFileLink}}"><img src="{{#staticFileLink}}10813350095,RESIZE_710x{{/staticFileLink}}" width="600" alt="10813350095?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"><em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10813350067,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10813350067,RESIZE_710x{{/staticFileLink}}" width="600" alt="10813350067?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;">Figure 3. Distribution of attacker and target domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10813349501,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10813349501,RESIZE_710x{{/staticFileLink}}" width="600" alt="10813349501?profile=RESIZE_710x" /></a></p>
<p style="text-align:center;"> </p>
<p style="text-align:center;">Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the subject line. <a href="{{#staticFileLink}}10813349672,original{{/staticFileLink}}" target="_blank">Full Vessel Report Table September 2022</a></p>
<p><a href="{{#staticFileLink}}10813349270,original{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10813349270,RESIZE_710x{{/staticFileLink}}" width="600" alt="10813349270?profile=RESIZE_710x" /></a></p>
<p><strong>Analysis</strong></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>VSL: VM Accord, ORDER: TKHA-A88160011B</li>
<li>RE: MV BAKAN WILL LOAD FM DAMIETTA</li>
<li>Re: Destination CRF- KOREA Port RFQ_USD</li>
<li>Bill of Lading and Invoice for your shipment- Maersk</li>
<li>DHL Express Cargo</li>
</ul>
<p><a href="{{#staticFileLink}}10813348468,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10813348468,RESIZE_400x{{/staticFileLink}}" width="277" height="186" alt="10813348468?profile=RESIZE_400x" /></a></p>
<p> </p>
<p>There are several themes represented by the subject lines seen. Specifically, we can see notices of port inquiries, bills of lading and invoices, load notifications, and cargo shipment notices. These emails are seen to utilize common terminology in order to establish credibility. This credibility can make for a solid lure. In terms of the sending emails themselves, we can see impersonations of companies in many industries. Notably, we see DHL, supply chain organizations, steel traders, chemical suppliers, and freight carriers.</p>
<p> </p>
<p>In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<p> </p>
<ul>
<li>Hongsheng 7 (pictured at the beginning of this report), which is a bulk carrier currently located in southeast Asia and sailing under the flag of Hong Kong.</li>
<li>Yangtze Classic (pictured above), which is a bulk carrier currently located in east Australia and is sailing under the flag of Hong Kong.</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little additional effort and could lend the lure more credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>Zmutzy.819 – Gdata</li>
<li>Win32:InjectorX-gen [Trj] – Avast</li>
<li>Trojan.Generic/MSIL@AI.100 (RDM.MSIL:lrntAdiZenrQzR9sued47A) – Rising</li>
<li>GenericKD.61424830 – FireEye</li>
<li>Html.Iframe.udgq - NANO-Antivirus</li>
</ul>
<p>We have been seeing the Zmutzy family of trojans since late 2015, with their highest prevalence between 2018 and 2019, when tens of thousands of email detections were logged in our system. We have been seeing Win32:InjectorX-gen since mid-2019. Its occurrence frequency has grown significantly since then, with the highest number of detections occurring in March 2021 and July 2022. As far as Trojan.Generic/MSIL@AI.100 goes, we have only been seeing it since December of 2021. To date, the highest number of detections occurred in July of 2022, with nearly triple the number of detections over June. Trojan.GenericKD.61424830 is a newer detection, with detections occurring primarily during this last 30-day period. We have been seeing Exploit.Html.Iframe.udgq since late 2015. Its most prevalent period of detection was between January 2021 and April 2021, and the number of detections has been trending upward since January of 2022.</p>
<p>For the most part, these detections are representative of generic trojans, which exist to hinder a user’s operations, collect information, and potentially attempt to download other malware. An Exploit.Html.Iframe.udgq detection relates to a malicious HTML file (or email message) containing code intended to exploit an Internet Explorer vulnerability in how it handles iframes on pages.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by keeping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p><a href="{{#staticFileLink}}10813347088,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10813347088,RESIZE_400x{{/staticFileLink}}" width="300" alt="10813347088?profile=RESIZE_400x" /></a></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p></div>Motor Vessel (MV) & Motor Tanker (MT) Impersonation / August 2022https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-august-20222022-08-18T21:45:16.000Z2022-08-18T21:45:16.000ZJD Thomasonhttps://redskyalliance.org/members/JDThomason<div><p><img class="align-left" src="{{#staticFileLink}}10777791658,RESIZE_400x{{/staticFileLink}}" alt="10777791658?profile=RESIZE_400x" width="250" /></p>
<p><span style="font-size:10pt;">Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</span></p>
<p style="text-align:center;"><span style="font-size:12pt;"><strong>Significant Vessel Key Words:</strong></span></p>
<p style="text-align:center;"><strong><a href="{{#staticFileLink}}10777792071,RESIZE_930x{{/staticFileLink}}"><img src="{{#staticFileLink}}10777792071,RESIZE_710x{{/staticFileLink}}" alt="10777792071?profile=RESIZE_710x" width="710" /></a></strong></p>
<p style="text-align:center;"><strong><a href="{{#staticFileLink}}10777807277,RESIZE_710x{{/staticFileLink}}"><img src="{{#staticFileLink}}10777807277,RESIZE_584x{{/staticFileLink}}" alt="10777807277?profile=RESIZE_584x" width="500" /></a></strong></p>
<p style="text-align:center;"><em>Figure 1. Map displaying locations of attacker domains.</em></p>
<p style="text-align:center;"><em><a href="{{#staticFileLink}}10777808061,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10777808061,RESIZE_584x{{/staticFileLink}}" alt="10777808061?profile=RESIZE_584x" width="500" /></a></em></p>
<p style="text-align:center;"><em>Figure 2. Map displaying locations of target domains.</em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10777810669,original{{/staticFileLink}}"><img src="{{#staticFileLink}}10777810669,RESIZE_710x{{/staticFileLink}}" alt="10777810669?profile=RESIZE_710x" width="710" /></a></p>
<p style="text-align:center;"><em>Figure 3. Distribution of attacker/target domains.</em></p>
<p style="text-align:center;"><span style="font-size:12pt;"><strong><a href="{{#staticFileLink}}10777812654,RESIZE_1200x{{/staticFileLink}}"><img src="{{#staticFileLink}}10777812654,RESIZE_710x{{/staticFileLink}}" alt="10777812654?profile=RESIZE_710x" width="710" /></a></strong></span></p>
<p style="text-align:center;"><em>Table 1. List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 60 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}10777812695,original{{/staticFileLink}}">Full Vessell Report August 2022.pdf</a></em></p>
<p style="text-align:center;"><span style="font-size:12pt;"><strong>Analysis</strong></span></p>
<p>The five most common subject lines seen in our recent query are as follows:</p>
<ul>
<li>HW - Arrival of Container OOLU3955325 (PTS)</li>
<li>RE:MV SCSC FORTUNE// FERTILIZER IN BULK AROUND 9600MT LDG //PORT INQUIRY</li>
<li>Re: MV OCEAN DRAGON - DISCHARGE IRON ORE / AGENCY APPOINTMENT</li>
<li>Port Info & PDA Inquiry - Fertilizer - DAP</li>
<li>PDA FOR loading of Clinker abt 39500 mt</li>
</ul>
<p><a href="{{#staticFileLink}}10777811271,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10777811271,RESIZE_400x{{/staticFileLink}}" alt="10777811271?profile=RESIZE_400x" width="276" /></a></p>
<p>There are several themes represented by the subject lines seen. Specifically, we can see notices of container arrivals, cargo arrivals and discharges, scheduling requests and other port inquiries, order notifications, and Pro-forma Disbursement Account (PDA) requests. These emails use common industry terminology in order to establish credibility, and that credibility makes for a solid lure. In terms of the sending emails themselves, we can see impersonations of companies in many industries. Notably, we see impersonations of food suppliers, shipping and supply companies, furniture warehouse companies, and even the Russian Ministry of Health.</p>
<p>In addition to impersonating these companies and various types of communication, these emails also impersonate specific vessels. Some of the vessels being impersonated by these emails include the following:</p>
<ul>
<li>Pioneer Irene, which is currently at the port of Singapore and is sailing under the flag of Tuvalu</li>
<li>KM Singapore (pictured at the beginning of this report), which is currently at the port of Tianjin Xingang and is sailing under the flag of Liberia</li>
<li>New Liberty, which is currently at the port of Massawa (Mitsiwa) and is sailing under the flag of Belize</li>
<li>SCSC Fortune (pictured above), which is currently located off the coast of China and is sailing under the flag of Hong Kong</li>
<li>Star Monica, which recently departed the port of Sriracha and is sailing under the flag of Liberia</li>
</ul>
<p>As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name does not take much effort either, and it lends the lure additional credibility.</p>
<p>The top five most prevalent malware detections associated with these emails are as follows:</p>
<ul>
<li>CVE-2017-0199.02.Gen - BitDefender</li>
<li>MSExcel/CVE_2017_11882!exploit - Fortinet</li>
<li>Win32:InjectorX-gen [Trj] - Avast</li>
<li>UDS:DangerousObject.Multi.Generic - Kaspersky</li>
<li>Trojan-Downloader.Office.Crypt - Ikarus</li>
</ul>
<p>CVE-2017-0199 is a remote code execution vulnerability in older versions of Microsoft Windows and Microsoft Office. This vulnerability allows remote attackers to execute arbitrary code via crafted documents that victims open using Microsoft Office products or WordPad. Somewhat related is CVE-2017-11882, another remote code execution vulnerability that also exists in older versions of Microsoft Office. This vulnerability allows an attacker to run arbitrary code as the current user by manipulating and corrupting memory used by Microsoft Office. As illustrated by the list above, a number of known trojans were also associated with these recent emails. Some of these trojans are of the generic variety and exist to hinder a user’s operations, collect information, and potentially attempt to download other malware. Others, such as W32/Heuristic-200!Eldorado, which we have been seeing since late 2019, are more targeted and focus on tasks like establishing remote access and disabling Windows Update.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by keeping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p style="text-align:center;"><span style="font-size:12pt;"><strong>About Red Sky Alliance</strong></span></p>
<p><strong> <a href="{{#staticFileLink}}10777798082,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10777798082,RESIZE_400x{{/staticFileLink}}" alt="10777798082?profile=RESIZE_400x" width="300" /></a></strong></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/"><strong>https://www.redskyalliance.org/</strong></a></li>
<li>Website: <a href="https://www.wapacklabs.com/"><strong>https://www.wapacklabs.com/</strong></a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941"><strong>https://www.linkedin.com/company/64265941</strong></a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989"><strong>https://attendee.gotowebinar.com/register/5504229295967742989</strong></a></p>
<p style="text-align:center;"> </p></div>Motor Vessel (MV) & Motor Tanker (MT) Impersonation / July 2022https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-july-20222022-07-21T14:55:16.000Z2022-07-21T14:55:16.000ZMichael Brousseauhttps://redskyalliance.org/members/MichaelBrousseau<div><p><a href="{{#staticFileLink}}10661734074,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10661734074,RESIZE_400x{{/staticFileLink}}" alt="10661734074?profile=RESIZE_400x" width="250" /></a>Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
<p style="text-align:left;"><strong>Significant Vessel Key Words:</strong></p>
<p><em> <a href="{{#staticFileLink}}10661712897,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10661712897,RESIZE_710x{{/staticFileLink}}" alt="10661712897?profile=RESIZE_710x" width="710" /></a></em></p>
<p><em><a href="{{#staticFileLink}}10661715855,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10661715855,RESIZE_584x{{/staticFileLink}}" alt="10661715855?profile=RESIZE_584x" width="530" /></a></em></p>
<p style="text-align:center;"><em>Figure 1. Map displaying location of attacker domains</em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10661722262,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10661722262,RESIZE_584x{{/staticFileLink}}" alt="10661722262?profile=RESIZE_584x" width="530" /></a><br /> <em>Figure 2. Map displaying location of victim domains</em></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10661726261,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10661726261,RESIZE_710x{{/staticFileLink}}" alt="10661726261?profile=RESIZE_710x" width="710" /></a></p>
<p>Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. The full vessel report table is linked here: <strong><em><a href="{{#staticFileLink}}10661772066,original{{/staticFileLink}}">Full Vessel Report.pdf</a></em>.</strong></p>
<p> <a href="{{#staticFileLink}}10661724496,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10661724496,RESIZE_710x{{/staticFileLink}}" alt="10661724496?profile=RESIZE_710x" width="682" /></a></p>
<p>Analyzing the subject lines shows similarities in these phishing attempts. In this sample a number of vessels are being impersonated. Common themes in the subject lines include loading calls, discharges, billing, arrival notices, and other seemingly legitimate shipping communications. The use of phrases common within the industry is an attempt by the attacker to establish credibility. Analysts also notice some emails using fake Purchase Orders, Remittances, and Pro-forma Disbursement Account (PDA) requests to try to scam their victims. These are tempting lures for the recipient.<a href="{{#staticFileLink}}10661762853,RESIZE_584x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10661762853,RESIZE_400x{{/staticFileLink}}" alt="10661762853?profile=RESIZE_400x" width="350" /></a></p>
<p>Most of the vessel impersonations use the names of real ships, such as M/V Truong Minh Sea, currently in the Port Elizabeth Anchorage in South Africa; M/V RedHead, currently moored in Lake Ontario; and M/V Glorious Sea, heading to Madagascar from the United Arab Emirates. While it is easy enough to make up a vessel name, using a real ship’s name does not take much effort either. Commercial vessels broadcast information about their location using AIS (Automatic Identification System), and this information can be used to track and identify ships. Sites like VesselFinder can provide further information, including a vessel’s historical data, recent ports, destination and more.</p>
<p>In the Sending Email field, we noticed impersonations of different logistics companies. These companies include Cosco Shipping Lines, Maersk, Ben Line Agencies, and DHL Customer Support, all of which are large and legitimate international companies. Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent existing companies. These include a sender “Invoicing <support@island-0il.com>”, which is clearly impersonating the legitimate Island Oil Holdings by switching out the “O” in oil for a “0”. Others include Coscon, Part Sales & Technical Service Team, and Operation Department.</p>
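<p>The two lure traits described above, vessel keywords in the subject line and a sender domain that is a near-copy of a real partner's, can be screened for at the mail gateway. The following triage script is an added example written for this article, not Red Sky Alliance tooling; the partner allowlist (including island-oil.com for Island Oil) and the sample headers are constructed, and the only real values are the subject lines and the island-0il.com sender quoted in this report.</p>

```python
"""Lookalike-sender and vessel-keyword triage for inbound mail headers.

Added example, not Red Sky Alliance code. It undoes the digit-for-letter
substitutions seen in senders such as "island-0il.com" and compares the
result against a list of known partner domains, then notes whether the
subject carries an MV/MT vessel lure. All domains below are assumed.
"""
import re
from email.utils import parseaddr

# Assumed partner allowlist (constructed for this example).
PARTNER_DOMAINS = {"island-oil.com", "maersk.com", "coscoshipping.com"}

# Digit/letter swaps commonly used to build lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# "MV", "M/V", "MT", "M/T" as whole tokens, case-insensitive.
VESSEL_RE = re.compile(r"\b(?:M/?V|M/?T)\b", re.IGNORECASE)


def normalize(domain):
    """Lower-case, undo homoglyph swaps and drop hyphens so that
    'Island-0il.com' and 'island-oil.com' compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("-", "")


def levenshtein(a, b):
    """Edit distance; one-edit neighbours of a partner domain are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(from_header, subject):
    """Return (verdict, reasons) for one message.

    verdict is 'partner' (exact allowlisted domain), 'lookalike'
    (matches a partner only after normalization or within one edit),
    or 'unknown'. reasons lists the evidence, including vessel keywords."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain in PARTNER_DOMAINS:
        verdict = "partner"
    else:
        verdict = "unknown"
        norm = normalize(domain)
        for partner in sorted(PARTNER_DOMAINS):
            pnorm = normalize(partner)
            if norm == pnorm:
                verdict = "lookalike"
                reasons.append(f"{domain} normalizes to partner domain {partner}")
                break
            if norm and levenshtein(norm, pnorm) <= 1:
                verdict = "lookalike"
                reasons.append(f"{domain} is within one edit of {partner}")
                break
    if VESSEL_RE.search(subject):
        reasons.append("vessel keyword (MV/MT) in subject")
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample headers; subjects and the island-0il sender are from the report.
    samples = [
        ("Invoicing <support@island-0il.com>",
         "RE:MV SCSC FORTUNE// FERTILIZER IN BULK AROUND 9600MT LDG //PORT INQUIRY"),
        ("ops@maersk.com", "Re: MV OCEAN DRAGON - DISCHARGE IRON ORE / AGENCY APPOINTMENT"),
        ("sales@furniture-depot.example", "HW - Arrival of Container OOLU3955325 (PTS)"),
    ]
    for sender, subj in samples:
        verdict, why = triage(sender, subj)
        print(f"{verdict:9} {sender:40} {'; '.join(why)}")
```

<p>Run as a script it prints one verdict per sample; in a gateway it would feed a quarantine or banner rule rather than block outright, since a one-edit neighbour of a short partner domain can also be a legitimate unrelated company.</p>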
<p>A number of phishing campaigns reuse the same subject lines and send the malware to multiple targets. The lures they use apply generically to most ports, shipping companies, and vessels. Vessels that have been impersonated in multiple emails in this collection include MV Sea EverGold and MV Master. </p>
<p>Finally, in the email analysis, we noticed malware similarities. In most of the emails, we have noticed some form of trojan. The most notable detections include Microsoft - Trojan:Win32/Wacatac.B!ml, Microsoft - Trojan:MSIL/AgentTesla.AMZZ!MTB (attached), Kaspersky - HEUR:Trojan-Spy.MSIL.SnakeLogger.gen and other generic trojans. Email samples also had attachments that exploit known Common Vulnerabilities and Exposures (CVEs).</p>
<p>One of the most common CVEs we noticed in the email collections was CVE-2017-11882. This CVE is a Microsoft Office memory corruption vulnerability that allows for remote code execution. A patch for this CVE has been available since November of 2017, and if your Microsoft applications and antivirus software are up to date, your systems should be able to detect this as malicious.</p>
<p>Another common CVE was CVE-2018-0802. This CVE allows for remote code execution and, like CVE-2017-11882, takes advantage of the way objects are handled in memory. This Microsoft Office memory corruption vulnerability is the main issue that allows for remote code execution in Microsoft Office 2007, 2010, 2013, and 2016. It was listed as a zero-day and was addressed in January of 2018.</p>
<p>A third common CVE detected was CVE-2017-0199. This CVE exploits a flaw in Windows Object Linking and Embedding (OLE) to interface with Microsoft Office and deliver malware. Typically this makes use of malicious Rich Text Format (RTF) files to deploy malware.<a href="{{#staticFileLink}}10661757493,RESIZE_584x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10661757493,RESIZE_584x{{/staticFileLink}}" alt="10661757493?profile=RESIZE_584x" width="450" /></a></p>
<p>Wacatac, detected as Trojan:Win32/Wacatac by Microsoft, is trojan malware that is often distributed using spam phishing emails. It is categorized as a trojan, password stealer, banking malware, and spyware. The trojan is used to collect credentials and banking information so malicious actors can facilitate online purchases and money transfers.</p>
<p>Agent Tesla, one of the prominent payloads in the malicious emails analyzed, acts as a keylogger, downloader, and password stealer, and is capable of taking screenshots on infected machines. Agent Tesla has been around since 2014 and targets Windows machines.</p>
<p>It is worth noting that we have seen detections for the <a href="https://redskyalliance.org/xindustry/the-evolution-of-keyloggers">snake keylogger</a> in phishing emails ever since it cracked the top 10 Most Wanted Malware list in July of 2021. The malware is spread predominantly through phishing campaigns and targets Windows users. The malicious payload has been reported being delivered via PDF files, Word Documents, and Excel Spreadsheets, typically with tags about Requests for Quotes (RFQs). According to Check Point Software Technologies the Snake Keylogger Malware currently ranks third on the July 2022 Most Wanted Malware list.</p>
<p>Generic trojans, which make up a significant portion of the email detections, are malicious programs that share code and behavior with known trojan malware. Trojan malware relies on tricking a victim into downloading a file that is hiding a malicious payload. While the installed file may look legitimate, these programs could be hiding processes that download further harmful programs, spy on victims, and steal information.</p>
<p>Trojan malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised to look like a purchase order or invoice. A number of different file types are used to disguise the malicious payloads, including Word documents, Excel spreadsheets, PDFs, and RAR or ZIP archives holding compressed files.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p><a href="{{#staticFileLink}}10661770862,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10661770862,RESIZE_400x{{/staticFileLink}}" alt="10661770862?profile=RESIZE_400x" width="350" /></a>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by keeping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p></div>Cyber Pirateshttps://redskyalliance.org/transportation/cyber-pirates2022-07-12T15:17:56.000Z2022-07-12T15:17:56.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10640623479,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10640623479,RESIZE_400x{{/staticFileLink}}" alt="10640623479?profile=RESIZE_400x" width="250" /></a>In February 2019, a large container ship sailing for the Port of New York/New Jersey identified a cyber intrusion on board that startled the US Coast Guard. Though the malware attack never controlled the vessel’s movement, authorities concluded that weak defenses exposed critical functions to “significant vulnerabilities.”</p>
<p>A maritime disaster didn’t happen that day, but a warning flare rose over an emerging threat to global trade: cyber piracy able to penetrate on-board technology that’s replacing old ways of steering, propulsion, navigation and other key operations. Such leaps in hacking capabilities could do enormous economic damage, particularly now, when supply chains are already stressed from the pandemic and the war in Ukraine, experts including a top Coast Guard official said.</p>
<p>“We’ve been lucky so far,” said the vice president with Mission Secure Inc., a cybersecurity firm in Charlottesville, Virginia. “More and more incidents are happening, and the hackers are getting a better understanding of what they can do once they’ve taken over an operational technology system. In the case of maritime — whether it be the ports or the vessels themselves, there is a tremendous amount that could be done to harm both the network and physical operations.”</p>
<p>Recently a USCG Rear Admiral, the Assistant Commandant for prevention policy, said shipping faces cyber risks similar to those in other industries; it is just that the stakes are so much higher, given that almost 80% of global trade moves by sea. While Arguin declined to put a number on the frequency of attempted break-ins, he said, “I feel very confident that every day networks are being tested, which really reinforces the need to have a plan.”</p>
<p>Stress System: “A potential intentional attack could really stress the system and we’re certainly thinking about how to shore that up,” the Admiral said in an interview. “When you couple that with the sensitivity of supply chain disruptions, it does have the potential to be devastating to the marine transportation system.” That universe includes not just ship operators but port terminals and the thousands of logistics links in global supply chains that are increasingly interconnected.</p>
<p>BlueVoyant, a New York-based cyber-defense platform that recently analyzed 20 well-known shipping companies, said some strides have been made since 2021, but “there are more cyber-defense actions the industry can take to make things more secure.” A wider survey into third-party cyber risks showed 93% of respondents acknowledged suffering direct breaches tied to supply chain weaknesses, with the average number of intrusions rising to 3.7 last year from 2.7 in 2020, according to BlueVoyant’s director of external cyber assessments.</p>
<p>Hackers have hit major logistics operations several times already this year. Jawaharlal Nehru Port Trust, India’s busiest container port, suffered a ransomware attack in February 2022. A targeted attack on Expeditors International of Washington Inc., a large freight-forwarding company, crippled its systems for about three weeks and led to $60 million in expenses. Blume Global Inc., a supply chain tech company based in Pleasanton, California said in early May that a cyber incident temporarily made its asset-management platform inaccessible.</p>
<p>‘Vulnerable Areas’: “You’ve picked on an industry that has a lot of vulnerable areas,” said the CEO of Arlington, Virginia-based Interos, a supply chain risk-management company. The ocean shipping industry is the backbone of global goods trade but when it comes to cyber vulnerabilities, its broad reach is an Achilles heel. The biggest companies are playing catch-up and, after years of struggling to make money, now have the resources to invest in upgraded ship-to-shore technology.</p>
<p>Hapag-Lloyd AG, Germany’s largest shipping line, announced in April of this year that it will become the first carrier to equip its entire fleet of containers with real-time tracking devices. Most of the large container lines use remote sensors for functions like monitoring engine performance, maintaining cooling systems or opening a pump valve. Electronic charts and collision-avoidance mapping can be updated on shore and shared remotely. Many new ships ordered during this period of peak profitability will be fitted with more online connectivity to land-based operations. Such advances add visibility and efficiency but they also potentially make the jobs of hackers easier, experts said.</p>
<p>“Ships were quickly connected to the internet using satellite communications, but without all the other security controls needed to be safe and secure at sea,” said a security specialist at Pen Test Partners, a cybersecurity company with clients in the maritime industry. “So now shipping operators are frantically trying to build these controls back in, but are struggling with decades-old equipment on board that can be really hard to secure.”</p>
<p>For the past several years, Red Sky Alliance has produced monthly “Vessel Impersonation” reports that show numerous attempts at spoofing companies anywhere along the supply chain, through which 90% of commerce travels by ship.</p>
<p>See: <a href="https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-june-2022">https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-june-2022</a>. This report from our June 2022 collection shows numerous attempts to phish the supply chain by spoofing a vessel.</p>
<p>To help guard against the threats, the International Maritime Organization, a United Nations agency responsible for safety and security, issued guidelines that companies were supposed to adopt starting in 2021. Some analysts said those regulations haven’t had enough of the intended effect and led to a wide range of responses.</p>
<p>System Patchwork: “Some were very proactive and started doing the work long before the regulations,” said the global head of marine risk consulting with Allianz Global Corporate & Specialty, a unit of the Munich-based financial services company, Allianz SE. “On the other end of the spectrum, you had people who are aware and doing just the bare minimum just to get the certificate in their files.”</p>
<p>Even modern ships have a patchwork of systems from different manufacturers that have taken cybersecurity with varying degrees of seriousness, said the former chief information security officer at A.P. Moller-Maersk A/S, the world’s No. 2 container carrier. “Some operators have taken this seriously, but with substantial fleets and ships that are probably over 30 years old, it is a very tall order.”</p>
<p>A maritime security specialist with Bimco, one of the world’s biggest associations representing shipowners, defended the industry’s position on cyber protections as “relatively strong” and on par with other sectors. Though increased digitization brings “more and more of an attack surface,” they said instances where operational controls have been hacked are rare and technically difficult to pull off. “This idea that someone can take over the control of a ship and do all sorts of things, while it might be technically possible for a really skilled hacker who has the time to do it, in reality it’s not really something that we’re seeing,” they said. “Theoretically, yes it can happen and of course we have to constantly stay updated with our defenses and pay attention to new threats.”</p>
<p>‘Huge Underreporting’: No shipper wants to admit they have cyber security issues. There is a “huge underreporting” when ships get attacked and “the ones who say they haven’t been, just don’t know about it.” Across industry and government, there is agreement that there needs to be more information sharing. “Everybody needs to be all-in in this game and understand when there are vulnerabilities; getting that information out quickly is going to be a thing that continues to help us close doors,” the US Coast Guard said.</p>
<p>For some observers, a wakeup call about the stakes involved came in March 2021, when the Ever Given, one of the world’s largest container ships, ran aground and blocked traffic in the Suez Canal for almost a week. The accident, blamed partly on strong winds, cut off much of Europe’s trade with Asia and threw supply chains off kilter for several weeks. “The Suez incident made everybody realize that global supply chains are actually quite vulnerable,” the CG said. “Not that Suez was a hack, it wasn’t, but it so easily could’ve been.”</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p></div>Motor Vessel (MV) & Motor Tanker (MT) Impersonation / June 2022https://redskyalliance.org/transportation/motor-vessel-mv-motor-tanker-mt-impersonation-june-20222022-06-17T14:23:19.000Z2022-06-17T14:23:19.000ZMichael Brousseauhttps://redskyalliance.org/members/MichaelBrousseau<div><p><a href="{{#staticFileLink}}10575761875,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10575761875,RESIZE_400x{{/staticFileLink}}" alt="10575761875?profile=RESIZE_400x" width="250" /></a>Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
<p style="text-align:left;"><strong>Significant Vessel Key Words:</strong><strong><a href="{{#staticFileLink}}10575748468,RESIZE_930x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10575748468,RESIZE_710x{{/staticFileLink}}" alt="10575748468?profile=RESIZE_710x" width="710" /></a></strong></p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10575753694,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10575753694,RESIZE_710x{{/staticFileLink}}" alt="10575753694?profile=RESIZE_710x" width="600" /></a>Figure 1. Map displaying location of attacker domains</p>
<p style="text-align:center;"><a href="{{#staticFileLink}}10575756657,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10575756657,RESIZE_710x{{/staticFileLink}}" alt="10575756657?profile=RESIZE_710x" width="600" /></a><br /> Figure 2. Map displaying location of victim domains</p>
<p><em><a href="{{#staticFileLink}}10575757080,RESIZE_1200x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10575757080,RESIZE_710x{{/staticFileLink}}" alt="10575757080?profile=RESIZE_710x" width="710" /></a></em></p>
<p style="text-align:center;"><em>Figure 3. Sender host by country. Figure 4. Target host by country.</em></p>
<p>Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 60 days. Information extrapolated from the Subject Line. <a href="{{#staticFileLink}}10575758470,original{{/staticFileLink}}">Full Vessel Report Table.pdf</a>.</p>
<p><strong><a href="{{#staticFileLink}}10575758067,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10575758067,RESIZE_710x{{/staticFileLink}}" alt="10575758067?profile=RESIZE_710x" width="700" /></a></strong></p>
<p>Analyzing the subject lines shows similarities in these phishing attempts. In this sample a number of vessels are being impersonated. Common themes in the subject lines include loading calls, discharges, billing, arrival notices, and other seemingly legitimate shipping communications. The use of phrases common within the industry is an attempt to establish credibility for the attacker. Analysts also noticed some emails using fake Purchase Orders, Remittances, and Pro-forma Disbursement Account (PDA) requests to try to scam their victims. These are tempting lures for the recipient.</p>
<p>Most of the vessel impersonations use the name of real ships, such as M/V Arc Resolve sailing under the United States flag and currently in the Gulf of Mexico, MV Phuong Dong 05 sailing under the flag of Vietnam and currently heading to the Philippines, and DOA Glory sailing under the flag of Panama heading to Portugal from Turkey. Other vessels include MV Great Jin, MV HN Luxury, MV Pioneer Irene, and MV Han Grace.</p>
<p>In the ‘Sending’ Email field, we noticed the impersonations of different logistics companies. These companies include Cosco Shipping Lines, Maersk, and DHL Customer Support. All of these are large and legitimate international companies. Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent existing companies. These include a sender “OPS Indo (PT Orientjasa Maritim) with an address at orientagencies.com” which is clearly impersonating the legitimate Orient Maritime Agencies. Others include Coscon, Part Sales & Technical Service Team, and Operation Department.<a href="{{#staticFileLink}}10575761053,RESIZE_584x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10575761053,RESIZE_400x{{/staticFileLink}}" alt="10575761053?profile=RESIZE_400x" width="400" /></a></p>
<p>A number of phishing campaigns reuse the same subject lines and send the malware to multiple targets. The lures they use apply generically to most ports, shipping companies, and vessels. Vessels that have been impersonated in multiple emails include MV Nova, M/V Arc Resolve, MV Mia, and MV Fortune Ocean.<br /> Finally, in the email analysis, we noticed malware similarities. In most of the emails, we observed some form of trojan. The most notable trojans attached include Agent Tesla, Cryxos trojans, FormBook, and other generic trojans. Email samples also had attachments that exploit known Common Vulnerabilities and Exposures (CVEs).</p>
<p>One of the most common CVEs we noticed in the email collections was CVE-2017-11882, a Microsoft Office memory corruption vulnerability that allows remote code execution. A patch for this CVE has been available since November 2017, and if your Microsoft applications and antivirus software are up to date, your systems should be able to detect this as malicious.</p>
<p>Agent Tesla, one of the prominent payloads in the malicious emails analyzed, acts as a keylogger, downloader, and password stealer, and can take screenshots on infected machines. Agent Tesla has been around since 2014 and targets Windows machines.</p>
<p>The Cryxos trojans display a notification alerting the user that the web browser has been blocked and that the user’s credentials are being stolen. The trojan prompts the user to call a support phone line to remove the malware. If the user calls for support, they are then pressured to pay for the services or give the service technician remote access to the machine.</p>
<p>FormBook is another information-stealing trojan operating as Malware-as-a-Service. The malware is easy to use and extremely effective, allowing malicious actors to log user inputs, take screenshots of target machines, and view or interact with files.</p>
<p>Wacatac, detected as Trojan:Win32/Wacatac by Microsoft, is a trojan that is often distributed using spam phishing emails. It is categorized as a trojan, password stealer, banking malware, and spyware. The trojan is used to collect credentials and banking information so malicious actors can carry out online purchases and money transfers.</p>
<p>Generic trojans, which make up a significant portion of the email detections, are malicious programs that share code and behavior with known trojan families. Trojan malware relies on tricking a victim into downloading a file that hides a malicious payload. While the installed file may look legitimate, these programs can hide processes that download further harmful programs, spy on victims, and steal information.</p>
<p>Trojan malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised as a purchase order or invoice. A number of different file types are used to disguise the malicious payloads, including Word documents, Excel spreadsheets, PDFs, and RAR or ZIP archives containing compressed files.</p>
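The indicators this report walks through (a vessel prefix such as MV or MT in the subject line, a sender display name that borrows a real company while the address sits on an unrelated domain, and an Office, PDF or archive attachment) can be combined into a simple inbound-mail triage. The following is an added example and not Red Sky Alliance code; the KNOWN_SENDERS allowlist, the .example domains and all sample messages are constructed placeholders.

```python
"""Triage of inbound mail for vessel-impersonation lures.

Added example, not Red Sky Alliance code. Three checks from the report:
a vessel keyword in the Subject line, a From: display name that names a
known company while the sender domain is unrelated, and an attachment
type of the kind used to carry the payloads. KNOWN_SENDERS and the sample
messages are constructed placeholders, not real captures or real domains.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Vessel prefixes used as lures. Matched case-sensitively because "my" and
# "mt" occur inside ordinary lower-case prose and would create false positives.
KEYWORD_RE = re.compile(r"\b(?:M/T|M/V|M/Y|R/V|MT|MV|MY|RV|VLCC|ULCC|FPSO)\b")

# Hypothetical allowlist: company name token -> domains it legitimately mails
# from. Placeholder values; a deployment would load a vetted contact list.
KNOWN_SENDERS = {
    "maersk": {"maersk.example"},
    "cosco": {"cosco.example"},
    "interport freight": {"interport.example"},
}

# Attachment types the report lists as carriers: Office documents, PDFs, archives.
RISKY_SUFFIXES = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rar", ".zip")


def subject_keywords(subject):
    """Return the distinct vessel prefixes found in a Subject line, sorted."""
    return sorted(set(KEYWORD_RE.findall(subject)))


def display_name_mismatch(from_header):
    """Return the claimed company when the display name names a known company
    but the sender address is not on one of that company's domains."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for company, domains in KNOWN_SENDERS.items():
        if company in name.lower() and domain not in domains:
            return company
    return None


def triage(raw_message):
    """Parse one RFC 5322 message and return the findings plus a verdict."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    keywords = subject_keywords(subject)
    mismatch = display_name_mismatch(msg.get("From", ""))
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [a for a in attachments if a.lower().endswith(RISKY_SUFFIXES)]

    reasons = []
    if keywords:
        reasons.append("vessel keyword in subject: " + ", ".join(keywords))
    if mismatch:
        reasons.append(f"display name claims '{mismatch}' but sender domain is unrelated")
    if risky:
        reasons.append("attachment type used to carry payloads: " + ", ".join(risky))

    # A vessel prefix alone is normal maritime traffic, so it only escalates
    # together with a second indicator; a spoofed known sender is always flagged.
    if keywords and (mismatch or risky):
        verdict = "review"
    elif mismatch:
        verdict = "flag"
    else:
        verdict = "pass"
    return {"subject": subject, "keywords": keywords, "mismatch": mismatch,
            "risky_attachments": risky, "verdict": verdict, "reasons": reasons}


def build_sample(from_header, subject, attachment_name=None):
    """Construct a sample message for exercising triage(); not a real capture."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "ops@port.example"
    msg["Subject"] = subject
    msg.set_content("Please find attached the arrival notice and cargo manifest.")
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_sample('"Hengxin Shipping Co.,Ltd." <ops1@hengxinshipping.example>',
                     "MV BAO XIANG LING-ARRIVAL NOTICE", "arrival_notice.doc"),
        build_sample('"Maersk Line" <ops@web-port.example>', "Remittance advice"),
        build_sample('"Port Agent" <agent@agency.example>', "Berth schedule for next week"),
    ]
    for sample in samples:
        result = triage(sample)
        print(result["verdict"], "|", result["subject"], "|", result["reasons"])
```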
<p><a href="{{#staticFileLink}}10575761096,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10575761096,RESIZE_400x{{/staticFileLink}}" alt="10575761096?profile=RESIZE_400x" width="350" /></a>These analytical results illustrate how a recipient could be fooled into opening an infected email. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by stopping deceptive messages before they reach staff inboxes, but malicious hackers develop new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:<a href="{{#staticFileLink}}10575769069,RESIZE_930x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}10575769069,RESIZE_400x{{/staticFileLink}}" alt="10575769069?profile=RESIZE_400x" width="400" /></a></p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in Steamboat Springs, CO USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><strong><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></strong></p></div>2022 Motor Vessel (MV) & Motor Tanker (MT) Impersonationhttps://redskyalliance.org/transportation/2022-motor-vessel-mv-motor-tanker-mt-impersonation2022-01-25T16:04:30.000Z2022-01-25T16:04:30.000ZNathan Burnhamhttps://redskyalliance.org/members/NathanBurnham<div><p>Red Sky Alliance performs queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.</p>
<p><a href="{{#staticFileLink}}10045521289,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045521289,RESIZE_710x{{/staticFileLink}}" alt="10045521289?profile=RESIZE_710x" width="638" /></a></p>
<p><a href="{{#staticFileLink}}10045589672,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045589672,RESIZE_584x{{/staticFileLink}}" alt="10045589672?profile=RESIZE_584x" width="495" /></a></p>
<p><a href="{{#staticFileLink}}10045589456,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045589456,RESIZE_584x{{/staticFileLink}}" alt="10045589456?profile=RESIZE_584x" width="529" /></a></p>
<p><a href="{{#staticFileLink}}10045585852,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045585852,RESIZE_584x{{/staticFileLink}}" alt="10045585852?profile=RESIZE_584x" width="584" /></a></p>
<p><a href="{{#staticFileLink}}10045587890,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045587890,RESIZE_584x{{/staticFileLink}}" alt="10045587890?profile=RESIZE_584x" width="584" /></a></p>
<p><a href="{{#staticFileLink}}10045591701,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045591701,RESIZE_710x{{/staticFileLink}}" alt="10045591701?profile=RESIZE_710x" width="593" /></a></p>
<p><a href="{{#staticFileLink}}10045592069,RESIZE_710x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045592069,RESIZE_710x{{/staticFileLink}}" alt="10045592069?profile=RESIZE_710x" width="593" /></a></p>
<p>Analyzing the subject lines shows a few similarities between phishing attempts. For instance, many of the subject lines use company or vessel impersonations and port names. Additionally, we see the use of common phrases from within the industry, attempting to establish credibility for the attacker. We also notice some emails (in table 2) using fake Purchase Orders or Remittances to try to scam their victims. Most of the vessel impersonations use the names of real ships, such as Navios Galaxy II, Almi Hydra, Jin Gang, Atlantic Harmony, and SM Jakarta. A few seem to use fake names derived from the names of other real vessels, including Grand Hulk and VTB 38.</p>
<p>When investigating the Sending Email field, we noticed the impersonation of many different companies. Companies impersonated in these phishing emails include Hebei Ocean Shipping Company, Ltd (although the attacker replaces Company with Agency), Almi Tankers, S.A., SM Line, and DSV. Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent currently existing companies. These are CML Logistics, Sahar Supply, and NSTQA.</p>
<p>One example that typifies these phishing attacks is the set of emails sent from “Interport Freight Systems, Inc”. The attacker uses the name of an existing company based in Hawthorne, California, but sends from an invalid web-port.live email domain. When attempting to visit this URL, Google Chrome flags the website as dangerous for its use in phishing attacks.</p>
<p><a href="{{#staticFileLink}}10045567275,RESIZE_400x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}10045567275,RESIZE_400x{{/staticFileLink}}" alt="10045567275?profile=RESIZE_400x" width="380" /></a></p>
<p>Lastly, in the email analysis, we noticed malware similarities. In all the emails, we observed some form of trojan. The most notable trojans installed include Emotet, Kryptic, and STRRat. Emotet was designed to steal sensitive information from the victim’s computer and acts like a worm to spread to other connected computers. Kryptic malware is a backdoor trojan; similar to Emotet, Kryptic also steals sensitive information from the victim’s computer. STRRat is a Java-based Remote Access Trojan. All of these malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised as a purchase order or invoice.</p>
<p>These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.</p>
<p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by stopping deceptive messages before they reach staff inboxes, but malicious hackers develop new techniques to evade current detection daily.</p>
<p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.</p>
<p>It is important to:</p>
<ul>
<li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li>
<li>Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.</li>
<li>Provide practical guidance on how to identify a potential phishing attempt.</li>
<li>Use direct communication to verify emails and supply chain email communication.</li>
</ul>
<p><strong>About Red Sky Alliance</strong></p>
<p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.</p>
<p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul></div>Vessel Impersonation 11 27 2019https://redskyalliance.org/transportation/vessel-impersonation-11-27-20192019-11-27T20:11:43.000Z2019-11-27T20:11:43.000ZAustin Talbothttps://redskyalliance.org/members/AustinTalbot<div><p><strong><a href="{{#staticFileLink}}3744313596,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3744313596,RESIZE_710x{{/staticFileLink}}" alt="3744313596?profile=RESIZE_710x" width="349" height="253" /></a></strong><strong>Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</strong></p><p>Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this weekly list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages. 
</p><p><strong>Significant Vessel Key Words:</strong></p><table width="378"><tbody><tr><td width="84"><p>MT, M/T</p></td><td width="294"><p>merchant tanker</p></td></tr><tr><td width="84"><p>MV, M/V</p></td><td width="294"><p>merchant vessel</p></td></tr><tr><td width="84"><p>MY, M/Y</p></td><td width="294"><p>motor yacht</p></td></tr><tr><td width="84"><p>VLCC</p></td><td width="294"><p>very large crude carrier</p></td></tr><tr><td width="84"><p>ULCC</p></td><td width="294"><p>ultra large crude carrier</p></td></tr><tr><td width="84"><p>RV, R/V</p></td><td width="294"><p>research vessel</p></td></tr><tr><td width="84"><p>FPSO</p></td><td width="294"><p>floating production storage & offloading</p></td></tr></tbody></table><p><strong><a href="{{#staticFileLink}}3744306367,original{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3744306367,RESIZE_710x{{/staticFileLink}}" alt="3744306367?profile=RESIZE_710x" width="710" /></a></strong><em>Figure 1. Geo-location of receiving IPs of the malicious emails. The location is not exact; it is the approximate location of the receiving IP gathered from Red Sky Alliance’s malicious email collection.</em></p><p><a href="{{#staticFileLink}}3744305689,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3744305689,RESIZE_710x{{/staticFileLink}}" alt="3744305689?profile=RESIZE_710x" width="710" /></a><em>Figure 2. Geo-location of sender IPs of the malicious emails. 
The location is not exact; it is the approximate location of the sender IP gathered from the malicious email collection.</em></p><p><em>Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Red Sky Alliance’s malicious email collection from November 21, 2019 to November 26, 2019.</em></p><table width="636"><tbody><tr><td width="48"><p><strong>First Seen</strong></p></td><td width="90"><p><strong>Subject Line Used</strong></p></td><td width="180"><p><strong>Malware Detections</strong></p></td><td width="210"><p><strong>Sending Email</strong></p></td><td width="108"><p><strong>Targets</strong></p></td></tr><tr><td width="48"><p>Nov 22, 2019</p></td><td width="90"><p>BUNKER ESTIMATE - MV SEA HORSE 20TH MAY.2019</p></td><td width="180"><p>Trojan:Win32/Skeeyah.A!MTB - Microsoft</p></td><td width="210"><p>"YEOSU OCEAN CO.,LTD." <ybalicaway@cebuace-maritime.com.ph></p></td><td width="108"><p>woas.net</p></td></tr><tr><td width="48"><p>Nov 23, 2019</p></td><td width="90"><p>MT DELIA //CTM REQUEST with ETA 31st Nov 20192</p></td><td width="180"><p>Trojan:Script/Casur.A!cl - Microsoft</p></td><td width="210"><p>"China Construction Bank" <309cd38@e49cdf609f3ac2.com></p></td><td width="108"><p>e49cdf609f3ac2.com</p></td></tr><tr><td width="48"><p>Nov 25, 2019</p></td><td width="90"><p>MV BAO XIANG LING-ARRIVAL NOTICE</p></td><td width="180"><p>MSOffice/CVE_2017_11882.C!exploit - Fortinet</p></td><td width="210"><p>"Hengxin Shipping Co.,Ltd." 
<ops1@hengxinshipping.com></p></td><td width="108"><p>Target not reported</p></td></tr></tbody></table><p><a href="{{#staticFileLink}}3744308725,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3744308725,RESIZE_710x{{/staticFileLink}}" alt="3744308725?profile=RESIZE_710x" width="710" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 3. Marine Traffic results for the Delia vessel</em></span></p></td></tr></tbody></table><p>In the above collections for MV Sea Horse, MT Delia, MV Bao Xiang Ling and others, we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain.</p><p>MT Delia is an oil and chemical tanker under the Panama flag. Analysis reveals that a malicious email was sent to at least one domain, which appears to be obfuscated. The malware the attacker attempted to deliver is Trojan:Script/Casur.A!cl<a href="#_ftn1">[1]</a>. The subject line of the malicious email is: “<strong>MT DELIA //CTM REQUEST with ETA 31st Nov 20192</strong>”.</p><p>An unsuspecting employee at any company receiving this email would see an email with this subject line, possibly tempting them to open the email to see the details of an apparent call for discharge. If this malware is delivered with any of these exploits, any recipient could become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine / oil and gas supply chain with additional malware.<a href="{{#staticFileLink}}3744310413,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3744310413,RESIZE_710x{{/staticFileLink}}" alt="3744310413?profile=RESIZE_710x" width="710" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 4. 
MV Bao Xiang Ling info from Marinetraffic.com</em></span></p></td></tr></tbody></table><p>In another example, we see a subject line of: “<strong>MV BAO XIANG LING-ARRIVAL NOTICE</strong>”. The MV Bao Xiang Ling is a bulk carrier ship under the China flag, currently moored in Tangshan, east of Beijing. At first glance, any recipient of this email would take it for a bulk carrier vessel notifying the reader of its arrival at a port. To any employee of a port that may be expecting the arrival of the MV Bao Xiang Ling, this would appear to be a legitimate email and would likely entice them to open the email and its attachment, which carries the exploit detected by Fortinet as MSOffice/CVE_2017_11882.C!exploit.</p><p><a href="{{#staticFileLink}}3744312011,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3744312011,RESIZE_710x{{/staticFileLink}}" alt="3744312011?profile=RESIZE_710x" width="526" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 5. Contents of email with subject line “<strong>MV BAO XIANG LING-ARRIVAL NOTICE</strong>”</em></span></p></td></tr></tbody></table><p>In the contents of the email using the subject line “<strong>MV BAO XIANG LING-ARRIVAL NOTICE</strong>” we see the author of the email further instructing the user to open the provided attachment by using the common shipping terms “arrival notice”, “cargo details” and “cargo manifest”. The language used in the email attempts to add to its legitimacy.</p><p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. 
Preventative cyber protection offers a strong first-line defense by stopping deceptive messages before they reach staff inboxes, but malicious actors develop new techniques to evade current detection daily. Preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and our Maritime Blacklists offers a proactive way to block these attacks. Recent studies suggest cyber-criminals research their targets and tailor emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contacts in the hope that staff lower down the supply chain will drop their guard and follow the spoofed instructions. Analysts across the industry are beginning to see maritime-specific examples of these attacks.</p><p>The more convincing an email appears, the greater the chance employees will fall for it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.<a href="#_ftn2">[2]</a></p><p>It is imperative to:</p><ul><li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li><li>Emphasize constant attention to the real-world consequences of careless cyber practices or general inattentiveness.</li><li>Provide practical guidance on how to identify a potential phishing attempt.</li><li>Verify emails and supply chain correspondence by direct communication over a separately known channel (a phone number or address already on file), not by replying to the message.</li><li>Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.</li></ul><p><strong>About Red Sky Alliance</strong></p><p>Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. 
For questions, comments or direct assistance, please contact Red Sky directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p><p> </p><p><a href="#_ftnref1">[1]</a><a href="https://www.virustotal.com/en-gb/file/dc55ab2cf3ce10bb3b166a82b6da06eba2c9df3067c331aa2f73aba6063a02f6/analysis/">https://www.virustotal.com/en-gb/file/dc55ab2cf3ce10bb3b166a82b6da06eba2c9df3067c331aa2f73aba6063a02f6/analysis/</a></p><p><a href="#_ftnref2">[2]</a> <a href="https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444">https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444</a></p><p> </p><p>Link to full report PDF: <a href="{{#staticFileLink}}3744324021,original{{/staticFileLink}}">Vessel_Impersonation_TR-19-331-002.pdf</a></p></div>Vessel Impersonation 11 22 2019https://redskyalliance.org/transportation/vessel-impersonation-11-22-20192019-11-22T17:57:19.000Z2019-11-22T17:57:19.000ZAustin Talbothttps://redskyalliance.org/members/AustinTalbot<div><p><strong><a href="{{#staticFileLink}}3730658566,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3730658566,RESIZE_710x{{/staticFileLink}}" alt="3730658566?profile=RESIZE_710x" width="332" height="221" /></a></strong><strong>Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</strong></p><p>Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this weekly list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails. 
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages. </p><p><strong>Significant Vessel Keys Words:</strong></p><table width="378"><tbody><tr><td width="84"><p>MT, M/T</p></td><td width="294"><p>merchant tanker</p></td></tr><tr><td width="84"><p>MV, M/V</p></td><td width="294"><p>merchant vessel</p></td></tr><tr><td width="84"><p>MY, M/Y</p></td><td width="294"><p>motor yacht</p></td></tr><tr><td width="84"><p>VLCC</p></td><td width="294"><p>very large crude carrier</p></td></tr><tr><td width="84"><p>ULCC</p></td><td width="294"><p>ultra large crude carrier</p></td></tr><tr><td width="84"><p>RV, R/V</p></td><td width="294"><p>research vessel</p></td></tr><tr><td width="84"><p>FPSO</p></td><td width="294"><p>floating production storage & offloading</p><p> </p></td></tr></tbody></table><p><strong><a href="{{#staticFileLink}}3730648420,original{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3730648420,RESIZE_710x{{/staticFileLink}}" alt="3730648420?profile=RESIZE_710x" width="659" height="294" /></a></strong><span style="font-size:8pt;"><em>Figure 1.Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Red Sky Alliance’s malicious email collection.</em></span></p><p><a href="{{#staticFileLink}}3730653640,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3730653640,RESIZE_710x{{/staticFileLink}}" alt="3730653640?profile=RESIZE_710x" width="660" height="306" /></a><span style="font-size:8pt;"><em>Figure 2. Geo-location of sender IPs of the malicious emails. 
Location is not exact and is approximate location of the sender IP gathered from malicious email collection.</em></span></p><p><em>Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Red Sky Alliance’s malicious email collection from November 14, 2019 to November 21, 2019.</em></p><table width="636"><tbody><tr><td width="48"><p><strong> </strong></p><p><strong>First Seen</strong></p></td><td width="96"><p><strong> </strong></p><p><strong>Subject Line Used</strong></p></td><td width="198"><p><strong> </strong></p><p><strong>Malware Detections</strong></p></td><td width="192"><p><strong> </strong></p><p><strong>Sending Email</strong></p></td><td width="102"><p><strong> </strong></p><p><strong>Targets</strong></p></td></tr><tr><td width="48"><p>Nov 16, 2019</p></td><td width="96"><p>MV DA TONG YUN VOY 40 WILL CALL/Request of PDA</p></td><td width="198"><p>Exploit:O97M/CVE-2017-8570.APK!MTB - Microsoft</p></td><td width="192"><p>Ops Vandamarine</p><p><operations@vandamarine.com></p></td><td width="102"><p>info@gicom.nl</p></td></tr><tr><td width="48"><p>Nov 18, 2019</p></td><td width="96"><p>MT PROVIDENCE - Dry Docking & Repairs - Request for Quotation from TEREM- SHIPYARD</p></td><td width="198"><p>Trojan:Win32/Wacatac.B!ml - Microsoft</p></td><td width="192"><p><info@avin.gr></p></td><td width="102"><p>info@zaboplant.nl</p></td></tr><tr><td width="48"><p>Nov 18, 2019</p></td><td width="96"><p>Re: MV UBC TARRAGONA - CREW CHANGE REF NO: C19-2251-012</p></td><td width="198"><p>Trojan:Win32/Dynamer!rfn - Microsoft</p></td><td width="192"><p>lsabella Papavasiliou</p><p><ipapavasiliou@intership-cyprus.com></p></td><td width="102"><p>info@gicom.nl</p></td></tr><tr><td width="48"><p>Nov 19, 2019</p></td><td width="96"><p>REQUEST QUOTATION - MT ORIENTAL GLORY</p></td><td width="198"><p>HEUR:Exploit.RTF.CVE-2017-11882.gen - Kaspersky</p></td><td width="192"><p>Nova Marine Carriers SA <ops@novamarinecarriers.com></p></td><td 
width="102"><p>Targets not reported</p></td></tr><tr><td width="48"><p>Nov 19, 2019</p></td><td width="96"><p>MV TBN // PDA REQUEST</p></td><td width="198"><p>Troj/DownLnk-AK - Sophos AV</p></td><td width="192"><p>Chun An International Logistics Co Ltd <xueruiqi@chunan.com.cn></p></td><td width="102"><p>Targets not reported</p></td></tr></tbody></table><p> </p><p><a href="{{#staticFileLink}}3730666505,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3730666505,RESIZE_710x{{/staticFileLink}}" alt="3730666505?profile=RESIZE_710x" width="710" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 3. Marine Traffic results for the Da Tong Vessel</em></span></p></td></tr></tbody></table><p>In the above collections for MV Da Tong, MT Providence, MV UBC Tarragona and others, we see malicious actors using these vessel names to try and spoof companies in the maritime supply chain.</p><p>MV Da Tong is an actual general cargo ship operating under the flag of Panama. Analysis reveals that a malicious email was sent to the domain Gicom.nl which registers to the GICOM Composting Systems & Metaalbewerking company. This is a Metal Processing company located in the Netherlands. The malware that was attempted to be sent is Exploit:O97M/CVE-2017-8570.APK!MTB<a href="#_ftn1">[1]</a>. The subject line of the malicious email is: “<strong>MV DA TONG YUN VOY 40 WILL CALL/Request of PDA</strong>”.</p><p>An unsuspecting employee at the GICOM metal processing company would see an email with this Subject Line, possibly tempting them to open the email to see the details of an apparent PDA request. 
If the malware is delivered and runs, the recipient could become an infected member of the maritime supply chain and go on to infect vessels, port facilities and/or shore companies in the marine / oil and gas supply chain with additional malware.<a href="{{#staticFileLink}}3730865804,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3730865804,RESIZE_710x{{/staticFileLink}}" alt="3730865804?profile=RESIZE_710x" width="710" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 4. MT Providence info from Marinetraffic.com</em></span></p></td></tr></tbody></table><p>In the next example, we see the subject line “<strong>MT PROVIDENCE - Dry Docking & Repairs - Request for Quotation from TEREM- SHIPYARD</strong>”. The intended target of this malicious email was the domain zaboplant.nl (Table 1). The MT Providence is a real oil and chemical tanker sailing under the flag of Greece, at the time of writing under way in the Sea of Marmara in north-western Turkey. At first glance, a shipyard appears to be requesting a quotation for dry docking and repairs of the tanker. To any employee of a ship repair, supply or logistics company that deals with the MT Providence, this would appear to be a legitimate email and would likely entice them to open the attachment, which Microsoft detects as Trojan:Win32/Wacatac.B!ml. The “!ml” suffix marks a machine-learning verdict rather than an identified family, so the payload should be treated as unknown malware until it is analyzed.</p><p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. 
Preventative cyber protection offers a strong first-line defense by stopping deceptive messages before they reach staff inboxes, but malicious actors develop new techniques to evade current detection daily. Preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and our Maritime Blacklists offers a proactive way to block these attacks. Recent studies suggest cyber-criminals research their targets and tailor emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contacts in the hope that staff lower down the supply chain will drop their guard and follow the spoofed instructions. Analysts across the industry are beginning to see maritime-specific examples of these attacks.</p><p>The more convincing an email appears, the greater the chance employees will fall for it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.<a href="#_ftn2">[2]</a></p><p>It is imperative to:</p><ul><li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li><li>Emphasize constant attention to the real-world consequences of careless cyber practices or general inattentiveness.</li><li>Provide practical guidance on how to identify a potential phishing attempt.</li><li>Verify emails and supply chain correspondence by direct communication over a separately known channel (a phone number or address already on file), not by replying to the message.</li><li>Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.</li></ul><p><strong>About Red Sky Alliance</strong></p><p>Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. 
For questions, comments or direct assistance, please contact Red Sky directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p><p> </p><p><a href="#_ftnref1">[1]</a><a href="https://www.virustotal.com/gui/file/9843c76eab3c1d40ce7b6d5b919270aa69edb55d8dd2d28e7a195d1c9c326d22/detection">https://www.virustotal.com/gui/file/9843c76eab3c1d40ce7b6d5b919270aa69edb55d8dd2d28e7a195d1c9c326d22/detection</a></p><p><a href="#_ftnref2">[2]</a> <a href="https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444">https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444</a></p><p> </p><p>Link to full Vessel Impersonation report: <a href="{{#staticFileLink}}3730926437,original{{/staticFileLink}}">Vessel_Impersonation_TR-19-326-001a.pdf</a></p></div>Vessel Impersonation 11 13 2019https://redskyalliance.org/transportation/vessel-impersonation-11-13-20192019-11-14T18:23:04.000Z2019-11-14T18:23:04.000ZAustin Talbothttps://redskyalliance.org/members/AustinTalbot<div><p><strong><a href="{{#staticFileLink}}3713071510,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3713071510,RESIZE_710x{{/staticFileLink}}" width="374" height="281" alt="3713071510?profile=RESIZE_710x" /></a></strong><strong>Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</strong></p><p>Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this weekly list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails. 
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages. </p><p><strong>Significant Vessel Keys Words:</strong></p><table width="378"><tbody><tr><td width="84"><p>MT, M/T</p></td><td width="294"><p>merchant tanker</p></td></tr><tr><td width="84"><p>MV, M/V</p></td><td width="294"><p>merchant vessel</p></td></tr><tr><td width="84"><p>MY, M/Y</p></td><td width="294"><p>motor yacht</p></td></tr><tr><td width="84"><p>VLCC</p></td><td width="294"><p>very large crude carrier</p></td></tr><tr><td width="84"><p>ULCC</p></td><td width="294"><p>ultra large crude carrier</p></td></tr><tr><td width="84"><p>RV, R/V</p></td><td width="294"><p>research vessel</p></td></tr><tr><td width="84"><p>FPSO</p></td><td width="294"><p>floating production storage & offloading</p></td></tr></tbody></table><p><strong><a href="{{#staticFileLink}}3713077172,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3713077172,RESIZE_710x{{/staticFileLink}}" width="661" height="286" alt="3713077172?profile=RESIZE_710x" /></a></strong><span style="font-size:10pt;"><em>Figure 1.Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Red Sky Alliance’s malicious email collection.</em></span></p><p><a href="{{#staticFileLink}}3713078050,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3713078050,RESIZE_710x{{/staticFileLink}}" width="664" height="265" alt="3713078050?profile=RESIZE_710x" /></a><em>Figure 2. Geo-location of sender IPs of the malicious emails. 
Location is not exact and is approximate location of the sender IP gathered from malicious email collection.</em></p><p><em>Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Red Sky Alliance’s malicious email collection from November 7, 2019 to November 13, 2019.</em></p><table width="636"><tbody><tr><td width="48"><p><strong>First Seen</strong></p></td><td width="96"><p><strong>Subject Line Used</strong></p></td><td width="204"><p><strong>Malware Detections</strong></p></td><td width="168"><p><strong>Sending Email</strong></p></td><td width="120"><p><strong>Targets</strong></p></td></tr><tr><td width="48"><p>Nov 8, 2019</p></td><td width="96"><p>MV LE MIN VOY1793 CALLING FOR DISCHARGING</p></td><td width="204"><p>Trojan:Script/Oneeva.A!ml - Microsoft</p></td><td width="168"><p>Mr.YANG Hao Lin</p><p><e38494@6a68cebaf9.cn></p></td><td width="120"><p>25df9910ac430f.com</p></td></tr><tr><td width="48"><p>Nov 8, 2019</p></td><td width="96"><p>MV HAESUNG TBN EPDA REQUEST</p></td><td width="204"><p>HEUR:Trojan-Downloader.VBS.Agent.gen - Kaspersky</p></td><td width="168"><p>ARLYN</p><p><07a3d@269f1adc6cbaf.ph></p></td><td width="120"><p>25df9910ac430f.com</p></td></tr><tr><td width="48"><p>Nov 9, 2019</p></td><td width="96"><p>AGENT NOMINATION - MV. COLUMBA / SEA NET - LDG 50,000MT 12% MOLOO OF LIME STONE IN BULK</p></td><td width="204"><p>HEUR:Trojan-Downloader.VBS.Agent.gen - Kaspersky</p></td><td width="168"><p>SEA NET SHIPPING CO., LTD. 
<64ab97@c40afec6eef1f9030.kr></p></td><td width="120"><p>caf9bf46355dca3e5df3.com</p></td></tr></tbody></table><p> <a href="{{#staticFileLink}}3713075752,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3713075752,RESIZE_710x{{/staticFileLink}}" width="710" alt="3713075752?profile=RESIZE_710x" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 3. Marine Traffic results for the Le Min Vessel</em></span></p></td></tr></tbody></table><p>In the above collections for MV Le Min, MV Haesung and MV Columba we see malicious actors using these vessel names to try and spoof companies in the maritime supply chain.</p><p>MV Le Min is an actual general cargo ship operating under the flag of China. Analysis reveals that a malicious email was sent to at least one domain that appears to be obfuscated. The attachment it attempted to deliver is detected as Trojan:Script/Oneeva.A!ml<a href="#_ftn1">[1]</a>. The subject line of the malicious email is: “<strong>MV LE MIN VOY1793 CALLING FOR DISCHARGING</strong>”.</p><p>An unsuspecting employee at any company receiving this email would see this Subject Line, possibly tempting them to open the email to see the details of an apparent call for discharging. If the malware is delivered and runs, the recipient could become an infected member of the maritime supply chain and go on to infect vessels, port facilities and/or shore companies in the marine / oil and gas supply chain with additional malware.</p><p><a href="{{#staticFileLink}}3713080557,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3713080557,RESIZE_710x{{/staticFileLink}}" width="710" alt="3713080557?profile=RESIZE_710x" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 4. MV Haesung info from Marinetraffic.com</em></span></p></td></tr></tbody></table><p>In another example, we see the subject line “<strong>MV HAESUNG TBN EPDA REQUEST</strong>”. The intended target of this malicious email is a domain which also appears to be obfuscated. The MV Haesung is a real gas carrier sailing under the flag of South Korea, at the time of writing docked near Seoul. At first glance, a gas carrier appears to be requesting an estimated proforma disbursement account (EPDA), the routine port-cost estimate an agent is asked for ahead of a call; “TBN” (to be named) is equally routine wording. To any employee of a shipping or agency company that may be expecting the MV Haesung, this would appear to be a legitimate email and would likely entice them to open the attachment, which Kaspersky detects as HEUR:Trojan-Downloader.VBS.Agent.gen, a VBScript downloader that fetches a second-stage payload.</p><p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by stopping deceptive messages before they reach staff inboxes, but malicious actors develop new techniques to evade current detection daily. Preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and our Maritime Blacklists offers a proactive way to block these attacks. Recent studies suggest cyber-criminals research their targets and tailor emails to staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contacts in the hope that staff lower down the supply chain will drop their guard and follow the spoofed instructions. Analysts across the industry are beginning to see maritime-specific examples of these attacks.</p><p>The more convincing an email appears, the greater the chance employees will fall for it. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.<a href="#_ftn2">[2]</a></p><p>It is imperative to:</p><ul><li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li><li>Emphasize constant attention to the real-world consequences of careless cyber practices or general inattentiveness.</li><li>Provide practical guidance on how to identify a potential phishing attempt.</li><li>Verify emails and supply chain correspondence by direct communication over a separately known channel (a phone number or address already on file), not by replying to the message.</li><li>Use Red Sky Alliance RedXray proactive support, our Vessel Impersonation information and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.</li></ul><p><strong>About Red Sky Alliance</strong></p><p>Red Sky Alliance is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. 
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p><p> </p><p><a href="#_ftnref1">[1]</a><a href="https://www.virustotal.com/gui/file/ea12e0b292675f24533ce0f05949288d9c6617814eee206035392ccb9b91f6ba/detection">https://www.virustotal.com/gui/file/ea12e0b292675f24533ce0f05949288d9c6617814eee206035392ccb9b91f6ba/detection</a></p><p><a href="#_ftnref2">[2]</a> <a href="https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444">https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444</a></p></div>Vessel Impersonation 11 07 2019https://redskyalliance.org/transportation/vessel-impersonation-11-07-20192019-11-08T13:57:53.000Z2019-11-08T13:57:53.000ZAustin Talbothttps://redskyalliance.org/members/AustinTalbot<div><p><strong><a href="{{#staticFileLink}}3703418244,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3703418244,RESIZE_710x{{/staticFileLink}}" width="349" height="216" alt="3703418244?profile=RESIZE_710x" /></a></strong><strong>Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</strong></p><p>Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this weekly list of Motor Vessels in which Red Sky Alliance directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages. 
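</p>
<p>As an added example that is not part of the original report, the following Python script applies the report's own signals to inbound mail: the vessel prefixes from the keyword table, lure phrases taken from the subject lines in the weekly tables, the attachment types behind the listed detections (Office/RTF exploit documents, VBS and LNK downloaders), and a sender blocklist. The lure list, extension list and blocklist entries are assumptions chosen for illustration; a deployment would populate the blocklist from the Maritime Blacklists and tune the rest from its own mail telemetry. The sample messages are constructed, with subjects modelled on the tables and senders on reserved .invalid domains.</p>

```python
"""Triage inbound mail for vessel-impersonation lures.

Added example, not Red Sky Alliance code. Scores each message on four
signals: a vessel prefix in the subject (the keyword table), a shipping
lure phrase (drawn from the weekly tables), an attachment type matching
the reported detections, and a sender domain on a local blocklist.
"""
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Prefixes from the "Significant Vessel Keys Words" table, with slashed forms.
# Matched case-sensitively on purpose: "my" and "mt" occur in ordinary English,
# while vessel prefixes in shipping mail are written in capitals.
VESSEL_PREFIX = re.compile(r"\b(?:M/?[TVY]|VLCC|ULCC|R/?V|FPSO)\b")

# Lure phrases seen in the subject lines of the weekly tables (assumed list,
# matched against the upper-cased subject).
LURE_TERMS = (
    "PDA REQUEST", "REQUEST OF PDA", "EPDA", "ARRIVAL NOTICE", "CTM REQUEST",
    "CALLING FOR", "DISCHARG", "SHIPPING DOCUMENTS", "REQUEST QUOTATION",
    "REQUEST FOR QUOTATION", "CREW CHANGE", "AGENT NOMINATION", "PORT AGENCY",
    "WILL CALL", "CARGO MANIFEST",
)

# Attachment types behind the reported detections: Office/RTF exploit documents
# (CVE-2017-11882, CVE-2017-8570), VBS downloaders, LNK downloaders, and the
# archives used to wrap them (assumed list).
RISKY_EXT = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm",
             ".vbs", ".js", ".jse", ".lnk", ".iso", ".img", ".zip", ".rar",
             ".ace", ".7z"}

# Placeholder blocklist (assumption): a deployment would load a maritime
# blacklist feed here instead of a literal set.
SENDER_BLOCKLIST = {"bad-agency.invalid"}


def attachment_names(msg) -> list:
    """Return the filenames of all attachment parts in a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> dict:
    """Parse one raw RFC 5322 message and return a verdict with its reasons."""
    msg = message_from_string(raw, policy=policy.default)  # unfolds headers
    subject = str(msg.get("Subject", ""))
    _, sender = parseaddr(str(msg.get("From", "")))
    domain = sender.rpartition("@")[2].lower()
    reasons = []
    if VESSEL_PREFIX.search(subject):
        reasons.append("vessel-prefix")
    if any(term in subject.upper() for term in LURE_TERMS):
        reasons.append("lure-term")
    risky = [n for n in attachment_names(msg)
             if os.path.splitext(n)[1].lower() in RISKY_EXT]
    if risky:
        reasons.append("risky-attachment")
    if domain in SENDER_BLOCKLIST:
        reasons.append("blocklisted-sender")

    if "blocklisted-sender" in reasons or \
            {"vessel-prefix", "lure-term", "risky-attachment"} <= set(reasons):
        verdict = "quarantine"   # do not deliver; detonate in a sandbox
    elif "vessel-prefix" in reasons and "lure-term" in reasons:
        verdict = "flag"         # deliver with a banner; verify out of band
    else:
        verdict = "pass"
    return {"subject": subject, "sender": sender, "verdict": verdict,
            "reasons": reasons, "risky_attachments": risky}


def build_sample(sender: str, subject: str, attachment: str = "") -> str:
    """Construct a raw message for the demo (sample data, not captured mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "ops@shipper.invalid"
    m["Subject"] = subject
    m.set_content("Please find attached the cargo details and cargo manifest.")
    if attachment:
        m.add_attachment(b"placeholder-bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: subjects modelled on the weekly tables, senders not real.
SAMPLES = [
    build_sample("Ops <operations@agency.invalid>",
                 "MV DA TONG YUN VOY 40 WILL CALL/Request of PDA", "PDA_Request.doc"),
    build_sample("Line Agent <agent@carrier.invalid>",
                 "MV BAO XIANG LING-ARRIVAL NOTICE"),
    build_sample("Colleague <hr@shipper.invalid>",
                 "Send me my timesheet for Nov", "timesheet.pdf"),
    build_sample("Unknown <x@bad-agency.invalid>", "Invoice 4471", "invoice.pdf"),
]


def triage_all() -> list:
    """Verdicts for the constructed samples, in order."""
    return [triage(raw)["verdict"] for raw in SAMPLES]


if __name__ == "__main__":
    for raw in SAMPLES:
        r = triage(raw)
        print(f'{r["verdict"]:10} {r["reasons"]} {r["subject"]!r}')
```

<p>Three outcomes are distinguished on purpose: a blocklisted sender, or a vessel prefix plus a lure plus a risky attachment, is quarantined outright; a vessel prefix plus a lure with no risky attachment is delivered with a flag so staff apply the direct-communication check before acting on it; everything else passes. Tune the lure list per fleet, since PDA and EPDA requests are also the daily business of a legitimate agency desk, and keep the prefix match case-sensitive so that ordinary words such as “my” do not trip it.</p>
<p>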
</p><p><strong>Significant Vessel Keys Words:</strong></p><table width="378"><tbody><tr><td width="84"><p>MT, M/T</p></td><td width="294"><p>merchant tanker</p></td></tr><tr><td width="84"><p>MV, M/V</p></td><td width="294"><p>merchant vessel</p></td></tr><tr><td width="84"><p>MY, M/Y</p></td><td width="294"><p>motor yacht</p></td></tr><tr><td width="84"><p>VLCC</p></td><td width="294"><p>very large crude carrier</p></td></tr><tr><td width="84"><p>ULCC</p></td><td width="294"><p>ultra large crude carrier</p></td></tr><tr><td width="84"><p>RV, R/V</p></td><td width="294"><p>research vessel</p></td></tr><tr><td width="84"><p>FPSO</p></td><td width="294"><p>floating production storage & offloading</p></td></tr></tbody></table><p><strong><a href="{{#staticFileLink}}3703389996,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3703389996,RESIZE_710x{{/staticFileLink}}" alt="3703389996?profile=RESIZE_710x" width="710" /></a></strong><em>Figure 1.Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Red Sky Alliance’s malicious email collection.</em></p><p><a href="{{#staticFileLink}}3703393116,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3703393116,RESIZE_710x{{/staticFileLink}}" alt="3703393116?profile=RESIZE_710x" width="710" /></a><em>Figure 2. Geo-location of sender IPs of the malicious emails. 
Location is not exact and is approximate location of the sender IP gathered from malicious email collection.</em></p><p><em>Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Red Sky Alliance’s malicious email collection from November 1, 2019 to November 7, 2019.</em></p><table width="636"><tbody><tr><td width="60"><p><strong> </strong></p><p><strong>First Seen</strong></p></td><td width="84"><p><strong> </strong></p><p><strong>Subject Line Used</strong></p></td><td width="216"><p><strong> </strong></p><p><strong>Malware Detections</strong></p></td><td width="180"><p><strong> </strong></p><p><strong>Sending Email</strong></p></td><td width="96"><p><strong> </strong></p><p><strong>Targets</strong></p></td></tr><tr><td width="60"><p>Nov 4, 2019</p></td><td width="84"><p>RE : MV SERIANA voy-32 possibility discharging of H.F.O</p></td><td width="216"><p>Trojan:Win32/Azorult.PA!MTB - Microsoft</p></td><td width="180"><p>"CHUBU KAIUN KAISHA, LTD." 
<ckk_agency@sankyu.co.jp></p></td><td width="96"><p>railquip.com.au</p></td></tr><tr><td width="60"><p>Nov 4, 2019</p></td><td width="84"><p>MV SUN GRACE / Port Agency Appointment</p></td><td width="216"><p>Trojan.Win32.Agentb.jrem - Kaspersky</p></td><td width="180"><p>"CHIBA MARINE KOREA CO., LTD"</p><p><cmhk@chibamarine.kr></p></td><td width="96"><p>railquip.com.au</p></td></tr><tr><td width="60"><p>Nov 4, 2019</p></td><td width="84"><p>MV TOROS-M//DRAFT SHIPPING DOCUMENTS</p></td><td width="216"><p>HEUR:Exploit.MSOffice.Generic - Kaspersky</p></td><td width="180"><p>"Standard Shipping Co., Ltd"</p><p><skim@standardshipping.co.kr></p></td><td width="96"><p>korealogistics.kr</p></td></tr></tbody></table><table style="height:22px;width:99.504%;" width="1003"><tbody><tr><td><p> </p></td></tr></tbody></table><p>In the above collections for MV Seriana, MV Sun Grace and MV Toros M we see malicious actors using these vessel names to try and spoof companies in the maritime supply chain.</p><p><a href="{{#staticFileLink}}3703396486,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3703396486,RESIZE_710x{{/staticFileLink}}" alt="3703396486?profile=RESIZE_710x" width="633" height="263" /></a><span style="font-size:8pt;"><em>Figure 3. Marine Traffic results for the Seriana Vessel</em></span></p><p>MV Seriana is an actual oil and chemical tanker operating under the flag of Malta, an island country located south of Italy. Analysis reveals that a malicious email was sent to the domain railquip.com.au, which is owned by the Australian branch of the company Railquip Inc., a manufacturer of transportation and portable hydraulic rerailing equipment. The malware that was attempted to be sent to this company is Trojan:Win32/Azorult.PA!MTB<a href="#_ftn1">[1]</a>. 
The subject line of the malicious email is: “<strong>RE : MV SERIANA voy-32 possibility discharging of H.F.O</strong>”.<a href="{{#staticFileLink}}3703401678,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3703401678,RESIZE_710x{{/staticFileLink}}" alt="3703401678?profile=RESIZE_710x" width="614" height="443" /></a></p><table width="100%"><tbody><tr><td><p><span style="font-size:8pt;"><em>Figure 4. Website for Railquip, Inc.</em></span></p><p>An unsuspecting employee at Railquip, Inc. would see an email with this Subject Line, possibly tempting them to open the email to see the details of an apparent heavy fuel oil discharge. If this malware is delivered, with any of these exploits, the chemical company could then become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine / oil and gas supply chain with additional malware.</p></td></tr></tbody></table><table style="height:318px;width:99.4048%;" width="1002"><tbody><tr style="height:59px;"><td style="height:59px;"><p><a href="{{#staticFileLink}}3703406391,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3703406391,RESIZE_710x{{/staticFileLink}}" alt="3703406391?profile=RESIZE_710x" width="629" height="272" /></a><span style="font-size:8pt;"><em>Figure 5. MV Toros M info from Marinetraffic.com</em></span></p></td></tr></tbody></table><p>In another example, we see a subject line of: “<strong>MV TOROS-M//DRAFT SHIPPING DOCUMENTS</strong>” The intended targets of this malicious email was a Korean logistics company / provider. The MV Toros M is a real bulk carrier vessel sailing under the flag of Panama, currently sailing in the Red Sea West of Saudi Arabia. At first glance by any recipient of this email, a bulk carrier vessel is appearing to provide shipping documents. 
To any employee of a shipping or logistics company expecting that may be expecting the arrival of the MV Toros M, this would appear to be a legitimate email and would likely entice them to click on the email and thus download malware like the listed HEUR:Exploit.MSOffice.Generic malware detected by Kaspersky.</p><p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky AllianceRedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.</p><p>The more convincing an email appears, the greater the chance employees will fall for a scam. 
To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.<a href="#_ftn2">[2]</a></p><p>It is imperative to:</p><ul><li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li><li>Emphasize maintaining constant attention to the real-world consequences of careless cyber practices or general inattentiveness.</li><li>Provide practical guidance on how to identify a potential phishing attempt.</li><li>Verify unexpected emails and supply chain correspondence through a separate channel, such as a known phone number or an address already on file, rather than by replying to the message.</li><li>Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and the Maritime Blacklists to proactively block cyber attacks from identified malicious actors.</li></ul><p><strong> </strong></p><p><strong>About Red Sky Alliance</strong></p><p>Red Sky Alliance is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. 
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p><p> </p><p><a href="#_ftnref1">[1]</a><a href="https://virustotal.com/en/file/46a06dac0c3ebe022ebd49de717653cb1fd4c4d5fc49756b87ac9d0d19f21890/analysis/">https://virustotal.com/en/file/46a06dac0c3ebe022ebd49de717653cb1fd4c4d5fc49756b87ac9d0d19f21890/analysis/</a></p><p><a href="#_ftnref2">[2]</a> <a href="https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444">https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444</a></p></div>Vessel Impersonation 11 01 2019https://redskyalliance.org/transportation/vessel-impersonation-11-01-20192019-11-01T17:37:20.000Z2019-11-01T17:37:20.000ZAustin Talbothttps://redskyalliance.org/members/AustinTalbot<div><p><strong><a href="{{#staticFileLink}}3692200640,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3692200640,RESIZE_710x{{/staticFileLink}}" width="315" height="237" alt="3692200640?profile=RESIZE_710x" /></a></strong><strong>Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</strong></p><p>Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages. 
</p><p><strong>Significant Vessel Key Words:</strong></p><table width="378"><tbody><tr><td width="84"><p>MT, M/T</p></td><td width="294"><p>motor tanker</p></td></tr><tr><td width="84"><p>MV, M/V</p></td><td width="294"><p>motor vessel</p></td></tr><tr><td width="84"><p>MY, M/Y</p></td><td width="294"><p>motor yacht</p></td></tr><tr><td width="84"><p>VLCC</p></td><td width="294"><p>very large crude carrier</p></td></tr><tr><td width="84"><p>ULCC</p></td><td width="294"><p>ultra large crude carrier</p></td></tr><tr><td width="84"><p>RV, R/V</p></td><td width="294"><p>research vessel</p></td></tr><tr><td width="84"><p>FPSO</p></td><td width="294"><p>floating production storage & offloading</p></td></tr></tbody></table><p><strong><a href="{{#staticFileLink}}3692177858,original{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3692177858,RESIZE_710x{{/staticFileLink}}" width="710" alt="3692177858?profile=RESIZE_710x" /></a></strong>Figure 1. Geo-location of receiving IPs of the malicious emails. Locations are approximate, derived from the receiving IP as recorded in Wapack Labs’ malicious email collection.</p><p><a href="{{#staticFileLink}}3692178521,original{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3692178521,RESIZE_710x{{/staticFileLink}}" width="710" alt="3692178521?profile=RESIZE_710x" /></a>Figure 2. Geo-location of sender IPs of the malicious emails. 
Locations are approximate, derived from the sender IP as recorded in Wapack Labs’ malicious email collection.</p><p><em>Table 1: Subject lines, motor vessel, malware detections and sender data seen in Wapack Labs’ malicious email collection from October 25, 2019 to November 1, 2019.</em></p><table width="636"><tbody><tr><td width="60"><p><strong>First Seen</strong></p></td><td width="84"><p><strong>Subject Line Used</strong></p></td><td width="210"><p><strong>Malware Detection (name - vendor)</strong></p></td><td width="174"><p><strong>Sending Email (display name and mailbox)</strong></p></td><td width="108"><p><strong>Targets (receiving domains and mail hosts)</strong></p></td></tr><tr><td width="60"><p>October 27th 2019</p></td><td width="84"><p>Delivered: Re: M/T Eleanna</p></td><td width="210"><p>TrojanDownloader:O97M/Emotet.OU!MTB - Microsoft</p></td><td width="174"><p>"smugica@smprevencio.com" &lt;sales1@microcomm.com.sg&gt;</p></td><td width="108"><p>relay2.station12.com</p><p> </p><p>brts.barracuda.com</p><p> </p><p>amosconnect.com</p><p> </p><p>microcomm.com.sg</p><p> </p><p>cloudmail101.zonecybersite.com</p><p> </p><p>spamexpertfilterw.mschosting.com</p></td></tr><tr><td width="60"><p>October 27th 2019</p></td><td width="84"><p>Request PDA - MV Tasmanic Winter - V 075 / Discharging</p></td><td width="210"><p>Trojan:Script/Oneeva.A!ml - Microsoft</p></td><td width="174"><p>"COSCO SHIPPING BULK CO" &lt;1f02726728@a5eeea0a73a.com&gt;</p></td><td width="108"><p>a5eeea0a73a.com</p><p> </p><p>c2634.net</p></td></tr></tbody></table><p>In the above collections for MT Eleanna and MV Tasmanic Winter we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain. Note the sender fields as well: in both rows the display name (an unrelated address, smugica@smprevencio.com, and a company name, COSCO SHIPPING BULK CO) differs from the mailbox actually used, a display-name spoof that a mail filter can check for directly.</p><p><a href="{{#staticFileLink}}3692181594,RESIZE_1200x{{/staticFileLink}}"><img 
class="align-full" src="{{#staticFileLink}}3692181594,RESIZE_710x{{/staticFileLink}}" width="710" height="296" alt="3692181594?profile=RESIZE_710x" /></a><span style="font-size:8pt;"><em>Figure 3. Marine Traffic results for MT Eleanna</em></span></p><p>MT Eleanna is an actual oil and chemical tanker operating under the flag of Panama. Analysis reveals that a malicious email was sent to multiple domains registered to telecommunications and web hosting companies. The attachment sent to these companies is detected as TrojanDownloader:O97M/Emotet.OU!MTB<a href="#_ftn1">[1]</a>, Microsoft’s name for an Office macro document that downloads Emotet; Emotet began as a banking trojan and by 2019 was used mainly as a loader for other malware, so the macro is only the first stage. The subject line of the malicious email is: “<strong>Delivered: Re: M/T Eleanna</strong>”.</p><p>An unsuspecting employee at one of these web hosting companies would see an email with this subject line, where the word “Delivered” and the “Re:” prefix make it look like a reply in an existing thread, and might open it to see the details of the apparent delivery. One of the domains observed to be targeted is amosconnect.com, the website for the AmosConnect software by Stratos Global. AmosConnect is an e-mail service that communicates over satellite links and as such is widely used onboard vessels in the maritime industry. If the macro runs, the company, or potentially the AmosConnect email service, becomes an infected member of the maritime supply chain and can in turn pass additional malware to vessels, port facilities and shore companies in the marine and oil and gas supply chain.</p><p><a href="{{#staticFileLink}}3692198587,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3692198587,RESIZE_710x{{/staticFileLink}}" width="463" height="379" alt="3692198587?profile=RESIZE_710x" /></a><span style="font-size:8pt;"><em>Figure 4. 
Website for the AmosConnect software from Stratos Global</em></span></p><p>In the second example, we see a subject line of: “<strong>Request PDA - MV Tasmanic Winter - V075/ Discharging</strong>”. The intended targets of this malicious email were two domains with nondescript, apparently generated names (a5eeea0a73a.com and c2634.net). The MV Tasmanic Winter is a real American flagged general cargo ship, at the time of writing sailing in the English Channel just north of France. At first glance, a recipient sees an American cargo ship requesting a proforma disbursement account (PDA), the routine port-call cost estimate an agent prepares before a vessel arrives. To any employee of a shipping company or port agency expecting the arrival of the MV Tasmanic Winter, this would appear to be a legitimate request and would likely entice them to open the attachment, which Microsoft detects as Trojan:Script/Oneeva.A!ml (the !ml suffix marks a machine-learning based detection). The sending address is also telling: the display name reads “COSCO SHIPPING BULK CO”, but the mailbox is 1f02726728@a5eeea0a73a.com, one of the two target domains and nothing to do with COSCO.</p><p><span style="font-size:8pt;"><em><a href="{{#staticFileLink}}3692188596,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3692188596,RESIZE_710x{{/staticFileLink}}" width="710" alt="3692188596?profile=RESIZE_710x" /></a></em></span><span style="font-size:8pt;"><em>Figure 5. MV Tasmanic Winter info from Marinetraffic.com</em></span></p><p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection daily. 
Preemptive information from the Wapack Labs RedXray diagnostic tool, our Vessel Impersonation reports and our Maritime Blacklists offers a proactive way to stop cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts are beginning to see maritime-specific examples of these attacks. A recent incident in the Gulf of Guinea saw cyber criminals send spoof emails requesting a cargo manifest, with a view to possibly attacking the vessel and targeting the containers with the highest-value contents. </p><p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.<a href="#_ftn2">[2]</a></p><p>It is imperative to:</p><ul><li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li><li>Emphasize maintaining constant attention to the real-world consequences of careless cyber practices or general inattentiveness.</li><li>Provide practical guidance on how to identify a potential phishing attempt.</li><li>Verify unexpected emails and supply chain correspondence through a separate channel, such as a known phone number or an address already on file, rather than by replying to the message.</li><li>Use Wapack Labs RedXray proactive support, our Vessel impersonation information and the Maritime Blacklists to proactively block cyber attacks from identified malicious actors.</li></ul><p><strong> </strong></p><p><strong>About Wapack Labs </strong></p><p>Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. 
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p><p> </p><p><a href="#_ftnref1">[1]</a><a href="https://www.virustotal.com/gui/file/97850a2cb486e962b0aa0f66d37212a71e0c14a9de4dc489fce8c34c2e907b5b/detection">https://www.virustotal.com/gui/file/97850a2cb486e962b0aa0f66d37212a71e0c14a9de4dc489fce8c34c2e907b5b/detection</a></p><p><a href="#_ftnref2">[2]</a> <a href="https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444">https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444</a></p></div>Vessel Impersonation 10 25 2019https://redskyalliance.org/transportation/vessel-impersonation-10-25-20192019-10-25T19:43:48.000Z2019-10-25T19:43:48.000ZAustin Talbothttps://redskyalliance.org/members/AustinTalbot<div><p><strong><a href="{{#staticFileLink}}3680034715,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3680034715,RESIZE_710x{{/staticFileLink}}" width="309" height="216" alt="3680034715?profile=RESIZE_710x" /></a></strong><strong>Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</strong></p><p>Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages. 
</p><p><strong>Significant Vessel Key Words:</strong></p><table width="378"><tbody><tr><td width="84"><p>MT, M/T</p></td><td width="294"><p>motor tanker</p></td></tr><tr><td width="84"><p>MV, M/V</p></td><td width="294"><p>motor vessel</p></td></tr><tr><td width="84"><p>MY, M/Y</p></td><td width="294"><p>motor yacht</p></td></tr><tr><td width="84"><p>VLCC</p></td><td width="294"><p>very large crude carrier</p></td></tr><tr><td width="84"><p>ULCC</p></td><td width="294"><p>ultra large crude carrier</p></td></tr><tr><td width="84"><p>RV, R/V</p></td><td width="294"><p>research vessel</p></td></tr><tr><td width="84"><p>FPSO</p></td><td width="294"><p>floating production storage & offloading</p></td></tr></tbody></table><p><strong><a href="{{#staticFileLink}}3680027844,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3680027844,RESIZE_710x{{/staticFileLink}}" width="710" alt="3680027844?profile=RESIZE_710x" /></a></strong><em>Figure 1. Geo-location of receiving IPs of the malicious emails. Locations are approximate, derived from the receiving IP as recorded in Wapack Labs’ malicious email collection.</em></p><p><a href="{{#staticFileLink}}3680028042,RESIZE_930x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3680028042,RESIZE_710x{{/staticFileLink}}" width="710" alt="3680028042?profile=RESIZE_710x" /></a><em>Figure 2. Geo-location of sender IPs of the malicious emails. 
Locations are approximate, derived from the sender IP as recorded in Wapack Labs’ malicious email collection.</em></p><p><em>Table 1: Subject lines, motor vessel, malware detections and sender data seen in Wapack Labs’ malicious email collection from October 17, 2019 to October 25, 2019.</em></p><table width="630"><tbody><tr><td width="66"><p><strong>First Seen</strong></p></td><td width="84"><p><strong>Subject Line Used</strong></p></td><td width="198"><p><strong>Malware Detections (vendor - name)</strong></p></td><td width="156"><p><strong>Sending Email (display name and mailbox)</strong></p></td><td width="126"><p><strong>Targets (receiving domains and mail hosts)</strong></p></td></tr><tr><td width="66"><p>October 17th 2019</p></td><td width="84"><p>ARRIVAL NOTICE // MINH DUC // M/V INVICTA 002S ETA 18 OCT</p></td><td width="198"><p>CAT-QuickHeal - Exp.RTF.Obfus.Gen</p><p> </p><p>NANO-Antivirus - Exploit.Rtf.Heuristic-rtf.dinbqn</p><p> </p><p>Ikarus - Exploit.RTF.Doc</p><p> </p><p>DrWeb - Exploit.Rtf.CVE2012-0158</p><p> </p><p>Cyren - RTF/Agent.DZ</p></td><td width="156"><p>HUMANE&gt;hmlx.co.kr &lt;bjh@teramicro.co.kr&gt;</p></td><td width="126"><p>dwchem.co.kr</p><p> </p><p>hmlx.co.kr</p><p> </p><p>teramicro.co.kr</p><p> </p><p>fastfreight.co.th</p></td></tr><tr><td width="66"><p>October 17th 2019</p></td><td width="84"><p>Urgent Quotation No.:23611472 : REQUISITION 047ENG/110/19- M/V Eagle</p></td><td width="198"><p>CAT-QuickHeal - Exp.RTF.Obfus.Gen</p><p> </p><p>NANO-Antivirus - Exploit.Rtf.Heuristic-rtf.dinbqn</p><p> </p><p>Cyren - RTF/Agent.DZ</p><p> </p><p>Zoner - Probably RTFObfuscationD</p><p> </p><p>DrWeb - Exploit.Rtf.CVE2012-0158</p><p> </p><p>Ikarus - Exploit.RTF.Doc</p><p> </p><p>Kaspersky - HEUR:Exploit.RTF.CVE-2017-11882.gen</p></td><td width="156"><p>Y.Jang- EH ENGI &lt;tacdmk4@transaircargo.com&gt;</p></td><td width="126"><p>relay2.thaicloudsolutions.com</p><p> 
</p><p>choctaw.org</p><p> </p><p>eheng.co.kr</p><p> </p><p>redcondor.net</p><p> </p><p>transaircargo.com</p></td></tr><tr><td width="66"><p>October 21st 2019</p></td><td width="84"><p>RE: M.T. SWAN BALIC Q060005531 - 0611126</p></td><td width="198"><p>Sophos - Mal/DrodZp-A</p><p> </p><p>BitDefender - Trojan.SpamMalware-RAR.Gen</p><p> </p><p>McAfee - Artemis!C8BE2E68AE1F</p><p> </p><p>Kaspersky - HEUR:Trojan.Script.Generic</p><p> </p><p>Microsoft - Trojan:Win32/Conteban.B!ml</p><p> </p><p>GData - Trojan.SpamMalware-RAR.Gen</p><p> </p><p>Arcabit - Trojan.SpamMalware-RAR.Gen</p></td><td width="156"><p>"BALTIC SHIP SERVICES (S) PTE LTD" &lt;agency@balticgrp.com&gt;</p></td><td width="126"><p>ve1eur03ft004.eop-eur03.prod.protection.outlook.com</p><p> </p><p>balticgrp.com</p><p> </p><p>server15116.comalis.net</p><p> </p><p>am6p192ca0028.eurp192.prod.outlook.com</p><p> </p><p>srv3016.sd-france.ne</p></td></tr><tr><td width="66"><p>October 21st 2019</p></td><td width="84"><p>ARRIVAL NOTICE//MV OCEAN TRADER</p></td><td width="198"><p>TrendMicro - Trojan.X97M.CVE201711882.PVSGP</p><p> </p><p>Kaspersky - HEUR:Exploit.MSOffice.Generic</p><p> </p><p>ClamAV - Doc.Dropper.Agent-7343801-0</p><p> </p><p>Sophos - Exp/20180802-B</p><p> </p><p>ZoneAlarm - HEUR:Exploit.MSOffice.Generic</p></td><td width="156"><p>Andres Felipe Arias Jimenez (Oficina de Informatica) &lt;afarias@ideam.gov.co&gt;</p></td><td width="126"><p>ideam.gov.co</p></td></tr></tbody></table><p>In the above collections for MV Invicta, MV Eagle, MT Swan Balic and MV Ocean Trader we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain. The sender fields deserve a second look. In the Invicta and Eagle rows the display name (hmlx.co.kr; “Y.Jang- EH ENGI”, a name at the targeted EH Engineering itself) does not match the mailbox actually used (teramicro.co.kr, transaircargo.com), a display-name spoof that a mail filter can check for directly. In the Swan Balic and Ocean Trader rows the From address and a receiving domain belong to the same organization, which points to either a compromised mailbox or a forged From header; the SPF, DKIM and DMARC results recorded on the original message would tell the two apart.</p><p><a href="{{#staticFileLink}}3680037527,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3680037527,RESIZE_710x{{/staticFileLink}}" width="320" height="349" alt="3680037527?profile=RESIZE_710x" /></a></p><table width="100%"><tbody><tr><td><p><em>Figure 3. 
Marine Traffic results for M/V Invicta</em></p></td></tr></tbody></table><p>MV Invicta is an actual container ship operating under the flag of the Marshall Islands, located in the Pacific Ocean. Analysis reveals that an email was sent to dwchem.co.kr. This domain is registered to Dongwoo Fine-Chem Co., located in South Korea, a developer and manufacturer of semiconductor chemicals. The company produces hydrogen peroxide, sulphuric acid and other chemicals used in the cleaning and etching steps of semiconductor manufacturing. The attachment sent to Dongwoo is detected as Exploit.Rtf.CVE2012-0158<a href="#_ftn1">[1]</a>: an RTF document crafted to exploit CVE-2012-0158, a long-patched buffer overflow in the MSCOMCTL ActiveX control used by Microsoft Office, so it only succeeds on a machine that is still missing that update. The subject line of the malicious email is: “<strong>ARRIVAL NOTICE // MINH DUC // M/V INVICTA 002S ETA 18 OCT</strong>”.</p><p><a href="{{#staticFileLink}}3680041202,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3680041202,RESIZE_710x{{/staticFileLink}}" width="548" height="225" alt="3680041202?profile=RESIZE_710x" /></a>An unsuspecting employee at Dongwoo Fine-Chem would see an email with this subject line, apparently from a legitimate container ship, the MV INVICTA, and might open it to read the details of the ship’s apparent arrival. If the attachment is opened on an unpatched machine, the chemical company becomes an infected member of the maritime supply chain and can in turn pass additional malware to vessels, port facilities and shore companies in the marine and oil and gas supply chain.</p><p> <a href="{{#staticFileLink}}3680043186,RESIZE_1200x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}3680043186,RESIZE_710x{{/staticFileLink}}" width="686" height="310" alt="3680043186?profile=RESIZE_710x" /></a></p><table width="100%"><tbody><tr><td><p><em>Figure 4. 
MV Eagle info from Marinetraffic.com</em></p></td></tr></tbody></table><p>In the second example, we see a subject line of: “<strong>Urgent Quotation No.:23611472 :REQUISITION 047ENG/110/19- M/V Eagle</strong>”. The intended target was EH Engineering Co. in South Korea. The MV Eagle is a real Norwegian flagged cruise ship and EH Engineering Co. is a legitimate engineering company specializing in engineering solutions for the maritime industry. At first glance, an employee at EH Engineering sees a vessel sending an urgent requisition for quotation, the normal way ship supplies and repairs are sourced. This could mean a business opportunity and would likely entice an unsuspecting employee to open the attachment, which Kaspersky detects as HEUR:Exploit.RTF.CVE-2017-11882.gen, an RTF document exploiting CVE-2017-11882, the memory corruption flaw in the Microsoft Office Equation Editor. The lure is reinforced by the display name “Y.Jang- EH ENGI”, which presents the sender as a colleague at EH Engineering, while the mailbox actually used is tacdmk4@transaircargo.com.</p><p>Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first line of defense by stopping deceptive messages before they reach staff inboxes, but attackers develop new techniques to evade current detection daily. Preemptive information from the Wapack Labs RedXray diagnostic tool, our Vessel Impersonation reports and our Maritime Black Lists offers a proactive way to stop cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their guard and follow the spoofed email obediently. Analysts are beginning to see maritime-specific examples of these attacks. 
A recent incident in the Gulf of Guinea saw cyber criminals send spoof emails requesting a cargo manifest, with a view to possibly attacking the vessel and targeting the containers with the highest-value contents. </p><p>The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.<a href="#_ftn2">[2]</a></p><p>It is imperative to:</p><ul><li>Train all levels of the marine supply chain to realize they are under constant cyber-attack.</li><li>Emphasize maintaining constant attention to the real-world consequences of careless cyber practices or general inattentiveness.</li><li>Provide practical guidance on how to identify a potential phishing attempt.</li><li>Verify unexpected emails and supply chain correspondence through a separate channel, such as a known phone number or an address already on file, rather than by replying to the message.</li><li>Use Wapack Labs RedXray proactive support, our Vessel impersonation information and the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.</li></ul><p><strong> </strong></p><p><strong>About Wapack Labs </strong></p><p>Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. 
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.</p><p> </p><p><a href="#_ftnref1">[1]</a><a href="https://www.virustotal.com/gui/file/509db5337a1e95bf43d05c8342aa58520d41e56bf255ceffdba9ff82b9c498d5/detection">https://www.virustotal.com/gui/file/509db5337a1e95bf43d05c8342aa58520d41e56bf255ceffdba9ff82b9c498d5/detection</a></p><p><a href="#_ftnref2">[2]</a> <a href="https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444">https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444</a></p></div>
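The triage checks that recur through these reports, as an added example in Python that is not Wapack Labs or Red Sky Alliance code: the vessel keyword prefixes from the Significant Vessel Key Words tables, the display-name versus mailbox mismatch visible in the Sending Email column of each Table 1, and the RTF, Office macro and RAR carriers behind the listed detections. The sample messages are constructed from the subject lines and From fields shown in the tables above; the recipient address, attachment names and attachment bytes are placeholders, and the KNOWN_IMPERSONATED set and RISKY_EXT list are assumptions drawn from the reports rather than any published blacklist.

```python
"""Triage checks for vessel-impersonation lures: vessel keyword prefixes in
the subject, display-name spoofing in the From header, Office/RTF/RAR
attachments. Added example, not Wapack Labs / Red Sky Alliance code."""
import base64
import os
import re
from email import message_from_string

# Prefixes from the "Significant Vessel Key Words" table, matched case-
# sensitively (lures capitalise them; a case-insensitive "MY" would fire on
# the word "my"). Group 1 takes up to three capitalised words after the
# prefix as the vessel name, stopping at voyage numbers and punctuation.
VESSEL_KEYWORD = re.compile(
    r"(?<![A-Za-z0-9])(?:M[./]?[VTY]\.?|R/?V|VLCC|ULCC|FPSO)\s+"
    r"([A-Z][A-Za-z-]*(?![A-Za-z0-9])(?:\s+[A-Z][A-Za-z-]*(?![A-Za-z0-9])){0,2})")
# Assumed watch-list: vessels the reports name, normalised like vessel_in_subject().
KNOWN_IMPERSONATED = {"SERIANA", "TOROS M", "ELEANNA", "TASMANIC WINTER",
                      "INVICTA", "EAGLE", "SWAN BALIC", "OCEAN TRADER"}
# Assumed starting set of carrier types behind the detections in the tables.
RISKY_EXT = {".rtf", ".doc", ".docm", ".xls", ".xlsm", ".rar", ".zip"}

FROM_RE = re.compile(r"^\s*(.*?)\s*<([^<>]+)>\s*$")
ADDR_IN_NAME = re.compile(r"@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
BARE_DOMAIN = re.compile(
    r"(?<![A-Za-z0-9.@-])[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,4}(?![A-Za-z0-9.-])")


def vessel_in_subject(subject):
    """Normalised vessel name the subject line names, or None."""
    m = VESSEL_KEYWORD.search(subject)
    if not m:
        return None
    return re.sub(r"[^A-Z0-9]+", " ", m.group(1).upper()).strip()


def split_from(value):
    """(display name, lowercased addr-spec) from a raw From header. Not
    email.utils.parseaddr: junk such as 'HUMANE>hmlx.co.kr' ahead of the
    angle-addr makes parseaddr return the wrong mailbox."""
    m = FROM_RE.match(value)
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip().lower()
    return "", value.strip().lower()


def display_name_mismatch(display, addr):
    """Domains the display name advertises that differ from the sender's real
    domain: anything after an '@', or a bare lowercase domain (heuristic)."""
    real = addr.rpartition("@")[2]
    hinted = {d.lower() for d in ADDR_IN_NAME.findall(display)}
    hinted |= set(BARE_DOMAIN.findall(display))
    return sorted(d for d in hinted if d != real)


def risky_attachments(msg):
    """File names of MIME parts whose extension is in RISKY_EXT."""
    names = [part.get_filename() or "" for part in msg.walk()]
    return [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXT]


def triage(raw):
    """Parse one raw message; return vessel, real sender and hold reasons."""
    msg = message_from_string(raw)   # compat32 policy: headers kept verbatim
    reasons = []
    vessel = vessel_in_subject(msg.get("Subject", ""))
    if vessel:
        reasons.append(f"subject names vessel {vessel}")
        if vessel in KNOWN_IMPERSONATED:
            reasons.append("vessel is on the impersonation list")
    display, addr = split_from(msg.get("From", ""))
    for dom in display_name_mismatch(display, addr):
        reasons.append(f"display name advertises {dom}, sender is {addr}")
    for name in risky_attachments(msg):
        reasons.append(f"risky attachment {name}")
    return {"vessel": vessel, "sender": addr, "reasons": reasons}


def build_raw(from_, subject, attachment=None):
    """Assemble a minimal RFC 5322 message (constructed test input only)."""
    head = f"From: {from_}\nTo: ops@example.com\nSubject: {subject}\n"
    if attachment is None:
        return head + "\nPlease see below.\n"
    name, data = attachment
    return (head + 'Content-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nPlease see attached.\n"
            "--b1\nContent-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{name}"\n'
            "Content-Transfer-Encoding: base64\n\n"
            + base64.b64encode(data).decode() + "\n--b1--\n")


# Subjects and From fields copied from Table 1; the rest are placeholders.
SAMPLES = {
    "eleanna": build_raw('"smugica@smprevencio.com" <sales1@microcomm.com.sg>',
                         "Delivered: Re: M/T Eleanna", ("Delivery.doc", b"dummy")),
    "invicta": build_raw("HUMANE>hmlx.co.kr <bjh@teramicro.co.kr>",
                         "ARRIVAL NOTICE // MINH DUC // M/V INVICTA 002S ETA 18 OCT",
                         ("Arrival Notice.rtf", b"{\\rtf1 dummy}")),
    "benign": build_raw('"Port Agent" <agent@example.com>',
                        "MV Example Star berthing prospects"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

Run directly, it prints the triage result for each sample. The benign control shows why a vessel prefix alone should only raise a score rather than block: legitimate port correspondence uses the same conventions. The bare-domain heuristic in display_name_mismatch deliberately matches only lowercase domains so that a name such as Y.Jang is not mistaken for a hostname; a production filter would instead compare the display name against a list of its own and its partners' domains, and would read the SPF, DKIM and DMARC results from the Authentication-Results header to separate forged From headers from compromised mailboxes.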