This week Red Sky Alliance observed a spike in vessel impersonation traffic attempting to deliver a single malware strain: MSOffice/CVE_2017_11882.A!exploit.
In the above collections for MV Da Tong Yun and MT Mina Deniz we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain.
MV Da Tong Yun is a General Cargo Vessel under the Hong Kong flag. Analysis reveals that a malicious email was sent to an unreported domain with a subject line of: “MV DA TONG YUN VOY 40 /Request of PDA” and an attachment identified by Fortinet as the MSOffice/CVE_2017_11882.A!exploit malware [1].
An unsuspecting employee receiving this email would see nothing out of the ordinary in the subject line, which may lead them to open the email. The body of the message entices the recipient to open the attached document, which would trigger malware delivery. Opening an infected email could make the recipient an infected member of the maritime supply chain and thus possibly infect vessels, port facilities, shore companies, and/or other organizations in the maritime supply chain with additional malware.
In other examples, we see variations of the subject line, such as “MT "MINA DENIZ" - AGENCY APPOINTMENT”. The MT MINA DENIZ is an oil/chemical tanker under the Marshall Islands flag, currently en route to the port of Fos-sur-Mer, France. These emails would likely appear legitimate and entice the recipient to open the attached document, thus triggering the malware.
The MSOffice/CVE_2017_11882.A!exploit malware is designed to exploit a vulnerability in Microsoft Office products to launch itself, without the user's knowledge or authorization, when an infected document is simply opened. The malware also has the capability to download additional malware from an attacker-controlled Internet site to steal information such as banking details or login credentials.
In the contents of the email using the subject line “MT "MINA DENIZ" - AGENCY APPOINTMENT” we see the author of the malicious email enticing the recipient to open an attachment. Doing so could trigger installation of the attached malware. The email “importance” flag is set to High, which usually causes email client software to display a visual indicator telling the user it is a high-priority message. The email also uses some maritime terms, such as “q88” and “proforma DA”, to bolster its legitimacy.
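The indicators described above (a watchlisted vessel name in the subject, the Importance flag set to High, an Office attachment carrying an Equation Editor object) can be turned into a simple mail-triage check. This is an added example, not Red Sky Alliance code; the watchlist is seeded with the two vessel names from this report, the sample messages are constructed in memory, and the Equation Editor string match is a coarse heuristic, not a substitute for an antivirus verdict.

```python
"""Triage heuristics for vessel-impersonation phishing (added example, not Red Sky Alliance code)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Vessel names from this report's own examples; a deployment would load the Maritime Watchlist CSV.
VESSEL_WATCHLIST = {"DA TONG YUN", "MINA DENIZ"}
OFFICE_EXTS = (".doc", ".docx", ".rtf", ".xls", ".xlsx")
# Matches 'MV NAME VOY 40 /...' and 'MT "NAME" - ...': vessel prefix, optional quotes, name, separator.
VESSEL_PREFIX = re.compile(r'\b(?:MV|MT|M/V|M/T)\s+"?([A-Z][A-Z0-9 ]+?)"?\s*(?:VOY|-|/|$)', re.I)


def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message on the indicators described in the report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    indicators = []
    match = VESSEL_PREFIX.search(subject)
    vessel = match.group(1).strip().upper() if match else None
    if vessel in VESSEL_WATCHLIST:
        indicators.append(f"subject names watchlisted vessel {vessel}")
    if msg.get("Importance", "").lower() == "high" or msg.get("X-Priority", "").startswith("1"):
        indicators.append("importance flag set to High")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXTS):
            indicators.append(f"Office attachment {name}")
            payload = part.get_payload(decode=True) or b""
            # Heuristic: CVE-2017-11882 lure documents carry an embedded Equation Editor object.
            if b"equation" in payload.lower():
                indicators.append("attachment references an Equation Editor object")
    return {"subject": subject, "vessel": vessel, "indicators": indicators, "score": len(indicators)}


def build_sample(subject: str, attach_name: str, payload: bytes, high: bool) -> bytes:
    """Build a constructed test message in memory (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "ops@example.invalid"
    msg["To"] = "agency@example.invalid"
    msg["Subject"] = subject
    if high:
        msg["Importance"] = "High"
    msg.set_content("Please find attached the proforma DA and q88 for your review.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample('MT "MINA DENIZ" - AGENCY APPOINTMENT', "DA.doc", b"\xd0\xcf\x11\xe0Equation Native", True)
    print(triage(lure))
```

A score of 3 or more on a real mail stream is a reasonable threshold for quarantining the message and verifying the request with the agent by phone, as recommended below.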
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Used together with preemptive information from the Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution for stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures. [2]
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.
Link to full report: TR-19-353-002_Vessel_Impersonation.pdf
Link to 12 19 2019 Maritime Watchlist: TR-19-353-001_20191219_maritime_watchlist.csv
Link to Top 5 Maritime Watchlist Indicators: WR-19-353-001_Top_5_Watchlist_Results.pdf
[1] https://virustotal.com/en/file/e2ddaf4b7dcc9bcaf0875cf4299026c43567f866c02d105a76fe20b361ef94f6/analysis/
[2] https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444