Cybercriminals sell access to international shipping, logistics giants

Initial access brokers on underground forums are offering entry to companies that are key links in global supply chains.

Cybercriminals are offering initial access for networks belonging to key players in global supply chains, researchers warn.

On Tuesday, Intel 471 published an analysis of current online black market trends, revealing instances of initial access brokers (IABs) offering access to international shipping and logistics companies operating by ground, air, and sea.

Global supply chains have faced serious upheaval since the start of the COVID-19 pandemic. The problems go beyond chip shortages -- lockdowns and closures have caused backlogs worldwide, and as we slowly emerge from the pandemic, demand for everything from food to electronics remains high. 

This may be why organizations that provide the backbone of cargo transport and goods deliveries have captured the interest of cybercriminals, including ransomware operators.

Access is normally obtained by exploiting vulnerabilities in Remote Desktop Protocol (RDP), virtual private networks (VPNs), Citrix, and SonicWall products, by abusing misconfigurations, through brute-force attacks, and through credential theft.
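As an added, defender-side illustration that is not part of the Intel 471 analysis or this article, the following Python sketch shows how one of the vectors listed above, RDP password brute-forcing, can be detected by running a sliding-window count of failed logons over audit records. The log line format, the IP addresses, usernames and thresholds are all constructed for the example; Windows event 4625 (failed logon) and logon type 10 (RemoteInteractive, used by RDP) are real identifiers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp event_id user src type" form.
# 4625 = Windows failed-logon audit event, 4624 = successful logon,
# logon type 10 = RemoteInteractive (RDP).  Addresses and users are invented.
SAMPLE_LOG = """\
2021-11-02T08:00:01Z 4625 user=admin src=203.0.113.7 type=10
2021-11-02T08:00:03Z 4625 user=administrator src=203.0.113.7 type=10
2021-11-02T08:00:04Z 4625 user=backup src=203.0.113.7 type=10
2021-11-02T08:00:06Z 4625 user=svc_sql src=203.0.113.7 type=10
2021-11-02T08:00:09Z 4625 user=root src=203.0.113.7 type=10
2021-11-02T08:00:11Z 4624 user=jdoe src=198.51.100.20 type=10
2021-11-02T08:05:00Z 4625 user=jdoe src=198.51.100.20 type=10
2021-11-02T08:40:00Z 4625 user=jdoe src=198.51.100.20 type=10
2021-11-02T09:10:00Z 4625 user=admin src=203.0.113.7 type=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<ltype>\d+)$"
)


def parse_line(line):
    """Parse one constructed audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "user": m["user"],
        "src": m["src"],
        "ltype": int(m["ltype"]),
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source addresses with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: (failures_in_window, distinct_usernames_tried)} for each
    source at the moment it first crosses the threshold.  Only event 4625 with
    logon type 10 is counted, so successful logons and non-RDP failures are ignored.
    """
    alerts = {}
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) within the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != 4625 or rec["ltype"] != 10:
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that fell out of the window (records arrive in time order).
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = (len(q), len({u for _, u in q}))
    return alerts


if __name__ == "__main__":
    for src, (count, users) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {src}: {count} failures, {users} distinct users")
```

In the sample, 203.0.113.7 produces five failures across five different usernames in eight seconds and is flagged; 198.51.100.20 has one success and two widely spaced failures and is not. Counting distinct usernames alongside the failure count helps separate password spraying from a single user mistyping a password, which is the kind of distinction a real rule on RDP or VPN gateway logs needs to make.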

While already in a volatile and precarious position -- especially as we head into winter -- "a cybersecurity crisis at one of these logistics and shipping companies could have a calamitous impact on the global consumer economy," according to the researchers.

With this in mind, Intel 471 examined Dark Web listings over the past few months to see how prevalent IAB listings relating to the global supply chain are.

There are several cases of note from both well-known IABs and newcomers. In July, two traders claimed to have secured access to a Japanese shipping firm's networks, alongside working, stolen account credentials. This offer was included in a wider dump of roughly 50 organizations. 

In August, a trader and associate of the Conti ransomware group said they had infiltrated networks belonging to a US transport and trucking software supplier, as well as a commodity transport giant. 

According to the cybersecurity firm, this actor had previously given Conti access to a botnet including a virtual network computing (VNC) function, allowing them "to download and execute a Cobalt Strike beacon on infected machines, so group members in charge of breaching computer networks received access directly via a Cobalt Strike beacon session."

A posting published in September by an IAB linked to the FiveHands ransomware group offered access to "hundreds" of companies, including a logistics company in the United Kingdom. Other postings on cybercriminal forums offered access to a shipping firm in Bangladesh, secured through a Pulse Secure VPN security flaw; local admin rights in a US freight organization; and a pack of credentials including account access for a logistics company in Malaysia.

"The logistics industry is constantly targeted, and the ramifications of a cyberattack can have a crippling ripple effect on the global economy [..] It's extremely beneficial that security teams in the shipping industry monitor and track adversaries, their tools and malicious behavior to stop attacks from these criminals," the researchers say. "Proactively addressing vulnerabilities in times of high alert avoids further stress on already constrained business operations."
