- Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector.
- Here we continue to examine how email is used to deceive the recipient and potentially expose the target organizations.
- Red Sky Alliance, performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.
A recent news article published in the Dryad Global reveals about the
Email subject line
Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
Dryad with its cybersecurity partner provides a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.
Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Fooling with an infected email
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot.
Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day.
They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments.
This is still the major attack vector for attackers looking to attack a network.
These analytical results illustrate how a recipient could be fooled into opening an infected email.
They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies.
Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities, and/or shore companies in the marine, agricultural, and other industries with additional malware.
An example of a malicious mail
First Seen – Apr 04, 2021
Subject Line Used – MV SHENG LE C//DISCH CARGO AT MOROWALI & KENDARI PORT, INDO
Malware Detections – MSIL/Agensla.AYU!tr
Sending Email – “Amir Hossain” chenpeace@skyfile.com
Targets – electroputere.ro
Spoofing companies in maritime supply chain
Here, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain.
This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Ocean Chemist” and “MV Autai” among others.
What did the analysts observe?
This week, analysts observed attackers attempting to send malware to targets working for the government of Córdoba, Argentina.
Córdoba was once the home of Lockheed Martin Aircraft Argentina S. A. and is now the location of Argentina’s main aircraft manufacturer Argentine Aircraft Factory “Brigadier San Martín” S.A.
Notably, the attackers target recipients at both the “cba[.]gov[.]ar” and “cba[.]gob[.]ar” domains. Both of these domains are owned by the government of Córdoba.
In the past two months alone, these domains have over 2,200 CTAC hits indicating malicious email activity.
CTAC visualization data shows that these attacks have significantly increased in a short time span beginning in November 2020.
Why attackers target the shipping sector?
It is unclear why the attackers are targeting the province with a subject line referencing shipping. While webmail filters ID the email as spam, the subject line used to target multiple recipients is “FW: TT NO 013220150027 SHIPPING DOCUMENT.” It is also noteworthy that while the emails were sent to multiple unique targets, they appear to have been sent at the same time.
The message body of the emails is exactly the same with one exception. The greeting uses the first part of the email address so if the target uses a “Joseph.Smith@cba[.]gov[.]ar” email address, the greeting in the malicious email would be “Dear Joseph.Smith,”.
This indicates the attackers are likely using an automated tool to generate these malicious emails. It would also indicate the attackers are not reviewing these emails for errors before sending them.
Doubtful email signature
The email signature is relatively professional in appearance, but the company listed in the signature does not have a public-facing website.
The sender is also sending from a hanmail[.]net email address which is a generic Korean webmail provider (similar to Gmail, or Hotmail).
Attackers often use these types of accounts because they are more disposable than legitimate business email addresses.
At this time, it appears attackers are targeting the government of Córdoba for unknown reasons using malicious email subject lines related to shipping.
Often times spikes such as this indicate attackers targeting the company for a specific end goal such as exfiltration stolen sensitive data or activating ransomware for a profit.
Red Sky Alliance will continue to monitor this activity.
Did you subscribe to our daily newsletter?
It’s Free! Click here to Subscribe!
Source: Dryad Global
