

Ethical Hacking News

Hacker Exploits Freight Industry to Steal Millions: A Threat to Global Supply Chains



Hackers are exploiting vulnerabilities in the global supply chain to steal valuable cargo shipments by using Remote Monitoring and Management (RMM) tools. According to an email security firm, Proofpoint, nearly two dozen campaigns have been recorded since August 2023, each sending up to a thousand messages. The attackers target freight brokers and trucking carriers with malicious links and emails that deploy RMMs like NetSupport, ScreenConnect, and LogMeIn Resolve. This attack is part of a larger threat to global supply chains, highlighting the need for companies to take precautions to protect themselves from becoming the next victim of a cargo theft attack.



Hackers are taking advantage of a vulnerability in the global supply chain by using Remote Monitoring and Management (RMM) tools to breach freight companies and steal valuable cargo shipments. According to an email security firm, Proofpoint, hackers have been targeting freight brokers and trucking carriers with malicious links and emails that deploy RMMs like NetSupport, ScreenConnect, and LogMeIn Resolve. These tools allow the attackers to gain remote access to the compromised systems, manipulate bookings, block notifications, and even add new devices to the dispatcher's phone extension.

The attacks, which started in January 2022, are becoming increasingly sophisticated, with nearly two dozen campaigns recorded since August 2023, each sending up to a thousand messages. The targets are primarily North American entities, but Proofpoint has also observed similar activity in Brazil, Mexico, India, Germany, Chile, and South Africa.

The hackers use compromised accounts for load boards to post fraudulent freight listings, or breach broker and dispatcher email accounts, and then hijack email threads to lead victims to a malicious URL. Once the RMM tool is installed, the attackers can control the compromised machine and modify bookings, block dispatcher notifications, add their own devices to the dispatcher's phone extension, and book loads under the compromised carrier's identity.

These attacks are becoming more popular, with hackers exploiting gaps in the digital segment of the supply chain that helps companies move goods more efficiently. The cargo theft involves stealing commercial shipments by hijacking trucks or trailers in transit, by re-routing them, or by impersonating legitimate carriers. The stolen cargo, which includes commodities such as food, beverages, and electronics, is physically intercepted or rerouted and later sold online or shipped overseas.

The National Insurance Crime Bureau (NICB) estimates that cargo theft losses in the U.S. are $35 billion annually. Cybercriminals focus on exploiting this gap in the supply chain to steal valuable goods. The attackers' primary goal is to install RMM tools like ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve on the target companies' systems, which give them full remote control, reconnaissance, and credential harvesting capabilities.

To achieve this goal, hackers use social engineering tactics, such as tailoring messages for urgent load negotiations and exploiting trust in load packets, showing knowledge of how the freight industry operates. They also use convincing carrier branding to make the external pages appear legitimate, leading victims to download executables or installer MSI files that install an RMM tool.

By means of these tools, which are often used in tandem with other malware, attackers can conduct system and network reconnaissance and deploy credential harvesting tools such as WebBrowserPassView. The researchers also observe that the hackers "are working with organized crime groups to compromise entities in the surface transportation industry" and hijack cargo freight.

One carrier company targeted in such attacks explains that the hackers tricked their dispatcher into installing an RMM tool and took control of their account. The attacker deleted every booking email, blocked notifications, and added their device to the dispatcher's phone extension, allowing them to impersonate the victim company and talk directly to brokers.

The attackers use this tactic to steal valuable cargo shipments, including food, beverages, and electronics, which are then physically intercepted or rerouted and later sold online or shipped overseas. While Proofpoint has observed RMM tools being used in these attacks, it also notes that information stealers such as NetSupport, DanaBot, Lumma Stealer, and StealC were deployed in related activities, although attribution to specific clusters was not possible.

To mitigate this threat, security experts recommend restricting the installation of unapproved RMM tools, monitoring network activity, and blocking .EXE and .MSI file attachments at the email gateway level. By taking these precautions, companies can protect themselves from becoming the next victim of a cargo theft attack orchestrated by hackers using RMM tools.
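The gateway-level attachment block recommended above can be sketched as follows. This is an added example, not code from Proofpoint or from the article: it flags attachments by extension and also by file signature, so a renamed installer is still caught. The function names, sample addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".msi")
# File signatures: PE executables start with "MZ". MSI packages are OLE
# compound files, a container also used by legacy Office documents, so a
# signature-only hit means "possibly MSI" and is labelled that way.
MAGIC = {
    b"MZ": "PE executable",
    bytes.fromhex("d0cf11e0a1b11ae1"): "OLE compound file (possibly MSI)",
}

def blocked_attachments(raw: bytes):
    """Return [(filename, reason)] for parts the gateway should block."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():          # walk() also reaches nested parts
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and part.get_content_maintype() == "text":
            continue                 # plain message body, not an attachment
        name = (name or "").strip()
        # Trailing dots/spaces are ignored by Windows, so strip them first.
        if name.lower().rstrip(". ").endswith(BLOCKED_EXT):
            hits.append((name, "blocked extension"))
            continue
        data = part.get_payload(decode=True) or b""
        for sig, kind in MAGIC.items():
            if data.startswith(sig):
                hits.append((name, "content is " + kind))
                break
    return hits

def sample_message(filename: str, payload: bytes) -> bytes:
    """Build a constructed test e-mail with one attachment."""
    m = EmailMessage()
    m["From"] = "dispatch@carrier.example"   # constructed address
    m["To"] = "broker@broker.example"        # constructed address
    m["Subject"] = "RE: Load packet"
    m.set_content("Rate confirmation attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn, body in [("Setup.MSI", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
                     ("load_packet.pdf", b"MZ\x90\x00"),
                     ("ratecon.pdf", b"%PDF-1.7\n")]:
        print(fn, blocked_attachments(sample_message(fn, body)))
```

Because the campaigns described here mostly deliver installers through links rather than attachments, a check like this complements, and does not replace, the restriction on unapproved RMM installs.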



Related Information:

  • https://www.ethicalhackingnews.com/articles/Hacker-Exploits-Freight-Industry-to-Steal-Millions-A-Threat-to-Global-Supply-Chains-ehn.shtml

  • Published: Mon Nov 3 19:36:54 2025 by llama3.2 3B Q4_K_M












