Air Freight News

Inland rivers, ports and terminals: Phishing Emails

Aug 04, 2023

The maritime transportation sector has seen a very sudden rise in the number of phishing emails making it through security filters. Part of the problem is that many of the phishing emails are coming from known addresses that have been compromised through credential harvesting techniques. Please ask your staff to be continually cautious when receiving unexpected emails with links or attachments as these often allow further compromise. A quick phone call to the sender to verify can save a lot of time and money if the sender’s email was compromised. While the USCG does not regulate business, you are still encouraged to report suspicious emails to us through the NRC or Sector Command Center. This allows the Department of Homeland Security to track events and shut down operations before problems escalate into financial losses.

Please share this with your IT/Cyber Security teams so that they can be on the lookout for indicators of compromise.

As an update to the alert in late May about an APT group known as Volt Typhoon: This group is known to be associated with the People’s Republic of China. There is increased activity that indicates networks across all critical infrastructure could be potentially affected. This includes all industries associated with maritime transportation and energy/oil production.

Website Updates

The Coast Guard updated its maritime cybersecurity website. The updates reflect a better partnership with CISA and MARAD. It includes contact information for all the people in my role as an MTSS-C in case your company has facilities outside of Sector Upper Mississippi River. The updates include both facility and vessel resources. It also has links to the known indicators of compromise that your IT/Cybersecurity teams can use to find potential compromises on your networks. The website’s landing page is fairly large, but I think taking a few minutes to scroll through it might benefit your facilities.

___________________________________

Summary

First reported in March 2023 and starting again in early June 2023, maritime transportation system (MTS) stakeholders reported an increase in unblocked, bid-themed phishing emails received from compromised senders. The threat actor(s) behind these phishing campaigns are leveraging the same cloud-hosted collaboration service, Box[.]com, to host the embedded link and malicious content.

In a sandbox environment, execution of the embedded link opens to a Box webpage containing another embedded link which then directs the prospective victim to a Captcha and login landing page. The bid-themed emails have been received by users in MTS engineering, security, procurement, and other departments. In one case, MTS stakeholders received emails from different compromised senders, but the credential harvesting login page used to exfiltrate victim credentials was the same (see bolded item below).

If you are seeing threat activity related to this advisory, please contact the MTS-ISAC.

Identified Threat Activity Information

Phishing Domains

  • wld0pl[.]ilkinmet[.]com
  • newprojectbidding[.]s3.us-east-005[.]backblazeb2.com
  • adobemail-secondary[.]z13[.]web[.]core[.]windows[.]net

Recommended Actions

The following are some of the best practices to counter malicious email attacks:

  • Provide regular phishing awareness training to all employees; help them understand how to identify and report suspicious emails to the security team (including how to handle links & attachments). This is critical, as email security tools are often bypassed.
  • Consider implementing additional email security technologies/tools to detect and filter spam, phishing attacks, and potentially malicious attachments or links. Periodically review blocked emails as these can provide useful information related to attempted attacks.
  • As a best practice, do not respond to the sender of a suspicious email using email – even if the user is known. A compromised email account may be monitored by an adversary who may redirect the email and respond on behalf of the user. Use an alternate contact method, such as calling the sender.
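As an added example (not part of the advisory or any MTS-ISAC tooling), a small Python triage script an IT team could run over a suspicious message: it refangs the three domains listed above into matchable hostnames, pulls the link hosts out of the email body, and flags both a direct IoC hit and the bid-themed-lure-plus-collaboration-link pattern the Summary describes. The keyword list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Defanged phishing domains exactly as listed in the advisory above.
ADVISORY_DOMAINS = [
    "wld0pl[.]ilkinmet[.]com",
    "newprojectbidding[.]s3.us-east-005[.]backblazeb2.com",
    "adobemail-secondary[.]z13[.]web[.]core[.]windows[.]net",
]
# Lure traits from the advisory; this keyword list is a hypothetical starting point.
BID_KEYWORDS = ("bid", "rfp", "proposal", "tender")
COLLAB_HOST = "box.com"  # collaboration service the campaign used for its first hop
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

def refang(indicator: str) -> str:
    # 'a[.]b[.]com' -> 'a.b.com', so the published IoC can be matched against live URLs
    return indicator.replace("[.]", ".").lower()
BLOCKLIST = {refang(d) for d in ADVISORY_DOMAINS}

def host_matches(host: str, domain: str) -> bool:
    # exact or subdomain match: 'app.box.com' matches 'box.com'
    return host == domain or host.endswith("." + domain)

def link_hosts(raw_email: str) -> list[str]:
    # hostnames of every http(s) URL in the text/plain and text/html parts
    hosts = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            hosts += [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    return hosts

def triage(raw_email: str) -> dict:
    # two signals: a direct IoC hit, and the bid-lure-plus-collaboration-link pattern
    subject = (message_from_string(raw_email).get("Subject") or "").lower()
    hosts = link_hosts(raw_email)
    ioc_hits = sorted({h for h in hosts if any(host_matches(h, b) for b in BLOCKLIST)})
    bid_themed = any(re.search(rf"\b{k}\b", subject) for k in BID_KEYWORDS)
    collab_link = any(host_matches(h, COLLAB_HOST) for h in hosts)
    return {"ioc_hits": ioc_hits, "bid_lure_with_collab_link": bid_themed and collab_link}

# Constructed sample message, not a real capture; the share path is a placeholder.
SAMPLE_EMAIL = """\
From: known.vendor@example.com
Subject: Request for Bid - Project Documents
Content-Type: text/plain; charset=utf-8

Please review the bid package: https://app.box.com/s/PLACEHOLDER-SHARE-ID
Alternate copy: https://adobemail-secondary.z13.web.core.windows.net/login
"""
```

Calling `triage(SAMPLE_EMAIL)` reports the advisory domain as an IoC hit and also raises the lure-pattern flag, which is the signal that still fires once the actor rotates to a new credential-harvesting host.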

Please share suspicious activity with the MTS-ISAC for further analysis, trending, and reporting to the maritime community.

Conclusion

Please continue to use heightened awareness and contact the MTS-ISAC if there are questions or if your organization has similar activity to report: [email protected].
