RMM Tools Fuel Cyber-Enabled Cargo Theft in Logistics Sector


Cybercriminals are actively targeting the trucking and logistics industry to steal physical cargo, using legitimate remote monitoring and management (RMM) tools as the initial payload. The actors compromise freight systems, pose as legitimate carriers or brokers, and divert high-value shipments. This convergence of cyber intrusion and physical theft presents a significant risk to global supply chains and transportation infrastructure.

Severity: High

The Threat and Impact

  • Target: The campaign targets companies in the trucking and logistics industry.
  • Goal: The ultimate goal is financial gain through cargo freight hijacking (cyber-enabled cargo theft). The threat actors are assessed to be working with organized crime groups to compromise entities, bid on shipments, and then steal and sell the goods, often online or overseas.
  • Losses: Cargo theft is a multi-million-dollar criminal enterprise, with global losses estimated at $34 billion annually. Food and beverage products are the most frequently targeted commodities.

The Attack Chain

  1. Initial Access: The threat actors deliver legitimate Remote Monitoring and Management (RMM) or Remote Access Software (RAS) tools such as ScreenConnect, SimpleHelp, PDQ Connect, and LogMeIn Resolve to gain persistent remote control of a victim's machine. Because these are signed, commercially distributed tools, security products are less likely to flag them as malicious.
  2. Delivery Tactics:
    The RMM tools are typically delivered through three main social engineering tactics:
    • Compromising Load Boards: Posting fraudulent freight listings using compromised accounts and then sending carriers malicious URLs when they inquire about the loads.
    • Email Thread Hijacking: Injecting malicious content or URLs into existing business conversations using compromised email accounts.
    • Direct Email Campaigns: Launching spear-phishing emails directly at larger asset-based carriers, freight brokerage firms, and integrated supply chain providers.
  3. Post-Infection Activity: Once access is established, the attacker conducts system and network reconnaissance and deploys credential-harvesting tools (such as WebBrowserPassView, Lumma Stealer, and StealC) to steal additional credentials and burrow deeper into the network.
  4. Cargo Hijacking: The attackers use their fraudulent access to bid on real shipments, delete existing bookings, block dispatcher notifications, and coordinate the transport of the cargo under the compromised carrier’s name, effectively hijacking the physical goods.
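As an added example (not code from the Proofpoint report or from Ampcus Cyber), the Python below runs the detection a defender would want for steps 1 and 3 over constructed process-creation records. It flags remote-access binaries that are not running from the organization's sanctioned install path, remote-access binaries launched by a browser or mail client (the user-run download that the load-board and e-mail lures produce), and credential-harvesting tooling such as WebBrowserPassView, noting when it was spawned from a remote-access session. The log format, the approved ScreenConnect install directories, the executable-name patterns for the products named above, and every sample event are assumptions constructed for this example, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Remote-access products named in the advisory, matched case-insensitively
# against the image path and command line. The patterns are assumptions
# about how these products name their binaries, not IOCs from the report.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "PDQ Connect": re.compile(r"pdq[-_ ]?connect", re.I),
    "LogMeIn Resolve": re.compile(r"logmein|goto[-_ ]?resolve", re.I),
}

# Credential-harvesting tooling named in the post-infection stage.
STEALER_PATTERNS = {
    "WebBrowserPassView": re.compile(r"webbrowserpassview", re.I),
}

# Assumed policy: the only sanctioned RMM is ScreenConnect, installed by IT
# under Program Files. Any remote-access binary running elsewhere is unapproved.
APPROVED_RMM_DIRS = (
    r"c:\program files (x86)\screenconnect client",
    r"c:\program files\screenconnect client",
)

# A browser or mail client as parent means the user ran a download, which is
# how the fraudulent load postings and hijacked threads deliver the installer.
USER_DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    image: str
    parent_image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed tab-separated process-creation record."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}")
    return ProcEvent(*fields)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> list[str]:
    """Return the alert strings raised by one event (empty if benign)."""
    alerts = []
    image_l = ev.image.lower()
    parent = basename(ev.parent_image)
    for name, pat in RMM_PATTERNS.items():
        if pat.search(ev.image) or pat.search(ev.cmdline):
            if not any(image_l.startswith(d) for d in APPROVED_RMM_DIRS):
                alerts.append(f"unapproved RMM ({name}) running from {ev.image}")
            if parent in USER_DELIVERY_PARENTS:
                alerts.append(f"RMM ({name}) launched from {parent}: user-delivered install")
    for name, pat in STEALER_PATTERNS.items():
        if pat.search(ev.image) or pat.search(ev.cmdline):
            via = [n for n, p in RMM_PATTERNS.items() if p.search(ev.parent_image)]
            suffix = f", spawned from {via[0]} session" if via else ""
            alerts.append(f"credential harvesting tool ({name}) at {ev.image}{suffix}")
    return alerts


def scan(lines) -> list[tuple[ProcEvent, list[str]]]:
    """Return (event, alerts) for every event that raises at least one alert."""
    hits = []
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            alerts = classify(ev)
            if alerts:
                hits.append((ev, alerts))
    return hits


# Constructed sample events: ts, host, user, image, parent image, command line.
SAMPLE_EVENTS = [
    "\t".join(["2025-10-01T08:00:12Z", "DISPATCH-01", r"CORP\svc_it",
               r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
               r"C:\Windows\System32\services.exe",
               r'"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"']),
    "\t".join(["2025-10-01T09:14:03Z", "DISPATCH-02", r"CORP\jdoe",
               r"C:\Users\jdoe\AppData\Local\Temp\SimpleHelp-Remote-Access.exe",
               r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               r'"C:\Users\jdoe\AppData\Local\Temp\SimpleHelp-Remote-Access.exe"']),
    "\t".join(["2025-10-01T09:21:47Z", "DISPATCH-02", r"CORP\jdoe",
               r"C:\Users\jdoe\AppData\Local\Temp\WebBrowserPassView.exe",
               r"C:\Users\jdoe\AppData\Local\Temp\SimpleHelp-Remote-Access.exe",
               r'"C:\Users\jdoe\AppData\Local\Temp\WebBrowserPassView.exe" /stext C:\Users\jdoe\AppData\Local\Temp\creds.txt']),
    "\t".join(["2025-10-01T09:30:00Z", "DISPATCH-02", r"CORP\jdoe",
               r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r"C:\Windows\explorer.exe",
               r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\jdoe\Documents\BOL_4471.docx"']),
]

if __name__ == "__main__":
    for ev, alerts in scan(SAMPLE_EVENTS):
        for a in alerts:
            print(f"{ev.ts} {ev.host} {ev.user}: {a}")
```

On the constructed events the first (IT-installed ScreenConnect under its approved path, started by the service control manager) and the last (Word opening a document) are silent; the SimpleHelp installer run from the user's Temp directory by Chrome raises two alerts, and WebBrowserPassView raises a third that records the SimpleHelp parent. In production the same logic would sit on Sysmon Event ID 1 or an EDR process-creation feed rather than a tab-separated file.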

Recommendations

  1. Strictly prohibit the download and installation of any RMM tool that has not been explicitly approved and confirmed by the organization's IT administrators.
  2. Implement application allowlisting. Any unsigned or unrecognized .exe or .msi file downloaded from an external domain should be automatically quarantined.
  3. Block delivery of .exe and .msi files received via email from unverified senders.
  4. Enforce MFA across all load boards, dispatch systems, and remote access interfaces to prevent credential abuse.
  5. Alert on emails that appear in existing threads but contain unusual links or attachments.
  6. Establish verification protocols to validate load postings, including callback procedures or secondary contact checks before booking freight.
  7. Train employees to identify and report suspicious activity to their security teams. This training should focus on the social engineering tactics used by the threat actors, such as fraudulent load postings and malicious links inserted into email threads.
  8. Block the published IOCs at the relevant controls:
    https://www.virustotal.com/gui/collection/1db5415e8bbd0abe2672241809f70cfd2cecd14b6aa76edfde3205d2acff3e39/iocs
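Recommendations 3 and 5 describe mail-side detection logic. The Python below is an added example (not code from the Proofpoint report or from Ampcus Cyber) that implements both over a constructed four-message exchange: it groups messages by the root of their References/In-Reply-To chain, flags a reply to an already-seen thread whose links point at a domain that was neither seen earlier in that thread nor belongs to the sender, and flags .exe/.msi attachments, blocking them from unverified senders and quarantining them for review when the sender is a verified partner. That last case matters because in thread hijacking the compromised account is a trusted one, so a sender allowlist alone does not catch it. The partner allowlist, the addresses, the domains and all four messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EXEC_EXT = (".exe", ".msi")
VERIFIED_DOMAINS = {"acme-logistics.example"}  # assumed partner allowlist (rec. 3)


def thread_root(msg) -> str:
    """Root Message-ID: first References entry, else In-Reply-To, else own ID."""
    refs = (msg.get("References") or "").split()
    if refs:
        return refs[0]
    return (msg.get("In-Reply-To") or "").strip() or msg["Message-ID"]


def link_domains(msg) -> set[str]:
    """Hostnames of every http(s) URL found in the text/plain parts."""
    text = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    hosts = (urlparse(u).hostname for u in URL_RE.findall("\n".join(text)))
    return {h.lower() for h in hosts if h}


def analyze(raw_messages) -> list[tuple[str, str]]:
    """Process messages in arrival order; return (Message-ID, reason) alerts."""
    threads: dict[str, set[str]] = {}  # thread root -> link domains seen so far
    alerts = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid, root = msg["Message-ID"], thread_root(msg)
        sender_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
        links = link_domains(msg)
        if root in threads:  # a reply joining a thread already seen (rec. 5)
            for d in sorted(links):
                if d in threads[root] or d == sender_domain or d.endswith("." + sender_domain):
                    continue
                alerts.append((mid, f"reply in existing thread links to new domain: {d}"))
        for part in msg.walk():  # executable attachments (rec. 3)
            name = part.get_filename() or ""
            if name.lower().endswith(EXEC_EXT):
                action = "quarantine for review" if sender_domain in VERIFIED_DOMAINS else "block"
                alerts.append((mid, f"executable attachment {name} from {sender_domain}: {action}"))
        threads.setdefault(root, set()).update(links)
    return alerts


# Constructed thread: broker posts a load, carrier replies, then the broker's
# compromised account injects a lookalike link and an .msi "viewer" (message 3).
# Message 4 is a direct spear-phish from an unverified domain.
MSG1 = """\
From: Dana Brooks <dana@acme-logistics.example>
Subject: Load 4471 Dallas to Atlanta
Message-ID: <1@acme-logistics.example>

Load 4471 is posted. Details and rate: https://portal.acme-logistics.example/loads/4471
"""
MSG2 = """\
From: FastHaul Dispatch <dispatch@fasthaul.example>
Subject: RE: Load 4471 Dallas to Atlanta
Message-ID: <2@fasthaul.example>
In-Reply-To: <1@acme-logistics.example>
References: <1@acme-logistics.example>

We can cover it, driver available Tuesday. Please send the rate confirmation.
"""
MSG3 = """\
From: Dana Brooks <dana@acme-logistics.example>
Subject: RE: Load 4471 Dallas to Atlanta
Message-ID: <3@acme-logistics.example>
In-Reply-To: <2@fasthaul.example>
References: <1@acme-logistics.example> <2@fasthaul.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Updated rate con: https://acme-docs-download.example/rc/4471
Install the attached viewer first.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="RateCon_4471.msi"

--b1--
"""
MSG4 = """\
From: Loads Desk <bids@freight-bids-now.example>
Subject: High paying load Houston to Memphis
Message-ID: <4@freight-bids-now.example>
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="LoadBoard_Viewer.exe"

--b2--
"""
SAMPLE_MESSAGES = [MSG1, MSG2, MSG3, MSG4]

if __name__ == "__main__":
    for mid, reason in analyze(SAMPLE_MESSAGES):
        print(mid, reason)
```

Messages 1 and 2 are silent: the broker's own portal link seeds the thread's known domains and the carrier's reply adds nothing new. Message 3 raises two alerts (a link domain the thread has never seen, and an .msi from a verified sender that is quarantined rather than blocked), and message 4 raises one (an .exe from an unverified sender, blocked outright). A deployed version would take the same decisions on the mail gateway, keyed on the gateway's own thread and sender reputation data rather than an in-memory dictionary.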

Source:

  • https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics



Ampcus Cyber