Transport, Logistics Orgs Hit by Stealthy Phishing Gambit

Published: 23/11/2024   Category: security




Companies in this industry vertical tend toward large financial transactions with partners, suppliers, and customers.



A small group of transportation and logistics companies in North America has been targeted in cunning business email compromise (BEC) attacks.
Since May, an unknown threat actor has weaponized at least 15 email accounts associated with its targeted companies. In a blog published on Sept. 24, Proofpoint researchers could not say how the threat actor first obtained access to these accounts. What is known is that the attacker is using the accounts to bury initial access malware inside of existing email chains, betting that recipients will have their guards down so deep into ongoing conversations with colleagues.
"Thread hijacking is obviously very effective," says Daniel Blackford, director of threat research for Proofpoint. "Once an account takeover has happened, this increased legitimacy makes it much harder for anyone but those who are the most vigilant to spot it."
From May to July, the threat actor primarily hid payloads inside of Google Drive files leading to Internet shortcut (URL) files. When executed, the attack chain uses server message block (SMB) to retrieve an executable file from a remote share, which installs one of a number of different, known malware tools. Among them: Lumma, the most common infostealer in the world today; StealC; and the legitimate tool NetSupport.
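As an added defender-side example (not code from the article or from Proofpoint), the following Python triage routine parses Internet shortcut (.url) files and flags any whose target is an executable on a remote SMB share, the May-to-July delivery chain just described. It goes slightly beyond the text by accepting both the `file://host/share` and bare UNC forms of the target; the host, file names and shortcut contents are constructed for illustration.

```python
# Added example (not the article's or Proofpoint's code); sample shortcut contents are constructed.
import configparser
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote, urlparse

EXECUTABLE_EXTS = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk"}

def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= target of an Internet shortcut (.url), or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")  # ConfigParser lower-cases option names
    return None

def smb_target(url: str) -> Optional[Tuple[str, str]]:
    """Return (host, path) when the target is a remote SMB share, else None.
    Handles file://host/share/x and bare UNC paths; http(s) and local file:///C:/... give None."""
    parsed = urlparse(url.strip().replace("\\", "/"))  # UNC becomes //host/share/x
    if parsed.scheme.lower() in ("file", "") and parsed.netloc:
        return parsed.netloc, unquote(parsed.path)
    return None

def triage(text: str) -> dict:
    """Classify one .url file's contents for an analyst queue."""
    url = parse_url_file(text)
    if url is None:
        return {"verdict": "not-a-shortcut"}
    target = smb_target(url)
    if target is None:
        return {"verdict": "benign", "url": url}
    host, path = target
    ext = posixpath.splitext(path)[1].lower()
    verdict = "remote-smb-executable" if ext in EXECUTABLE_EXTS else "remote-smb"
    return {"verdict": verdict, "url": url, "host": host, "path": path}

# Constructed samples; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLES = {
    "web": "[InternetShortcut]\nURL=https://example.com/docs\n",
    "unc": "[InternetShortcut]\nURL=\\\\203.0.113.5\\share\\Invoice_2024.exe\nIconIndex=1\n",
    "file": "[InternetShortcut]\nURL=file://203.0.113.5/files/update.exe\n",
    "local": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
    "junk": "not a shortcut at all",
}
```

Running `triage()` over each entry in `SAMPLES` yields `benign` for the web and local targets, `remote-smb-executable` for the two remote-share samples, and `not-a-shortcut` for the junk input.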
In August, the attacker shifted to using the ClickFix technique for tricking victims into downloading its malware. With ClickFix, a malicious webpage presents the victim with a fake pop-up error message. Through a series of dialog boxes, the victim is instructed to copy and paste a supposed fix for the issue into a PowerShell terminal or Windows Run. In fact, the so-called fix is a script, which downloads and runs an executable. In these recent phishing attempts, the executables for download included DanaBot and Arechclient2 (aka SectopRAT).
Why ClickFix works at all — despite asking for much more active engagement and technical monkeying from the victim — can seem confounding.
"The human psychology behind why really convoluted attack chains work continues to astonish me on a yearly basis," Blackford admits. He does, though, have a theory. "Something that I've heard is that it can be annoying to deal with IT, so if the solution is right in front of you, and you don't have to communicate with a help desk and have people remote into your system to fix them, then maybe it's actually less trouble to just try to execute it yourself."
Various threat actors have disguised ClickFix behind fake Windows and Chrome updates. In this case, the attacker impersonated Samsara, AMB Logistics, and Astra TMS, platforms highly specialized for fleet and freight management, demonstrating the highly targeted nature of the campaign.
As Blackford notes, transport and logistics companies can make attractive targets for financially motivated cyberattacks. "They do business with lots of entities — suppliers for a lot of industrial manufacturers, for example," he says. "They're going to be corresponding with a lot of different companies. There's going to be a lot of moving parts — a lot of things in and out, constantly moving — so a lot of opportunities to find connected, future victims from just one company."
With fertile ground to sneak in amongst the many moving players and deals, he notes, "There are requests for quotes and invoices that are of a fairly large magnitude — that are, in terms of the finances involved, maybe an order of magnitude higher than in some other industries."
He adds that, while rare, "There also is some evidence recently of threat actors trying to redirect legitimate shipments to locations that are under their control."
