As if disruption to the global supply chain post-pandemic isn’t bad enough, cybercriminals are selling access, sometimes in the form of credentials, to shipping and logistics companies in underground markets.
That’s a worrisome, if not unexpected, development; a cybersecurity incident at a company that operates air, ground and maritime cargo transport on multiple continents and moves billions of dollars’ worth of goods could prove devastating to the global economy.
“At the moment, the global supply chain is extremely fragile. This makes the industry a top target for cybercriminals who will look to take advantage of today’s current situation,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “The global chip shortage is resulting in major delays, with some stock unavailable or backlogged for more than six months, making it a prime attraction for cybercriminals to attempt to expose and monetize this via various scams. This includes redirecting shipments by changing logistic details or causing disruptions via ransomware.”
The actors, ranging from newcomers to prolific network access brokers, are selling credentials they obtained by leveraging known vulnerabilities in Remote Desktop Protocol (RDP), VPN, Citrix, SonicWall and other remote access solutions, according to the Intel 471 researchers tracking them.
“No business or IT security team would willingly allow bad actors to exploit known vulnerabilities in remote access technologies, but this is exactly what is happening,” said Yaniv Bar-Dayan, CEO and co-founder of Vulcan Cyber, who believes much of the problem is a result of poor cybersecurity hygiene.
In one instance last August, an actor that has worked with groups deploying Conti ransomware said they had accessed “corporate networks belonging to a U.S.-based transportation management and trucking software supplier and a U.S.-based commodity transportation services company,” the researchers wrote in a blog post. “The actor gave the group access to an undisclosed botnet powered by malware that included a virtual network computing (VNC) function.” The group then used the botnet “to download and execute a Cobalt Strike beacon on infected machines, so group members in charge of breaching computer networks received access directly via a Cobalt Strike beacon session,” they said.
In another incident in the fall, a FiveHands-affiliated threat actor claimed to have accessed hundreds of companies, one of which was a logistics company based in the U.K. Intel 471 researchers believed the access may have come through a SonicWall vulnerability that FiveHands previously used for its ransomware attacks. “Additionally in September, a new actor claimed to have gained access to a Bangladesh-based shipping and logistics company through a vulnerability in the PulseSecure VPN,” the researchers said.
“Just like the legitimate supply chain, today’s cybercriminals also work in a supply chain structure, with many specializing in different areas such as selling access or credentials to other criminals who will use and abuse those credentials, stealing manifest details, financial fraud such as poisoning invoices, or ransomware disrupting services,” noted Carson.
“In the past two years, we’ve noticed a growing intertwining of initial access broker (IAB) activity and ransomware gangs’ operations,” said Stefano De Blasi, cyber threat intelligence analyst at Digital Shadows. “The reason is simple: IABs provide ransomware gangs a seemingly infinite supply of potential victims to scale their criminal business model and, consequently, increase their reputation and revenue. That’s why spikes in IABs targeting a specific sector or geography often correspond to subsequent growth in ransomware operations in the same area in the following months,” De Blasi said.
Intel 471 points to the 2017 NotPetya attack that crippled Maersk, among others, and a breach last summer at the Port of Houston that was ultimately thwarted by early detection as evidence of cybercriminals’ growing interest in targeting the logistics industry.
“At a time when this sector is struggling to keep things operating, a successful attack could bring this industry to a screeching halt, resulting in unforeseen dire consequences for every part of the consumer economy,” the researchers warned. “Proactively addressing vulnerabilities in times of high alert avoids further stress on already constrained business operations.”
A high-risk industry and employees under pressure are a dangerous combination. Workers “will do what it takes to get the job done,” Carson said. “Unfortunately, that means sacrificing security, which is when cybercriminals will focus on taking advantage.” It takes a single employee with local administrator privileges “to click on a poisoned attachment for a cybercriminal to steal their credentials and log on to the corporate network,” he said. “Hackers no longer need to find vulnerabilities as much these days. They simply steal credentials and log on pretending to be a legitimate employee.”