The supply chain provides the framework for the modern transfer of goods. Logistics play a pivotal role from the acquisition of raw materials to the delivery of a final product to the end user. Generally, the raw materials are transported to a supplier, who then transports the materials to a manufacturer. The manufacturer creates a finished product that is then distributed to either a retailer or a warehouse, from which the product is either delivered to or picked up by the consumer. Pictured below is a diagram showing the basic flow of goods in the supply chain:
There are three distinct flows within the supply chain: the flow of goods, the flow of information, and the flow of currency. Communication is essential to supporting all three.
Cyber-attacks can, and have, caused global disruptions, including the SolarWinds, JBS, and Colonial Pipeline attacks. These supply chain cyber-attacks resulted in impacts felt by consumers around the world. The reality is that the supply chain creates an enormous attack surface for malicious actors to target. Sophisticated attack techniques have been employed by attackers in the past; however, a reliance on social engineering and human error is still evident. Spoofed phishing emails with subject lines directing recipients to see the attached Bill of Lading, tracking number, shipment notice, invoice, or parcel arrival notice are common among distribution companies.
Using the Cyber Threat Analysis Center (CTAC) from Red Sky Alliance, we have discovered both breach data and malicious emails connected to a number of distributors and trucking companies within the supply chain. Pictured below is some geographic information about the hosts both sending and receiving these emails.
Table 1. Below: List of subject lines, type of malware detection, sender data and targets seen in Red Sky Alliance’s malicious email collection over the last 30 days. Information extrapolated from the subject line. Full table linked here --> Trucking_Report_Table_05_12_2022.pdf
The subject lines present several commonalities. The search terms used to query the CTAC database were based on popular logistics companies including FedEx, UPS, and DHL. Attackers used these brand names and common notification wording to deceive recipients into believing the message carries a useful attachment. The attachments claimed to be shipping notices, invoices, tracking numbers, or notifications of delivery. A number of these emails were sent multiple times to different recipients, which points to small, targeted phishing campaigns.
One sample phishing attack from the collection was sent from “mariya-ostocos.shop” “email@example.com” with the subject line “DHL Shipment Notification: 0915158433032022”. On 12 April 2022, our data collections show this email was sent four times to hlcorp.com and hlcorp.com.cn. This email triggered a number of detections in VirusTotal for a Common Vulnerabilities and Exposures (CVE) entry. The detection pointed to CVE-2017-11882, an older Microsoft Office memory corruption vulnerability that allows attackers to run arbitrary code.
Some phishing campaigns reuse the same subject lines and send the malware to multiple targets. The lures apply generically to most supply chain transactions, announcing the kind of notifications or updates that every participant expects to receive.
These analytical results illustrate how a recipient could be fooled into opening an infected email. It is common for attackers to specifically target pieces of a company’s supply chain as a stepping stone to cyber-attacks on the larger companies. Doing so could turn the recipient into an infected member of the supply chain and thus possibly infect suppliers, manufacturers, distributors, and retailers further up or down the chain.
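As an added example, not part of the Red Sky Alliance report, the following Python triage routine applies the observations above to constructed mail-log records: it flags subjects that invoke a carrier while arriving from an unrelated domain, generic logistics lure terms, Office attachments of the kind that carried the CVE-2017-11882 detection, and the reuse of one subject line across several recipients. The carrier domain list and every address and recipient are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample mail-log records modelled on the lures described above
# (carrier shipment, tracking and invoice notices). All addresses and
# recipients are made up for this example.
MESSAGES = [
    {"from": "notice@mariya-ostocos.shop", "to": "ap@hl-example.test", "subject": "DHL Shipment Notification: 0915158433032022", "attachment": "DHL_0915158433032022.doc"},
    {"from": "notice@mariya-ostocos.shop", "to": "ops@hl-example.test", "subject": "DHL Shipment Notification: 0915158433032022", "attachment": "DHL_0915158433032022.doc"},
    {"from": "billing@parcel-update.test", "to": "dispatch@truckco.test", "subject": "FedEx Invoice attached - action required", "attachment": "Invoice.xls"},
    {"from": "noreply@dhl.com", "to": "ops@hl-example.test", "subject": "DHL Shipment Notification: 4411", "attachment": None},
    {"from": "hr@truckco.test", "to": "all@truckco.test", "subject": "Holiday schedule", "attachment": "schedule.pdf"},
]

# Legitimate sending domains per carrier: assumed for the example, not an authoritative list.
CARRIER_DOMAINS = {"dhl": {"dhl.com"}, "fedex": {"fedex.com"}, "ups": {"ups.com"}}
# Notification wording the report lists as typical of these lures.
LURE_TERMS = re.compile(r"\b(shipment|shipping|tracking|invoice|bill of lading|parcel|delivery)\b", re.I)
# Office document formats deserve a closer look: the CVE-2017-11882 detection above is an Office exploit.
RISKY_EXTENSIONS = (".doc", ".docx", ".rtf", ".xls", ".xlsx")

def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def claimed_carrier(subject):
    """Return the carrier a subject line invokes, or None."""
    for name in CARRIER_DOMAINS:
        if re.search(rf"\b{name}\b", subject, re.I):
            return name
    return None

def triage(msg):
    """Return the reasons a message deserves analyst attention (empty list = nothing flagged)."""
    reasons = []
    carrier = claimed_carrier(msg["subject"])
    if carrier and sender_domain(msg["from"]) not in CARRIER_DOMAINS[carrier]:
        reasons.append(f"claims {carrier} but sent from {sender_domain(msg['from'])}")
    if LURE_TERMS.search(msg["subject"]):
        reasons.append("generic logistics lure in subject")
    attachment = msg.get("attachment") or ""
    if attachment.lower().endswith(RISKY_EXTENSIONS):
        reasons.append(f"Office attachment {attachment}")
    return reasons

def find_campaigns(messages, min_recipients=2):
    """Group identical (sender domain, subject) pairs hitting several recipients: the reuse pattern above."""
    seen = defaultdict(set)
    for m in messages:
        seen[(sender_domain(m["from"]), m["subject"])].add(m["to"].lower())
    return {key: sorted(rcpts) for key, rcpts in seen.items() if len(rcpts) >= min_recipients}
```

A genuine carrier notice still trips the lure-term check, so the reasons list is ranking input for an analyst, not a block decision on its own.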
Fraudulent emails are designed to make recipients hand over sensitive information, extort money, or trigger malware installation on information and communication technology (ICT) systems. These threats often carry a financial liability for one or all of those involved in the supply chain. Preventative cyber protection offers a strong first line of defense by blocking deceptive messages from ever reaching staff inboxes. Malicious hackers develop new techniques to evade current detection daily, so it is important to stay up to date.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
Further investigation of breach data using CTAC to query for 10 smaller logistics (trucking) companies yielded 90 compromised credentials in the past 30 days.
Of interest is that attackers can use these compromised email accounts to pass further phishing emails within a target company, taking advantage of the victim’s contact list. In trucking, smaller companies are often subcontracted to deliver goods for larger firms. Email communication between these large and small companies is very common and could be a successful lure for unsuspecting users. The loss of even one user’s credentials is all it takes for a malicious actor to wreak havoc on the supply chain. We have a recent example of a single credential compromise at a law firm in Louisiana, which resulted in a ransomware attack two months later. It happens.
It is important to:
- Train all levels of the supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use strong passwords and maintain an enforceable password policy.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225 or firstname.lastname@example.org.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings