Cybercriminals are turning their attention to freight and trucking companies, with the help of organized crime groups.
They are exploring Remote Monitoring and Management (RMM) tools which allow them to hijack cargo and steal physical goods down the line, security firm, Proofpoint, has warned this week.
This worrying partnership could drastically increase the threat posed by malicious actors as, traditionally, the ambition of cybercriminals has been tempered by their lack of on the ground personnel. However, cybercriminals working alongside organized crime groups could be a mutually beneficial relationship.
In these attacks, the attacker installs an RMM tool (such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, or LogMeIn) on the target company’s system, giving them full remote control of that system.
This would allow them to carry out reconnaissance and credential harvesting attacks. It would also enable them to reroute shipments or impersonate legitimate carriers, resulting in goods being handed over willingly to the team of hackers and organized criminals, which they can then resell for profit.
How The Attack Works
Source: Proofpoint
Proofpoint has described the attack chain that they observed. First, the attacker compromises a broker load board account – this is a marketplace that is used for organizing freight bookings. The attackers post a fraudulent job as a lure, then share a malicious link when a carrier responds to the posting. This link prompts the victim to install a legitimate RMM tool that the attacker can then abuse to compromise the carrier’s accounts.
The Impact
Not only is there the financial impact of the theft to account for, but there is also the disruption. International supply chains are delicate networks; if shipments are stolen or reallocated, this could have a significant knock-on effect to manufacturing or retail operations.
We saw an example of this when the Panama Canal was blocked in 2021. Analysts reported that this accounted for $9.6bn of goods held up each day. While we are a long way off disruption of this scale, cargo theft is already significant; according to the National Insurance Crime Bureau, the figure sits at $35bn annually.
Proofpoint’s report focuses on North America, however, Munich RE warns that Brazil, Mexico, India, Germany, Chile, and South Africa are all theft hotspots, with spikes in Q1 and Q4 2024.
Next Steps
“Public discussion and reporting on cyber-enabled cargo theft suggests the problem is widespread, impacting organizations nationwide, and only increasing in scope and spread,” says Proofpoint.
“Based on the growth of this activity in email threat data between 2024 and 2025, Proofpoint assesses this threat will continue to increase. Organizations should be aware of the cyber-enabled tactics and payloads used by cargo theft criminals, and implement cybersecurity measures to prevent successful exploitation.”
In order to avoid falling victim to this type of attack, Proofpoint recommend that all organizations within the sector take steps to defend against RMM abuse. And RMM abuse isn’t something that’s going away soon – Cisco Talos’ 2024 Year in Review found that threat actors are leveraging an increasing variety of commercial and open-source products. Mitigations include employee training, preventing unknown tools from being installed, and having network detection procedures in place.
Gary Mounsor, Senior Cybersecurity Consultant, e2e-assure, has warned of the threat facing Operational Technology (OT), that is currently overlooked: “Once they’ve been compromised, these OT environments become the attacker’s playground because very few of these systems are actively monitored from a security point of view. Initiating change will, however, prove challenging due to the cultural mindset in OT.”
