{
	"id": "016777a5-398b-4cbc-9685-27feaf12458a",
	"created_at": "2026-04-06T00:07:06.976427Z",
	"updated_at": "2026-04-10T03:20:03.946103Z",
	"deleted_at": null,
	"sha1_hash": "79686ceb6f12cc268d001a5db07777186a7de667",
	"title": "Cybercrime underground flush with shipping companies’ credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42431,
	"plain_text": "Cybercrime underground flush with shipping companies’ credentials\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-06 00:04:46 UTC\r\nOne of the lingering impacts of the COVID-19 pandemic is the havoc it has wreaked on the global supply chain. There have been extreme fluctuations in the availability of goods, ports around the world are severely backlogged with full containers, and shipping and logistics companies are having trouble finding workers to transport cargo. It is a precarious situation for this sector, especially as the holiday season approaches.\r\nWith things as volatile as they are, a cybersecurity crisis at one of these logistics and shipping companies could have a calamitous impact on the global consumer economy. Over the past few months, Intel 471 has observed network access brokers selling credentials or other forms of access to shipping and logistics companies on the cybercrime underground. These companies operate air, ground and maritime cargo transport on several continents and are responsible for moving billions of dollars worth of goods around the world.\r\nThe actors responsible for selling these credentials range from newcomers to the most prolific network access brokers that Intel 471 tracks. These actors obtained the credentials by leveraging well-known vulnerabilities in remote access solutions such as Remote Desktop Protocol (RDP), VPN appliances, Citrix and SonicWall, among others.\r\nAmong the advertisements observed by Intel 471:\r\nWithin the span of two weeks in July 2021, one new actor and one well-known access broker claimed to have access to a network owned by a Japanese container transportation and shipping company. The new actor included the company’s credentials in a dump of approximately 50 companies, allegedly all obtained via compromised Citrix, Cisco, virtual private network (VPN) and/or remote desktop protocol (RDP) accounts. The well-known actor claimed to have access to several accounts belonging to the company, but did not reveal how they were obtained.\r\nIn August 2021, one actor known to work with groups that have deployed Conti ransomware claimed access to corporate networks belonging to a U.S.-based transportation management and trucking software supplier and a U.S.-based commodity transportation services company. The actor gave the group access to an undisclosed botnet powered by malware that included a virtual network computing (VNC) function. The group used the botnet to download and execute a Cobalt Strike beacon on infected machines, so group members in charge of breaching computer networks received access directly via a Cobalt Strike beacon session.\r\nIn September 2021, an actor with ties to the FiveHands ransomware group claimed access to hundreds of companies, including a U.K.-based logistics company. Access was most likely obtained through a SonicWall vulnerability, given that FiveHands is known to use that access vector to launch its ransomware attacks. Also in September, a new actor claimed to have gained access to a Bangladesh-based shipping and logistics company through a vulnerability in the PulseSecure VPN.\r\nIn October 2021, a newcomer to a well-known cybercrime forum claimed access to the network of a U.S.-based freight forwarding company, alleging that he had local administrator rights and could access 20 computers on the company’s network. The actor claimed he obtained the credentials through a path traversal vulnerability in Fortinet’s FortiGate secure sockets layer (SSL) VPN web portal (CVE-2018-13379). Also in October, a newcomer on a different well-known cybercrime forum claimed access to a Malaysian logistics company. Those credentials were part of a package that the actor was selling for $5,000. It was unknown how he allegedly obtained them.\r\nThe world has previously seen the economic damage that can come from a cyber attack on the shipping and logistics industry. The NotPetya attack in 2017 devastated Danish shipping and maritime giant Maersk, shutting down several of its ports and costing the company $300 million to replace systems damaged by the malware. Adam Banks, head of technology at Maersk, told a business publication in 2019 that “there was 100 [percent] destruction of anything based on Microsoft that was attached to the network.”\r\nWe have seen attackers try to go after ports this year. In August, suspected foreign government-backed hackers breached a computer network at the Port of Houston, one of the largest ports on the U.S. Gulf Coast. However, early detection of the incident thwarted any attempts to impede business operations.\r\nThose two incidents show that the logistics industry is constantly targeted, and that a cyberattack can have a crippling ripple effect on the global economy. At a time when this sector is struggling to keep things operating, a successful attack could bring the industry to a screeching halt, with dire consequences for every part of the consumer economy. Security teams in the shipping industry should therefore monitor and track adversaries, their tools and their malicious behavior in order to stop these attacks. Proactively addressing vulnerabilities in times of high alert avoids further stress on already constrained business operations.\r\nSource: https://intel471.com/blog/shipping-companies-ransomware-credentials",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/shipping-companies-ransomware-credentials"
	],
	"report_names": [
		"shipping-companies-ransomware-credentials"
	],
	"threat_actors": [],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79686ceb6f12cc268d001a5db07777186a7de667.pdf",
		"text": "https://archive.orkl.eu/79686ceb6f12cc268d001a5db07777186a7de667.txt",
		"img": "https://archive.orkl.eu/79686ceb6f12cc268d001a5db07777186a7de667.jpg"
	}
}