Nettitude Blog

Is Email Putting Marine and Offshore Organisations at Risk?

Posted by Nettitude on Sep 20, 2019 3:30:26 PM

By Joel Snape, Senior Threat Researcher at Nettitude

Sometimes it feels like everything runs on email. We all know we get far too many each day, and crucial information is constantly being sent back and forth between individuals and companies. It has become so common that we often don’t stop to question whether it is the most effective way of carrying out a task, or whether it is exposing us to harm. One area in which email seemingly cannot be escaped is communication with port authorities; this could be anything from arrival notifications to requests for bunkering, ballast discharge or diving. Although online reporting systems such as the CERS portal do exist, in many cases vessels still have to fill in a Word form or Excel spreadsheet and email it to the relevant authority. They may then also have to respond to follow-up questions, or receive more paperwork to fill out.

In the world of physical safety, it is well known that safe working practices must become a habit - for example, PPE must always be worn. When that habit is not enforced, people fall back to whatever is easiest or quickest without fully assessing the risk that their actions might pose. The same is true of people’s use of computers. While security awareness training is important and can help users to understand the ways in which criminals operate, the situation is a little different for those who receive emails and open attachments on a daily basis. When we carry out repetitive actions, we become habituated to the situation and tend to respond in the same way each time. Our threshold for noticing things that look a little ‘off’ becomes higher if the message broadly fits our internal narrative of what we are expecting to receive.

Criminals know this, and Nettitude tracks the ways in which they have been attempting to leverage common scenarios where the maritime industry shares information by email. We have uncovered an ongoing campaign which imitates the routine messages sent between ships, agents and ports in order to trick users into opening malicious documents. The group used many different forms of fake document, although the most common was a notice of arrival of a vessel, with arrival forms attached. There was even one example where the spoofed email appeared to come from the IMO, pretending to be carrying out a survey on cyber security in the maritime industry!

Figure 1: An example arrival notice email (left), and sample document (right) - in this case it is pretending to be a cyber security questionnaire from the IMO. (NB. the association with Cosco is completely spoofed).

In this campaign, the documents were Rich Text Format (RTF) files, which open in Microsoft Word and attempt to exploit a vulnerability discovered in 2017. Once the exploit succeeds, the malicious document downloads and installs a variant of the ‘Hawkeye Reborn’ keylogger, a type of malware that scrapes sensitive information and passwords from the infected machine (e.g. passwords saved in the browser, or email accounts configured in Outlook).

The malware sends these back to the attackers using emails to users at domains the attackers have created, designed to look like they belong to legitimate maritime-related companies:

Malicious domain | Likely impersonated company
--- | ---
tellaurus[.]net | Telaurus Communications (now Globecomm Maritime)
nedai[.]net | Neda Maritime Agency (Greece)
championtankers[.]com | Champion Tankers (Norway)
cofcoainternational[.]com | Cosco International (Hong Kong)
marmedsaa[.]com | Marmedsa shipping agency (part of Noatum) (Spain)
meadwaysshipping[.]com | Meadway Shipping (Greece)
oceantrendcarrier[.]com | Ocean Trend Carriers (Gibraltar)
omicronships[.]com | Omicron Ship Management (Greece)
penavicohhn[.]com | Hainan Fanyu Foreign Wheel Agency Co., Ltd. (China)
penavicot[.]com | Penavico Shenzhen Logistics Ltd. (China)
premiummaritime[.]com | Premium Maritime S.A. (Greece)
roxanashiping[.]com | Roxana Shipping S.A. (Greece)
seaposvcs[.]com | Seaport Services Pvt Ltd. (India)
sunbeamlogistic[.]com | Sunbeam Logistics (India)
goshipg[.]com | Go Shipping (Greece)
gulfagancys[.]com | Gulf Agency Services (Djibouti)
bulkshiping[.]com | Bulk Shipping (Pakistan)
brise-chartering[.]com | Briese Chartering (Germany)
seacon-dz[.]com | La SARL SEACOM
age-line[.]cf | AGE-LINES Co. Ltd (Vietnam)
age-lines[.]cf | AGE-LINES Co. Ltd (Vietnam)
firstcoast[.]cf | FirstCoast Maritime Academy (USA)
gpl-sg[.]ml | Genshipping Pacific Line (Singapore)
nsuship[.]cf | NS United Shipping
chunweshipping[.]com | China Shipping
vpnet[.]cf | Vostochny Port (Russia)
tonglishippingpte[.]cf | Tongli Shipping (China)

Table 1A: Subset of malicious domains registered by the attackers, aiming to impersonate legitimate companies.

Using domains that resemble legitimate maritime companies is most likely an attempt to evade detection by network monitoring, since outbound mail to such domains blends in with normal business traffic. Once the attacker has obtained passwords from victim organisations, they can be used to access company networks, email accounts and so on, and depending on the attacker’s motivation could be used to mount further attacks, deploy ransomware or gain access to sensitive information. For a full, in-depth description of how the malware operates, see our post on Nettitude Labs and take a look at our full research report on this attack.
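One way to turn Table 1A into a detection, as an added example that is not part of the original post: scan outbound mail delivery logs for recipients at the known attacker domains, and also for domains that are a near miss of the partners you genuinely correspond with. The defanged list is a subset of the table; the trusted partner list, the Postfix-style log lines and the triage function are constructed for illustration.

```python
import re
# Subset of attacker-registered domains from Table 1A, kept defanged as in the article.
TABLE_1A_DEFANGED = ["tellaurus[.]net", "nedai[.]net", "championtankers[.]com",
                     "roxanashiping[.]com", "bulkshiping[.]com", "age-lines[.]cf"]
# Constructed watchlist of partner domains an operator legitimately mails (hypothetical:
# the real domains of the impersonated companies are not given in the article).
TRUSTED_PARTNERS = ["roxanashipping.com", "bulkshipping.com", "championtankers.no"]

def refang(domain):
    return domain.replace("[.]", ".").strip().lower()

KNOWN_BAD = {refang(d) for d in TABLE_1A_DEFANGED}

def edit_distance(a, b):
    """Levenshtein distance, computed one dynamic-programming row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_PARTNERS, max_dist=2):
    """Trusted domain whose first label this one imitates (TLD swap or a
    one-to-two-character edit), or None if the domain is trusted or unrelated."""
    if domain in trusted:
        return None
    label = domain.split(".")[0]
    return next((t for t in trusted
                 if edit_distance(label, t.split(".")[0]) <= max_dist), None)

_TO = re.compile(r"to=<[^@>]+@([^>]+)>")  # recipient domain in a Postfix delivery line

def triage(log_lines):
    """Flag outbound deliveries to known-bad or lookalike recipient domains."""
    hits = []
    for raw in _TO.findall("\n".join(log_lines)):
        domain = refang(raw)
        if domain in KNOWN_BAD:
            hits.append((domain, "known-bad (Table 1A)"))
        elif (target := lookalike_of(domain)):
            hits.append((domain, "lookalike of " + target))
    return hits

# Constructed Postfix-style log lines (not real traffic).
SAMPLE_LOG = [
    "Sep 20 14:02:11 mx postfix/smtp[311]: 7A1: to=<ops@roxanashipping.com>, status=sent",
    "Sep 20 14:02:15 mx postfix/smtp[311]: 7A2: to=<box@tellaurus.net>, status=sent",
    "Sep 20 14:02:19 mx postfix/smtp[311]: 7A3: to=<agent@championtanker.com>, status=sent",
]
```

Running `triage(SAMPLE_LOG)` flags the second and third deliveries and leaves the genuine partner alone; the same check applied to SMTP destinations seen at the network edge catches Hawkeye’s exfiltration mail even when it does not pass through the corporate mail relay.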

Figure 2: Hawkeye for sale on a well-known hacking forum

This is a relatively unsophisticated threat using commodity ‘off-the-shelf’ malware, but is an indication of the awareness that cyber threat-actors have of the maritime industry. Given that these sorts of attacks are ongoing, it is important to take steps to protect yourself against them:

  • Move away from sending documents via email to providing information online where possible.
  • Implement strong email defences - consider installing a mail filtering system and blocking emails containing features your business doesn’t need (for example, macro-enabled Office documents).
  • Make sure security updates are promptly applied to systems that deal with data or messages from untrusted sources (e.g. emails, files etc.).
  • Monitor networks to detect anomalous or malicious traffic, and systems to detect unusual access or data access.
  • Provide security awareness training for staff who send and receive emails.
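The second recommendation in practice, as an added example that is not code from the original post: a mail-filter check that classifies attachments by their leading bytes rather than by the filename or declared MIME type, so an RTF lure of the kind described above is caught whatever it is called, and macro-enabled Office files are recognised by the VBA project inside the container. The blocked-type policy and the arrival-notice sample message are constructed for illustration.

```python
import email, io, zipfile
from email.message import EmailMessage

def classify_attachment(data):
    """Classify by content bytes, since a sender chooses the filename and MIME type."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"  # legacy binary Office container (.doc/.xls)
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "ooxml-macro"  # macro-enabled Word/Excel/PowerPoint
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "other"

# Hypothetical policy: attachment types this business does not need by email.
BLOCKED = {"rtf", "ooxml-macro"}

def check_message(raw):
    """Return ("block"|"allow", [(filename, type), ...]) for an RFC 822 message."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.get_filename():
            findings.append((part.get_filename(),
                             classify_attachment(part.get_payload(decode=True) or b"")))
    verdict = "block" if any(k in BLOCKED for _, k in findings) else "allow"
    return verdict, findings

def make_ooxml(macro=False):
    """Constructed minimal OOXML container (not a real document) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

def build_lure():
    """Constructed arrival-notice lure: RTF bytes sent under a .doc filename."""
    msg = EmailMessage()
    msg["Subject"] = "Notice of arrival - MV EXAMPLE"
    msg.set_content("Please complete the attached arrival forms.")
    msg.add_attachment(b"{\\rtf1\\ansi Arrival form }", maintype="application",
                       subtype="msword", filename="Arrival_Forms.doc")
    return msg.as_bytes()
```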

Nettitude, part of the Lloyd’s Register Group, provides a range of services to the maritime industry, from understanding the risks that are present in your environment, to proactive testing to find weak spots and security monitoring to detect and respond to attacks. Visit our website or contact us to learn more about how to protect your business from cyberthreats.
