Attackers flaunt remote-access credential, threaten supply chain
Network-access brokers, the cybercriminals who trade in credentials needed to compromise corporate computers, have advertised and sold credentials for a variety of global shipping and logistics companies in the past few months, threatening the already-overburdened supply chain infrastructure.
Threat-intelligence firm Intel 471 reports that targeted organizations include a Japanese container shipping firm, trucking and transportation companies in the United States, and a logistics firm in the United Kingdom. The attackers purportedly used vulnerabilities in, or insecure configurations of, remote access infrastructure such as Citrix, Cisco, Fortinet, and PulseSecure virtual private network technology, as well as Microsoft’s remote desktop protocol (RDP) software.
While the advertised credentials may not presage an attack, the fact that they are advertised in cybercriminal forums does not bode well for the companies, says Greg Otto, a security researcher with Intel 471.
“We have seen attacks go from compromise or sale of credentials on the underground to a ransomware attack,” he says. “Not every credential sale results in an attack, but it’s never a good sign if your company is suddenly included in a cybercrime underground advertisement.”
The global supply chain is suffering from shortages as consumer demand has skyrocketed following the coronavirus pandemic. In October, the port of Los Angeles — the gateway to manufacturers in the Asia-Pacific region — moved to 24-hour operations to try to reduce the backlog.
Ransomware has disrupted shipping operations in the past. In 2017, the NotPetya wiper worm infected critical domain controllers at shipping conglomerate A.P. Moller Maersk, which claimed the resulting disruptions caused more than $300 million in damages.
Intel 471 researchers point to a late-September incident in which credentials for access to a Malaysian shipping company’s computers were advertised on the underground. A week later, attackers encrypted the company’s data and demanded a ransom, Intel 471’s Otto wrote in a Nov. 2 blog post.
To read the complete article, visit Dark Reading.