Network access brokers, the cybercriminals who trade in credentials needed to compromise corporate computers, have advertised and sold credentials for a variety of global shipping and logistics companies in the past few months, threatening the already-overburdened supply chain infrastructure.
Threat intelligence firm Intel 471 reports that targeted organizations include a Japanese container shipping firm, trucking and transportation companies in the United States, and a logistics firm in the United Kingdom. The attackers purportedly used vulnerabilities in, or insecure configurations of, remote access infrastructure such as Citrix, Cisco, Fortinet, and PulseSecure virtual private network technology, as well as Microsoft's remote desktop protocol (RDP) software.
While the advertised credentials may not presage an attack, the fact that they are advertised in cybercriminal forums does not bode well for the companies, says Greg Otto, a security researcher with Intel 471.
"We have seen attacks go from compromise or sale of credentials on the underground to a ransomware attack," he says. "Not every credential sale results in an attack, but it's never a good sign if your company is suddenly included in a cybercrime underground advertisement."
The global supply chain is suffering from shortages as consumer demand has skyrocketed following the coronavirus pandemic. In October, the port of Los Angeles — the gateway to manufacturers in the Asia-Pacific region — moved to 24-hour operations to try and reduce the backlog.
Ransomware has disrupted shipping operations in the past. In 2017, the NotPetya wiper worm infected critical domain controllers at shipping conglomerate A.P. Moller Maersk, which claimed the resulting disruptions caused more than $300 million in damages.
Intel 471 researchers point to a late-September incident in which credentials for access to a Malaysian shipping company's computers were advertised on the underground. A week later, attackers encrypted the company's data and demanded a ransom, Intel 471's Otto wrote in a Nov. 2 blog post.
While these incidents indicate attackers see tempting targets in companies that form the backbone of the global supply chain, he says, adversaries don't specifically prefer to compromise shipping and logistics companies.
"There has not been any direct conversation that we have observed that point to RaaS [ransomware-as-a-service] crews going after shipping or logistics companies solely for the notion that it will cause further chaos in the global supply chain," he says. "RaaS crews go after any and all targets largely for financial gain."
The evidence of credential sales mainly focuses on access credentials advertised for sale by various members of an underground forum. In July, for example, a new member claimed to have credentials for 50 companies, stolen after compromising a variety of virtual private networking appliances and software. In October, a new member in another cybercrime forum boasted about access to a score of computers in a US-based freight-forwarding firm.
Another organization in the United Kingdom suffered an attack through its SonicWall installation, while a Bangladesh-based shipping and logistics company was compromised using a vulnerability in PulseSecure, Intel 471 claimed, based on the evidence in cybercrime forums.
Even though attackers do not appear to be narrowly focused on compromising supply chain companies, the credential theft suggests the increase in attacks on maritime and transportation networks will continue. Since 2019, the number of cyberattacks on shipping and logistics companies has tripled, with supply chain disruptions expected to cause delays for approximately one month every four years, according to a report on cybersecurity attacks on logistics firms by security firm BlueVoyant.
"Unfortunately, these widespread vulnerabilities are still unaddressed in a time of increased scrutiny and reliance on supply chains — as countries wait for efficient and safe vaccine distribution programs, and as entire work-from-home economies rely on global shipping more than ever," the BlueVoyant report states.
Both companies argue that businesses need to better protect their credentials, use additional factors of authentication, and monitor cybercrime forums to detect breaches as early as possible.
"[G]iven that attackers like to spend time conducting reconnaissance inside corporate networks, monitoring credentials can be the first signal that a ransomware attack could be close," Intel 471's Otto says. "Being proactive can go a long way to thwarting a ransomware attack, so seeing your company's credentials on the cybercrime underground should be a huge signal that something needs to be done in your network."