Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks
In recent months, cybercriminals have intensified their focus on the trucking and logistics sector, deploying remote monitoring and management (RMM) software to facilitate financial theft and cargo hijacking. Since at least June 2025, these threat actors have been collaborating with organized crime groups to infiltrate surface transportation companies, aiming to steal physical goods, particularly food and beverage products.
According to researchers Ole Villadsen and Selena Larson from Proofpoint, the stolen cargo is often sold online or shipped overseas. The attackers infiltrate companies and use their unauthorized access to bid on legitimate shipments, ultimately diverting them for theft.
This wave of cyber-enabled heists shares similarities with attacks disclosed in September 2024, where transportation and logistics companies in North America were targeted with information stealers and remote access trojans (RATs) like Lumma Stealer, StealC, and NetSupport RAT. However, there is no evidence to suggest that the same threat actors are behind both sets of attacks.
Attack Methods:
The current intrusion campaigns employ multiple tactics:
1. Compromised Email Accounts: Attackers hijack existing email conversations to target asset-based carriers, freight brokerage firms, and integrated supply chain providers with spear-phishing emails.
2. Fraudulent Freight Listings: Using compromised accounts, cybercriminals post fake freight listings on load boards. Carriers that inquire about these loads receive replies containing malicious URLs. The tactic exploits the trust and urgency inherent in freight negotiations.
Deployment of RMM Tools:
The malicious URLs embedded in these emails lead to the download of booby-trapped MSI installers or executables that install legitimate RMM tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve, giving the attacker a remote session on the victim's machine. In some instances, multiple RMM programs are chained: for example, PDQ Connect has been used to install ScreenConnect and SimpleHelp.
Post-Compromise Activities:
Once remote access is established, the attackers conduct system and network reconnaissance, then run credential harvesting tools such as NirSoft's WebBrowserPassView, which dumps passwords saved in web browsers, to capture additional credentials and move deeper into the corporate network.
In at least one case, the threat actor utilized their access to delete existing bookings, block dispatcher notifications, add their own device to the dispatcher’s phone extension, book loads under the compromised carrier’s name, and coordinate the transport.
Scope of Attacks:
Since August 2025, roughly two dozen campaigns delivering RMM tools to transportation entities have been detected. They are assessed to be indiscriminate and opportunistic, with targets ranging from small, family-owned businesses to large transport firms. The attackers use information gathered through other breaches to identify and bid on loads that would be profitable to steal.
Advantages of Using RMM Software:
The use of RMM software offers several advantages to cybercriminals:
1. Avoidance of Custom Malware: RMM tools eliminate the need for threat actors to develop bespoke malware.
2. Evasion of Detection: Because RMM tools are legitimate, signed software that is common in enterprise environments, antivirus and EDR products typically do not flag them as malicious, allowing attackers to operate under the radar. Detection therefore has to rest on policy rather than on file reputation: which RMM products the organization actually uses, who installed them, and from what parent process they were launched.
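Since file reputation will not catch these tools, the practical detection is a policy check over process-creation telemetry: flag any RMM product the organization has not approved, flag RMM agents started from a user-launched installer (the MSI-from-email path described above), flag one RMM tool installing another (the PDQ Connect chain described above), and flag credential dumpers such as WebBrowserPassView running under an RMM session. The following is an added example written for this article, not code from Proofpoint or from any of the RMM vendors. The log events are constructed, the `APPROVED_RMM` set is an assumption, and the regex patterns for each product are illustrative and must be replaced with the exact binary names, signers and install paths your own telemetry shows.

```python
"""Policy-based detection of unapproved or suspiciously installed RMM tools.

Added example, not from the original article. All events below are
constructed; product patterns and the approved-RMM list are assumptions.
"""
import re
from dataclasses import dataclass

# Vendor -> regex matched against the lowercased image path and command line.
# Assumed, illustrative patterns: tune to the real binaries in your estate.
RMM_PATTERNS = {
    "ScreenConnect": r"screenconnect",
    "SimpleHelp": r"simplehelp",
    "PDQ Connect": r"pdq-?connect",
    "FleetDeck": r"fleetdeck",
    "N-able": r"n-able|nable",
    "LogMeIn Resolve": r"logmein|goto ?resolve",
}

# The RMM product(s) this organization has actually licensed (assumption).
APPROVED_RMM = {"ScreenConnect"}

# Parent processes that indicate a user-driven install rather than a managed rollout.
USER_LAUNCH_PARENTS = {"msiexec.exe", "outlook.exe", "chrome.exe", "msedge.exe", "explorer.exe"}

# Credential-harvesting utilities named in the article.
CRED_TOOL_PATTERNS = {"WebBrowserPassView": r"webbrowserpassview"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR equivalent)."""
    ts: str
    host: str
    user: str
    image: str
    parent_image: str
    cmdline: str


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def rmm_vendor(text):
    """Return the RMM vendor whose pattern matches text, or None."""
    t = text.lower()
    for name, rx in RMM_PATTERNS.items():
        if re.search(rx, t):
            return name
    return None


def evaluate(ev):
    """Return a list of (severity, rule, detail) findings for one event."""
    findings = []
    hay = f"{ev.image} {ev.cmdline}"
    vendor = rmm_vendor(hay)
    parent_vendor = rmm_vendor(ev.parent_image)
    parent = _basename(ev.parent_image)
    if vendor:
        if vendor not in APPROVED_RMM:
            findings.append(("high", "unapproved_rmm", f"{vendor} on {ev.host} by {ev.user}"))
        if parent in USER_LAUNCH_PARENTS:
            findings.append(("medium", "rmm_user_install", f"{vendor} started from {parent}"))
        if parent_vendor and parent_vendor != vendor:
            findings.append(("high", "rmm_chaining", f"{parent_vendor} launched {vendor}"))
    for name, rx in CRED_TOOL_PATTERNS.items():
        if re.search(rx, hay.lower()):
            # A password dumper spawned from an RMM session is the post-compromise
            # pattern described in the article, so it outranks a bare execution.
            sev = "critical" if parent_vendor else "high"
            findings.append((sev, "credential_tool", f"{name} under {parent}"))
    return findings


def scan(events):
    """Evaluate every event and return flat alert dicts in input order."""
    return [
        {"ts": ev.ts, "host": ev.host, "severity": sev, "rule": rule, "detail": detail}
        for ev in events
        for sev, rule, detail in evaluate(ev)
    ]


# Constructed sample telemetry: one benign managed install, then the attack chain.
SAMPLE_EVENTS = [
    ProcEvent("2025-09-02T08:01:00Z", "DISPATCH01", "dispatch",
              r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\services.exe", "ScreenConnect.ClientService.exe"),
    ProcEvent("2025-09-02T09:14:12Z", "DISPATCH01", "dispatch",
              r"C:\Users\dispatch\AppData\Local\Temp\pdq-connect-agent.exe",
              r"C:\Windows\System32\msiexec.exe", "pdq-connect-agent.exe /quiet"),
    ProcEvent("2025-09-02T09:15:40Z", "DISPATCH01", "dispatch",
              r"C:\Users\dispatch\AppData\Local\Temp\simplehelp-remote-access.exe",
              r"C:\Program Files\PDQ Connect\pdq-connect-agent.exe", "simplehelp-remote-access.exe /S"),
    ProcEvent("2025-09-02T09:22:05Z", "DISPATCH01", "dispatch",
              r"C:\Users\dispatch\Downloads\WebBrowserPassView.exe",
              r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.WindowsClient.exe",
              "WebBrowserPassView.exe /stext out.txt"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the managed ScreenConnect service start produces nothing, while the three attack events produce five alerts: the unapproved PDQ Connect agent launched from msiexec.exe, the unapproved SimpleHelp install chained from the PDQ Connect agent, and WebBrowserPassView running under a ScreenConnect session. The same rules translate directly into a SIEM or EDR query; the point is that the conditions are about approval and provenance, not about the binaries being malicious.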
Recommendations for Mitigation:
To mitigate the risk of such attacks, organizations in the logistics and freight industry should consider the following measures:
1. Regular Software Updates: Keep all systems and software current with the latest security patches to close known vulnerabilities.
2. Employee Training: Conduct regular training that covers the phishing tactics described above, in particular unsolicited installers sent in reply to a load inquiry, and the importance of verifying emails and links before acting on them.
3. Multi-Factor Authentication (MFA): Enforce MFA across all systems, and on email accounts first, since hijacked email conversations are the initial access vector in these campaigns.
4. Network Segmentation: Divide the network into segments to limit the spread of an intrusion and restrict unauthorized access to sensitive systems such as dispatch and booking platforms.
5. Monitor Load Boards: Regularly monitor load boards for fraudulent listings posted under the company's name and report any suspicious activity to the platform administrators.
6. Incident Response Plan: Develop and regularly update an incident response plan so that a breach, including a fraudulent booking made in the company's name, is detected and contained quickly.
7. Control RMM Software: Maintain an inventory of the RMM products the organization actually uses, block installation and outbound connections for all others, and alert on any RMM agent launched from an installer downloaded through email or a browser.
Conclusion:
The increasing sophistication of cybercriminals targeting the logistics and freight industry underscores the need for heightened vigilance and robust cybersecurity measures. By understanding the tactics employed by these threat actors and implementing comprehensive security protocols, organizations can better protect themselves against such cyber-enabled heists.