{
	"id": "b4859aa1-8a3f-4563-ae39-bd7bb13f47db",
	"created_at": "2026-04-06T00:07:51.156734Z",
	"updated_at": "2026-04-10T13:11:36.483494Z",
	"deleted_at": null,
	"sha1_hash": "00ea23dc9e024425214d6b6b22a3ba490ce6f7c0",
	"title": "Exploits and TrickBot disrupt manufacturing operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 476170,
	"plain_text": "Exploits and TrickBot disrupt manufacturing operations\r\nBy Mark Stockley\r\nPublished: 2022-08-24 · Archived: 2026-04-05 22:06:44 UTC\r\nSeptember 2021 saw a huge spike in exploit detections against the manufacturing industry, distributed across California, Florida, Ohio, and Missouri. This coincided with heavy detections of previously unseen malware, identified through our AI engine, which spiked in May as well as September 2021.\r\nMay brought a flood of attacks exploiting the Dell dbutil_2_3.sys driver vulnerability (CVE-2021-21551), with the greatest number of detections observed in Michigan. During this month JBS, one of the largest meat suppliers, was targeted by the REvil group, which likely exploited this vulnerability to infiltrate the network. By June, overall detection of this threat against manufacturing firms had begun to fall significantly, averaging only about two dozen detections between November 2021 and June 2022.\r\nIn the first half of the year we observed spiking detections of threats associated with tech support scams. These threats install applications that generate fake error messages urging the user to call a “help center” that is, in reality, a scam operation. These spikes came in March and May 2021 and focused primarily on firms in New York and Texas. Detections of this threat then declined steadily through the rest of the analyzed timeframe.\r\nFigure 1. United States manufacturing threat family detections by month\r\nThe notorious TrickBot Trojan was detected constantly throughout 2021, with small spikes in February and September 2021 and February 2022. 
This threat is very capable of infecting a single endpoint and, by using additional tools and features, of compromising the entire network, often in preparation for launching additional malware.\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2022/08/exploits-and-trickbot-disrupt-manufacturing-operations\r\nPage 1 of 4\n\nWhile our detections of TrickBot were concentrated in New York, the fallout from the September spike included three more manufacturer breaches, all in October. Victims included the candy maker Ferrara, which was targeted right before Halloween, and the cookware company Meyer, whose employee data was leaked. Schreiber Foods, a cheese manufacturer, dealt with attacks attempting to disrupt plant and distribution center operations; that attack caused a nationwide cream cheese shortage.\r\nFigure 2. United States manufacturing family threat detections pie chart\r\nFinally, manufacturing companies in North Carolina dealt with heavy information-stealing spyware during the first few months of 2021, with a gradual decline through December 2021. That trend reversed in January 2022, with new spikes in February and April 2022.\r\nBetween February and May 2022, the industry dealt with several significant breaches. The video card maker NVIDIA suffered a major attack in February 2022; in March the tool manufacturer Snap-On Tools was infected with Conti ransomware; in April there was an operation against General Motors; and in May the agricultural equipment maker AGCO was breached.\r\nExploits were a serious issue for the manufacturing industry in 2021. 
In fact, the JBS attack coincided with spikes in certain exploit detections, and after a huge spike in exploit detections during September we observed three attacks in a single month. One of those attacks disrupted operations and caused a nationwide supply chain issue.\r\nThings are not the same in 2022, however: exploit detections have dropped significantly. Despite that, we have seen at least four major manufacturing attacks between February and May 2022, with threats such as trojans, information stealers and backdoors possibly to blame for the breaches.\r\nRecommendations for the manufacturing industry\r\nWith all that in mind, we recommend that businesses in the manufacturing industry start from the most important part of their security plan, which is to keep things moving. Therefore we highly recommend some division between the networks for offices, plants, and distribution centers, so that an infection of a single endpoint is less likely to force a factory to shut down.\r\nCombine this with a security playbook that tells all staff what procedures to follow if a cyberattack is discovered: who to call, which systems to secure, and so on. For manufacturing firms it is important that the playbook also describes how to keep operations running, even during an active breach.\r\nHistorically, exploit protection has been very important for this industry, so deploying anti-exploit technology to block these types of attacks on all endpoints and servers will greatly reduce the chance that attackers can use this method for infiltration.\r\nNext, the discovery of a lot of tech support scam malware could be the result of users who have too many rights on their endpoints installing third-party, unverified software onto corporate systems. 
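One concrete way to carry out that audit on Windows endpoints, as an added example that is not code from the Malwarebytes post: the script below compares the local Administrators group against an allow-list and reports, or with -Remediate shows what it would remove, anything else. The allow-list is a hypothetical policy expressed as SID patterns (the well-known RIDs 500 and 512 plus an assumed RID 1105 for a tiered workstation-admin group) so that it does not depend on domain or account names; it needs the Microsoft.PowerShell.LocalAccounts cmdlets (PowerShell 5.1 and later) and an elevated session to actually remove members.

```powershell
# Added example, not code from the Malwarebytes post: audit local Administrators
# membership on a Windows endpoint against an allow-list of approved principals.
# Requires the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1+);
# removing members additionally needs an elevated session.
param(
    # Only report by default; with -Remediate the script also shows what it
    # would remove (Remove-LocalGroupMember runs with -WhatIf until you drop it).
    [switch]$Remediate
)

# Hypothetical policy, matched on SIDs rather than names so it survives renames
# and does not depend on the domain name:
#   RID 500  = the built-in Administrator account (local or domain)
#   RID 512  = Domain Admins of whatever domain the machine is joined to
#   RID 1105 = assumption: a tiered workstation-admin group in that domain
$ApprovedSidPatterns = @(
    '^S-1-5-21-[0-9-]+-500$',
    '^S-1-5-21-[0-9-]+-512$',
    '^S-1-5-21-[0-9-]+-1105$'
)

function Test-ApprovedAdmin {
    param([string]$Sid)
    foreach ($pattern in $ApprovedSidPatterns) {
        if ($Sid -match $pattern) { return $true }
    }
    return $false
}

$findings = foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $sid = $member.SID.Value
    if (Test-ApprovedAdmin -Sid $sid) { continue }
    # Anything else is a finding: a stray local account, a user added once to
    # run an installer and never removed, a nested group nobody remembers, etc.
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Member          = $member.Name
        Sid             = $sid
        ObjectClass     = $member.ObjectClass      # User or Group
        PrincipalSource = $member.PrincipalSource  # Local, ActiveDirectory, ...
    }
}

if (-not $findings) {
    Write-Verbose ('{0}: Administrators membership matches policy' -f $env:COMPUTERNAME)
}

foreach ($finding in $findings) {
    # Emit the finding as an object so an endpoint-management tool or SIEM
    # collector can consume it; pipe to Format-Table when reading by eye.
    $finding
    if ($Remediate) {
        # -Member accepts a SID string; -WhatIf keeps the first pass read-only.
        Remove-LocalGroupMember -Group 'Administrators' -Member $finding.Sid -WhatIf
    }
}
```

Run it across the fleet from whatever endpoint-management tool you already push scripts with and collect the emitted objects centrally; an unexpected local admin is both a sign that a user could have installed the tech support scam software the post describes and a ready-made foothold for a TrickBot operator, so the list is worth reviewing before the -WhatIf is dropped.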
So a thorough audit of user access and rights on endpoints will reduce the junk users are able to install, and greatly reduce the chance that the junk is bundled with something nasty.\r\nFinally, the discovery of so many TrickBot attacks against this industry means that manufacturing is clearly a top target for this group. TrickBot frequently compromises every endpoint in a network before preparing it for a ransomware attack. Ransomware attacks that disrupt operations and start bleeding the company money are more likely to be resolved quickly, so going after manufacturing firms is a good way to get paid fast. To protect against this threat, use anti-malware software that relies on behavior as well as signatures to identify TrickBot and quickly remove it from the system.\r\nIn addition, TrickBot has multiple methods of initial infection, including phishing attacks against employees, so educating staff on how to recognize phishing is a good idea. Going one step further, deploy a phishing-report button in your organization’s email client. This makes it easy for employees to submit a suspect email to the security team for analysis.\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2022/08/exploits-and-trickbot-disrupt-manufacturing-operations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2022/08/exploits-and-trickbot-disrupt-manufacturing-operations"
	],
	"report_names": [
		"exploits-and-trickbot-disrupt-manufacturing-operations"
	],
	"threat_actors": [],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00ea23dc9e024425214d6b6b22a3ba490ce6f7c0.pdf",
		"text": "https://archive.orkl.eu/00ea23dc9e024425214d6b6b22a3ba490ce6f7c0.txt",
		"img": "https://archive.orkl.eu/00ea23dc9e024425214d6b6b22a3ba490ce6f7c0.jpg"
	}
}