Shipping Firms’ Credentials for Sale on the Dark Web: November Threat Intelligence Report

By Callie Guenther, Critical Start Cyber Threat Intelligence Manager

It’s no secret that the shipping and logistics industries as well as many other global supply chain components such as sourcing, continuity and quality maintenance functions are under severe strain, with billions of dollars’ worth of goods sitting in containers at ports around the globe. Now they have another issue to grapple with: on the dark web, initial access brokers (IABs) are actively selling access to shipping and logistics company networks.

In this week’s Cyber Threat Intelligence Summary we address this continuing trend of supply chain attacks as well as a few other weekly highlights in brief. Download the summary here.

Since the summer, there’s been an uptick in activity targeting air, ground and maritime cargo transport and logistics companies. As the cyber threat research firm Intel471 reports:

  • July 2021: One new threat actor and one well-known access broker claim to have access to a network of a Japanese container transportation and shipping company.
  • August 2021: An affiliate of the Conti ransomware gang claim access to corporate networks belonging to a U.S.-based transportation management and trucking software supplier and a U.S.-based commodity transportation services company.
  • September 2021: An actor linked to the FiveHands ransomware group claims access to hundreds of companies, including a U.K.-based logistics company.
  • October 2021: A threat actor claims access to the network of a U.S.-based freight forwarding company.

A cyber incident at any company that’s part of the global supply chain could have a ripple effect that further disrupts an already vulnerable supply chain at the worst time of year. Should a threat actor successfully compromise systems at, say, a shipping company, it could render the company unable to move cargo because they are so heavily dependent on IT systems for shipping instructions.

While it’s always been important for supply chain security teams to monitor and track threat actors, including the tools they use and new malicious exploits, it’s even more so now with the additional threat coming from IABs and the underground market.

Exploiting known vulnerabilities

That potential for damage is quite real. Threat actors are stealing credentials of shipping and logistics companies’ employees by exploiting some well-known vulnerabilities in remote access solutions like Remote Desktop Protocol (RDP), VPN, Citrix, and SonicWall, among others.

They sell these credentials to IABs on the dark web, who, in turn, offer the credentials to other threat actors, ransomware-as-a-service (RaaS) operators or other cybercriminals who actually conduct the intrusions.

Once inside a target company network, the intruder may install malware that encrypts data and applications and/or steal valuable shipping data, then demand ransom from the company to get it back.

While that’s a familiar tack for purveyors of ransomware to take, what’s new is the concerted effort to target shipping and logistics firms. Such firms are already high-value targets (HVTs) and have some of the highest reported ransomware losses, including around $56 billion in 2020.

What’s more, as companies in the supply chain industry seek greater efficiency, they are continually increasing use of digital technologies and forging online connections among one another. This creates an expansive digital footprint among the organizations and the logistics systems that support them, increasing the risk of cyber-attack.

A range of threats
A few of the examples of threats detected by Intel471 thus far include:
A botnet powered by malware that included a virtual network computing (VNC) function was used to download and execute a Cobalt Strike beacon. The beacon was then used to give threat actors access to infected machines belonging to two U.S.-based transportation services companies.
A previously unknown actor claimed to gain access to a Bangladesh-based shipping and logistics company via a vulnerability in the PulseSecure VPN.
Another new threat actor claimed he had local administrator rights and could access 20 computers on the network of a U.S.-based freight forwarding company. He claimed to have exploited a path traversal vulnerability in Fortinet’s FortiGate security sockets layer (SSL) VPN (CVE-2018-13379).
A newcomer on a well-known cybercrime network was selling a package of credentials, including some to a Malaysian logistics company, for $5,000.

2017 attack demonstrates potential for damage

Past cyber-attacks targeting supply chain companies demonstrate the damage that can be done.

In 2017, the largest terminal in the Port of Los Angeles was shut down after the Danish shipping company A.P. Moller-Maersk, which owns the terminal, was hit with the Petya malware, part of a global ransomware attack. The terminal was closed for three days because Maersk could not receive electronic bookings or communicate with customers.

Two years after the attack, Maersk’s chief technology and information officer recounted the extent of the damage. He noted 49,000 laptops and about 3,500 servers were destroyed and all 1,200 of its applications were inaccessible. All told, the attack cost Maersk between $250 million and $300 million.

Vigilance, MDR required

Defending against such catastrophic attacks requires vigilance. Make sure you’re following cyber-security best practices and that your security procedures are shored up. Implement endpoint monitoring and a security information and event management (SIEM) platform to monitor alerts. Require multi-factor authentication for all users. 

Introducing new technologies without vigorous cyber-security in place presents a huge risk to individual organizations and to the supply chain as a whole. Many organizations are now asking what a third party or vendor is doing to demonstrate effective cybersecurity and resilience and requiring security examinations or audits as a part of their terms and conditions.

Furthermore, governments are becoming more assertive in their expectations of appropriate cyber-hygiene across businesses and national/international infrastructures and the supply chain is no exception. Cyber threats cannot be eliminated but they can be managed through stronger collaboration between governments and key industry stakeholders, and by adopting a strong information security framework.

Partnering with a managed detection and response (MDR) service provider and proactively addressing vulnerabilities avoids further stress on already constrained business operations. Similarly, a dark web monitoring service will help you detect whether any of your credentials are for sale and any beaconing that could leave you susceptible to attack.

If you have questions about these attacks or others, please read the full intelligence summary and feel free to reach out to us. Otherwise, stay safe out there.

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Join us at RSA Conference - booth #449 South!
This is default text for notification bar