Dryad and RedSkyAlliance monitor attempted attacks within the maritime sector. The partners examine how email is used to deceive the recipient and potentially expose the target organisations.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate parts of this process for efficiency.
It is critical to implement training for all employees to help identify malicious emails/attachments. This is still the major attack vector for attackers looking to attack a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies
Dryad Global notes.
Recently, the partners observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Soho Trader” among others. Red Sky Alliance has been monitoring a continuous campaign in which threat actors are impersonating the Mediterranean Shipping Company (MSC) while spreading Dridex malware through malicious email attachments. The attackers are re-using TTP’s to target numerous different targets around the globe in a variety of industries.
Beginning at the end of January, analysts began observing these malicious emails and since then have continued to see the same tactics used multiple times. While it appears, the attackers are spoofing MSC employees at this time, analysts are also monitoring for any malicious emails which appear to be sent by an MSC account which has been taken over
The most recent emails follow the exact same patterns analysts have observed since January. These attackers will impersonate MSC employees which do not exist, according to open-source data. They continue to use dozens of unique aliases but not one of the sending emails is seen in open source; indicating that the attackers are using alias names. However, they appear to be using the proper sending email format ([email protected][.]com) which shows they have done some measure of reconnaissance on the company.
Commonalities between these emails remain the same:
- All senders impersonate employees or departments at Mediterranean Shipping Company.
- The emails are disguised as invoices or payment notifications (many of them “overdue” to create a sense of urgency in the target).
- The subject lines have a date at the end (mm/dd/yyyy)
- All messages contain a malicious .xlsm file attachment.
- There are two message bodies used, one just says “redacted” and the other is a description of account charges.
- The attachment contains Dridex
The malicious email attachment titled “Statement_as_of_(DD_MMM_YYY).xlsm” is also an updated version of the file reported in last week’s maritime report (WR-21-032-006). Note the .xlsm file extension. This indicates that the spreadsheet will open in Excel with Macros enabled (used to activate the malware).
See also: Latest maritime cyber security and threats
See also: The latest maritime cyber security threats
