[Photo: the vessel Kharis Pegasus]

Red Sky Alliance monthly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, ports and the entire Transportation Supply Chain.  Full report download available here.

 

 

Significant Vessel Key Words: [keyword graphic not reproduced in text]

Figure 1. Map displaying location of attacker domains

Figure 2. Map displaying location of victim domains

Figure 3. Distribution of attacker and target domains

Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. Full Table Attached.

Analysis

The five most common subject lines seen in our recent query are as follows:

  • Shipment & Container Tracking - Maersk-Info
  • RE: Air freight from EXW China
  • (PDA ENQUIRY)MV RMC - DISCHARGE ABT 52000MT +- 10% PETCOKE
  • PUSH INQUIRY FOR MV TRUMP SW
  • MV SEA DREAM / LOADING ALUMINA - AGENT NOMINATION

[Photo: the vessel Sevval]

There are several themes represented by the subject lines seen.  Specifically, we can see shipping and tracking notifications, freight notifications, proforma disbursement inquiries, and loading notifications.  These emails are seen to utilize common terminology to establish credibility.  This credibility can make for a solid lure.  In terms of the sending emails themselves, we can see impersonations of companies in many industries.  Notably, we see port groups associated with Singapore and Antwerp, port network operators, and transport companies.

In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels.  Some of the vessels being impersonated by these emails include the following:

  • Efendi Baba, which is a container ship that has not been in service since 2017
  • Kai Jie, which is a general cargo ship that is en route to HK CN and is currently sailing under the flag of Hong Kong
  • Kharis Pegasus (pictured at beginning of report), which is a general cargo ship en route to Hong Kong and is currently sailing under the flag of Korea
  • Trump SW, which is a bulk carrier en route to Cua Lo and is currently sailing under the flag of Panama
  • Sevval (pictured above), which is a general cargo ship en route to Volos, Greece and is currently sailing under the flag of Vanuatu.

As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name takes little more effort and lends the lure added credibility.

The top five most prevalent malware detections associated with these emails are as follows:

  • W32/MSIL_Kryptik.INW.gen!Eldorado – Cyren
  • Phishing.44391 - CAT-QuickHeal
  • MSIL/Kryptik.AHBB!tr – Fortinet
  • Gen:Variant.Lazy.272801 – FireEye
  • JS:Trojan.Cryxos.8250 - VIPRE

MSIL variant trojans are among the most frequently spotted detections, much like previous months.  We have been seeing these trojan variants since 2018.  This family of trojans tends to manifest as software meant for stealing passwords from web browsers or logging keystrokes.  As we generally note, these emails are typically used to attempt the propagation of generic trojans like Gen:Variant.Lazy.272801.  We have been seeing trojans marked with the Gen:Variant.Lazy indicator for approximately one year, with a heavy detection rate during July of 2022.  We have only been seeing emails associated with HTML.Phishing.44391 since early 2022.  HTML.Phishing variant trojans are often associated with browser manipulations that force redirects to malicious web pages.  We have been seeing Cryxos variant trojans in malicious emails for several years.  These types of trojans are typically associated with fraudulent messages displayed to users regarding browser “blockage”, attempting to get users to call fraudulent customer support lines.

Supply Chain Spoofing

By querying our data with numerous important supply chain keywords, we can also extract some more general supply chain related malicious emails.  The five most prevalent subject lines seen with a general supply chain focus are as follows:

  • Shipment Confirmation:Final Invoice,Packing List & BL Has arrived
  • DHL Shipping Document/Invoice Receipt
  • Re RE: Commercial Invoice And Packing List
  • QUOTE ATTACHED PURCHASE ORDER
  • Invoice

Much like the maritime related emails, we can see a number of themes emerge in the subject lines of these malicious emails.  Specifically, we can see requests for shipping confirmation, invoice notifications, purchase orders and packaging lists.  In terms of impersonation or spoofing, we can see obvious links to shipping companies like DHL, along with international logistics management providers, tool manufacturers, automotive logistics providers, freight forwarders, and even a Pennsylvania-based law firm.
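The opening paragraph describes the monthly query for MV/MT vessel references in subject lines, and this section describes the broader supply-chain keyword query. The triage filter below is an added example (not Red Sky Alliance's tooling) that runs both checks over constructed subject lines, including those quoted in this report; the regex, the term list and the sample negatives are assumptions of this example. The word-boundary check keeps weight figures such as "52000MT" (metric tons) from being read as a Motor Tanker prefix.

```python
import re

# MV (Motor Vessel) / MT (Motor Tanker) prefix followed by a vessel name.
# \b stops "52000MT" matching; the name must start with a capital or digit
# and runs lazily until a delimiter (- / , ( |) or the end of the subject.
VESSEL_RE = re.compile(
    r"\b(M[VT])\b\.?\s*([A-Z0-9][A-Za-z0-9&.' ]*?)(?=\s*(?:[-/,(|]|$))"
)

# Supply-chain lure terms drawn from the subject lines discussed in the report.
SUPPLY_CHAIN_TERMS = (
    "invoice", "packing list", "purchase order", "shipping document",
    "shipment confirmation", "bill of lading", "tracking", "agent nomination",
)


def extract_vessels(subject):
    """Return (prefix, name) pairs for each MV/MT vessel reference in a subject."""
    return [(p.upper(), n.strip()) for p, n in VESSEL_RE.findall(subject)]


def supply_chain_terms(subject):
    """Return the lure terms present in the subject, in SUPPLY_CHAIN_TERMS order."""
    lowered = subject.lower()
    return [t for t in SUPPLY_CHAIN_TERMS if t in lowered]


def triage(subject):
    """Classify a subject line as a maritime lure, a supply-chain lure, or neither."""
    vessels = extract_vessels(subject)
    terms = supply_chain_terms(subject)
    category = "maritime" if vessels else ("supply_chain" if terms else "none")
    return {"subject": subject, "category": category,
            "vessels": vessels, "terms": terms}


# Constructed sample set: subject lines quoted in the report plus two negatives.
SAMPLE_SUBJECTS = [
    "(PDA ENQUIRY)MV RMC - DISCHARGE ABT 52000MT +- 10% PETCOKE",
    "PUSH INQUIRY FOR MV TRUMP SW",
    "MV SEA DREAM / LOADING ALUMINA - AGENT NOMINATION",
    "Shipment Confirmation:Final Invoice,Packing List & BL Has arrived",
    "DHL Shipping Document/Invoice Receipt",
    "Re: 52000MT petcoke weight confirmed",  # constructed: tonnage, not a tanker
    "Team lunch on Friday",                  # constructed: benign
]

if __name__ == "__main__":
    for s in SAMPLE_SUBJECTS:
        r = triage(s)
        print(f"{r['category']:<13} {r['vessels'] or r['terms']}  {s}")
```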

Table 2: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Information extrapolated from the Subject Line. Full Table Attached.

The five most prevalent detections associated with these emails are as follows:

  • HEUR:Hoax.HTML.Phish.gen – Kaspersky
  • FishForm.408 – DrWeb
  • HTML.Doc – Ikarus
  • JS:Trojan.Cryxos.10614 – FireEye
  • Trojan.44094 - CAT-QuickHeal

As one might expect, we also see generic trojan types like Script.Trojan.44094 being propagated with these emails.  We have been seeing Script.Trojan variants in these emails since late 2021, but it is worth noting here that some of these variants will also be identified as Cryxos or HTML.Phishing variants depending on the provider.  We have been seeing HEUR:Hoax.HTML.Phish.gen detections since the latter half of 2020, with heavy detection rates in early 2021.  This detection is typically associated with phishing attacks, whereby an attacker attempts to obtain username and password information via fraudulent HTML.  The remaining detections listed are similar in nature to the HTML.Phishing class of trojans listed above.

Closing

These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails.  It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies.  Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.  With approximately 90% of products being shipped in the maritime related supply chain, this is a serious matter.

Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line.  These threats often carry a financial liability to one or all of those involved in the Transportation Supply Chain.  Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.

The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is important to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.

About Red Sky Alliance


Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending cyber-attacks.  Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.  All emails connected to the Transportation Supply Chain, including those referencing vessels, should be viewed with scrutiny.

Red Sky Alliance is in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  We have been tracking vessel impersonation for over 5 years.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

 

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989