Cybercriminals are targeting organizations in the supply chain sector with cyberattacks and claiming in underground forums that they have access to the networks of companies that operate air, ground and maritime cargo transport.
The global supply chain is facing widespread challenges, with the COVID-19 pandemic leading to fluctuations in the availability of goods. At the same time, ports are backlogged and there is a shortage of workers available to transport cargo. The added threat of potential cyberattacks creates a “precarious situation” for this sector, particularly as the holiday approaches, said researchers with Intel 471.
“With things as volatile as they are, a cybersecurity crisis at one of these logistics and shipping companies could have a calamitous impact on the global consumer economy,” according to Intel 471 researchers in a Tuesday post. “These companies operate air, ground and maritime cargo transport on several continents that are responsible for moving billions of dollars worth of goods around the world.”
Researchers with Intel 471 detected various network access brokers selling credentials that they claimed belonged to logistics companies over the past few months. The cybercriminals claimed that they obtained these credentials by leveraging vulnerabilities in remote access solutions, including Remote Desktop Protocol (RDP), Citrix and SonicWall, they said. In August, for instance, researchers observed one actor claiming to have access to corporate networks that belonged to a U.S.-based transportation management and software supplier, and a U.S.-based commodity transportation services company. The threat actor, which is known to work with groups that deploy the Conti ransomware, gave a Conti affiliate group access to an undisclosed botnet with a virtual network computing (VNC) function, said researchers.
“The group used the botnet to download and execute a Cobalt Strike beacon on infected machines, so group members in charge of breaching computer networks received access directly via a Cobalt Strike beacon session,” they said.
In another incident in October, researchers observed a newcomer to a well-known cybercrime forum claiming access to the network of a U.S.-based freight forwarding company. The attacker claimed to have local administrator rights and access to 20 computers on the company’s network, and also claimed that he obtained the credentials through a path traversal vulnerability (CVE-2018-13379) in Fortinet’s FortiGate secure sockets layer (SSL) VPN web portal.
“The vulnerabilities by which these actors gain access to corporate networks... have grabbed headlines for the past few years -- RDP, Citrix, Fortinet, et al.,” said Greg Otto, Intel 471 threat researcher. “It really shows how widely these technologies are used, the damage that can be wrought if actors know where to look, and the pain that can be inflicted on businesses if they hope for ‘security by obscurity.’”
In August, attackers targeted the Port of Houston, one of the largest ports on the U.S. Gulf Coast. Early detection of the incident prevented any disruption of business, but researchers said that the potential impact of such an attack could be dire. The financial consequences of such an attack were seen when the global NotPetya ransomware attack in 2017 froze Danish shipping firm Maersk's worldwide logistics operations, costing the firm up to $300 million in damages.
“At a time when this sector is struggling to keep things operating, a successful attack could bring this industry to a screeching halt, resulting in unforeseen dire consequences for every part of the consumer economy,” said Intel 471 researchers.
Researchers with Intel 471 said that security teams in these logistics companies should constantly monitor and track adversaries, their tools and malicious behavior to stop attacks from these criminals. However, many companies in this sector lag behind in security protections. A report in April assessing 20 of the top global shipping companies found that 90 percent of the organizations studied had open remote desktop or administration ports and insufficient email security.
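The audit the April report describes (checking whether shipping companies expose remote desktop or administration ports) is easy to reproduce against an organization's own external scan results. The following added example is not code from Intel 471 or from the report; it parses nmap "grepable" (-oG) output lines, flags open TCP ports that belong to a conventional set of remote-administration services (the port-to-service table is an assumption of the example, not a list from the article), and computes the share of organizations with at least one such exposure. The scan lines and organization names are constructed sample data using RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Remote-administration services that should not be reachable from the Internet.
# This mapping is a conventional default chosen for the example (an assumption),
# not a list taken from the article or the report it cites.
REMOTE_ADMIN_PORTS = {
    22: "SSH",
    23: "Telnet",
    445: "SMB",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Constructed sample: (organization, one nmap -oG output line). Organization
# names are hypothetical and addresses come from RFC 5737 documentation ranges.
SAMPLE_SCAN = [
    ("freight-co-a",
     "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///"),
    ("freight-co-a",
     "Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///"),
    ("port-operator-b",
     "Host: 198.51.100.5 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///"),
    ("logistics-c",
     "Host: 198.51.100.77 ()\tPorts: 5900/open/tcp//vnc///, 5985/open/tcp//wsman///"),
]

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# nmap -oG port fields look like "3389/open/tcp//ms-wbt-server///"
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)")


def parse_gnmap_line(line):
    """Return (host, [(port, state, proto), ...]) for a grepable 'Ports:' line,
    or None for lines that carry no port information (e.g. 'Status: Up')."""
    match = HOST_RE.match(line)
    if not match or "Ports:" not in line:
        return None
    host = match.group(1)
    ports = [(int(port), state, proto) for port, state, proto in PORT_RE.findall(line)]
    return host, ports


def exposed_admin_services(scan):
    """Map organization -> [(host, port, service)] for every open TCP port that
    is a remote-administration service. Filtered or closed ports are ignored."""
    findings = defaultdict(list)
    for org, line in scan:
        parsed = parse_gnmap_line(line)
        if parsed is None:
            continue
        host, ports = parsed
        for port, state, proto in ports:
            if proto == "tcp" and state == "open" and port in REMOTE_ADMIN_PORTS:
                findings[org].append((host, port, REMOTE_ADMIN_PORTS[port]))
    return dict(findings)


def exposure_rate(scan):
    """Fraction of organizations in the scan with at least one exposed admin port."""
    orgs = {org for org, _ in scan}
    if not orgs:
        return 0.0
    return len(exposed_admin_services(scan)) / len(orgs)


if __name__ == "__main__":
    for org, items in sorted(exposed_admin_services(SAMPLE_SCAN).items()):
        for host, port, service in items:
            print(f"{org}: {host} exposes {service} on tcp/{port}")
    print(f"organizations with exposed admin ports: {exposure_rate(SAMPLE_SCAN):.0%}")
```

Filtered ports are deliberately excluded: a port that a firewall silently drops is not an exposure, and counting it would inflate the rate. In practice the same parser can be pointed at a scheduled external scan of the organization's own address space, so that a newly opened RDP or VNC port is noticed by the security team before it is advertised by an access broker.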
This lax security has led to a federal focus, with a hearing last week called “Transportation Security: Protecting Planes, Trains and Pipelines from Cyber Threats” highlighting a slew of attacks on transportation and logistics companies, including the Port of Houston. Speaking at the hearing, Bonnie Watson Coleman, chairwoman of the Transportation and Maritime Security Subcommittee, said “transportation operators have no obligation to meet even baseline cybersecurity measures.”
“When it comes to transportation cybersecurity, inaction isn’t an option,” she said. “While many operators employ best practices, invest in cybersecurity talent, and coordinate with government voluntarily, some cut corners and put us all at risk. Without requirements, there is nothing to compel those companies to improve.”