Cybercriminals Exploit Legitimate Remote Tools to Target Logistics Networks

Cybercriminals are increasingly targeting the logistics and freight industry by exploiting legitimate Remote Monitoring and Management (RMM) tools to gain unauthorized access, with the ultimate goal of stealing cargo.

This trend, observed since at least June 2025, involves threat actors collaborating with organized crime groups to infiltrate transportation entities. They particularly focus on high-value commodities like food and beverages. The stolen goods are subsequently resold or shipped internationally. This situation is reminiscent of previous campaigns where remote monitoring tools were weaponized.

The current intrusion wave, detailed in research by Proofpoint, employs multiple tactics. Attackers leverage compromised email accounts to hijack ongoing conversations and utilize spear-phishing campaigns targeting asset-based carriers, freight brokerages, and supply chain providers.

Additionally, fraudulent freight listings are posted on load boards using compromised accounts. Malicious links are sent to inquiring carriers, leading to the deployment of legitimate RMM tools such as ScreenConnect, SimpleHelp, and PDQ Connect, often in combination.

Once remote access is established, threat actors conduct reconnaissance, deploy credential harvesting tools like WebBrowserPassView, and deepen their network penetration. In some observed cases, attackers have manipulated existing bookings, blocked dispatcher notifications, and rerouted shipments under the guise of the compromised carrier. These campaigns, detected since August 2025, appear indiscriminate, affecting businesses of all sizes.

The utilization of RMM software offers attackers significant advantages. It negates the need for custom malware development and helps evade detection, as these tools are commonly used legitimately within enterprise environments.

Signed, legitimate RMM installers, when distributed maliciously, are less likely to trigger security alerts and may appear less suspicious to end-users compared to other remote access trojans.
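Since a signed RMM installer gives little to alert on by itself, defenders can instead correlate the host behaviour described above: several RMM products appearing in combination, and a credential tool such as WebBrowserPassView running after them. The Python below is an added example, not code from Proofpoint or this article; the event tuples are constructed, and the keyword matching, the approved-tool list and the 24-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: lowercase substrings matched against the image path, not vendor-verified names.
RMM = {"screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp", "pdq-connect": "PDQ Connect"}
CRED = {"webbrowserpassview": "WebBrowserPassView"}
SANCTIONED = {"ScreenConnect"}   # hypothetical: the only RMM product IT approved
WINDOW = timedelta(hours=24)     # hypothetical correlation window

# Constructed process-creation events: (host, ISO timestamp, image path).
EVENTS = [
    ("DISPATCH-01", "2025-08-12T09:02:00", r"C:\Users\amy\Downloads\SimpleHelp-setup.exe"),
    ("DISPATCH-01", "2025-08-12T09:20:00", r"C:\Program Files\PDQ\pdq-connect-agent.exe"),
    ("DISPATCH-01", "2025-08-12T10:05:00", r"C:\Users\amy\AppData\Local\Temp\WebBrowserPassView.exe"),
    ("IT-ADMIN-02", "2025-08-12T08:00:00", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ("BROKER-07", "2025-08-13T14:30:00", r"C:\Users\raj\Downloads\pdq-connect-agent.exe"),
    ("BROKER-07", "2025-08-13T14:31:00", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

def classify(image):
    """Return (kind, product) for a known tool keyword, else (None, None)."""
    low = image.lower()
    for table, kind in ((RMM, "rmm"), (CRED, "cred")):
        for keyword, product in table.items():
            if keyword in low:
                return kind, product
    return None, None

def triage(events, sanctioned=SANCTIONED, window=WINDOW):
    """Map each host to the sorted list of reasons it needs review."""
    per_host = defaultdict(list)
    for host, ts, image in events:
        kind, product = classify(image)
        if kind:
            per_host[host].append((datetime.fromisoformat(ts), kind, product))
    findings = {}
    for host, hits in per_host.items():
        rmm = [(t, p) for t, k, p in hits if k == "rmm"]
        cred = [t for t, k, _ in hits if k == "cred"]
        reasons = set()
        if any(p not in sanctioned for _, p in rmm):
            reasons.add("unsanctioned_rmm")       # RMM product outside the approved list
        if any(p1 != p2 and abs(t1 - t2) <= window for t1, p1 in rmm for t2, p2 in rmm):
            reasons.add("multiple_rmm")           # two different RMM products close together
        if any(timedelta(0) <= tc - tr <= window for tc in cred for tr, _ in rmm):
            reasons.add("cred_tool_after_rmm")    # credential tool run after RMM appeared
        if reasons:
            findings[host] = sorted(reasons)
    return findings
```

Calling `triage(EVENTS)` flags DISPATCH-01 on all three signals and BROKER-07 on the unapproved product alone. A product name cannot distinguish an approved deployment from an attacker-controlled instance of the same tool, so the combination and credential-tool signals carry more weight than the allowlist.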

These recent activities echo a September 2024 campaign that also targeted transportation and logistics firms with information stealers and remote access trojans. While the primary research source from Proofpoint was inaccessible, the consistent pattern of exploiting RMM tools highlights a growing and sophisticated threat to the security and integrity of global supply chains.