Executive Summary
In 2024, cybercriminals executed a targeted supply chain attack against freight brokerages and trucking carriers by exploiting phishing emails and malicious links. Attackers used remote monitoring and management (RMM) tools to infiltrate corporate systems, taking control of freight scheduling and logistics platforms. This allowed the threat actors to manipulate cargo shipments, redirect valuable freight, and orchestrate the theft of physical goods. The attack revealed significant gaps in internal segmentation, endpoint security, and east-west visibility, resulting in financial loss, disrupted operations, and reputational impact across the logistics sector.
This incident highlights an emerging trend in the weaponization of legitimate IT tools like RMMs for high-value supply chain attacks. As threat actors innovate with living-off-the-land techniques, organizations with critical logistics functions face heightened scrutiny from regulators and renewed urgency to close visibility and segmentation gaps.
Why This Matters Now
The increasing abuse of remote access software in the logistics sector exposes urgent security and compliance challenges. With attackers leveraging RMM tools for stealthy lateral movement and business disruption, immediate action is needed to bolster segmentation, threat detection, and incident response across supply chains handling critical goods.
Attack Path Analysis
Attackers initiated the breach by phishing freight brokers and trucking carriers to deploy remote monitoring and management (RMM) tools, establishing unauthorized access. Privilege escalation likely occurred as adversaries leveraged RMM access to gain elevated permissions within cloud and operational systems. With internal access, attackers moved laterally across hybrid and multicloud environments to reach critical assets, such as cargo management systems. Command & Control was achieved via persistent RMM connectivity, allowing real-time adversary actions and hands-on-keyboard operations. Sensitive cargo and shipment data was then exfiltrated using covert outbound channels permitted by weak egress controls. The attack’s ultimate impact was the hijacking of freighters and theft of physical cargo, disrupting business and damaging supply chain integrity.
Kill Chain Progression
Initial Compromise
Description
Attackers sent targeted phishing emails containing malicious links to freight and trucking firms, leading victims to inadvertently install RMM tools that provided a remote foothold.
Related CVEs
CVE-2025-4428
CVSS 7.2 – A remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated attackers to execute arbitrary code via specially crafted API requests.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – <= 12.5.0.0
Exploit Status:
exploited in the wild
CVE-2025-4427
CVSS 5.3 – An authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated attackers to access protected resources via the API component.
Affected Products:
Ivanti Endpoint Manager Mobile (EPMM) – <= 12.5.0.0
Exploit Status:
exploited in the wild
CVE-2025-8875
CVSS 8.8 – An insecure deserialization vulnerability in N-able N-central allows authenticated attackers to execute arbitrary code.
Affected Products:
N-able N-central – < 2025.3
Exploit Status:
exploited in the wild
CVE-2025-8876
CVSS 8.8 – A command injection vulnerability in N-able N-central allows authenticated attackers to execute arbitrary commands.
Affected Products:
N-able N-central – < 2025.3
Exploit Status:
exploited in the wild
CVE-2024-12686
CVSS 6.5 – An OS command injection vulnerability in BeyondTrust's Privileged Remote Access and Remote Support products allows authenticated attackers to execute operating system commands.
Affected Products:
BeyondTrust Privileged Remote Access – <= 24.3.1
BeyondTrust Remote Support – <= 24.3.1
Exploit Status:
exploited in the wild
CVE-2024-57727
CVSS 7.5 – A path traversal vulnerability in SimpleHelp Remote Monitoring and Management (RMM) software allows unauthenticated attackers to retrieve arbitrary files from the underlying operating system.
Affected Products:
SimpleHelp Remote Monitoring and Management – <= 5.5.7
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing
User Execution: Malicious Link
Remote Access Software
Valid Accounts
Ingress Tool Transfer
Event Triggered Execution: Services
Remote Services: Remote Desktop Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Strong Access Management for Users and Systems
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Requirements
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – User Authentication and Access Controls
Control ID: Identity Pillar – Authentication and Access
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Logistics/Procurement
Direct targeting of freight brokers and trucking carriers through RMM tool deployment creates critical supply chain vulnerabilities enabling cargo hijacking and shipment theft.
Transportation
RMM-based attacks compromise transportation networks through malicious emails, enabling threat actors to intercept and redirect physical cargo shipments via remote access.
Package/Freight Delivery
Supply chain attacks targeting delivery infrastructure through remote monitoring tools pose significant risks to cargo security and operational continuity across shipping networks.
Information Technology/IT
RMM tool exploitation demonstrates the critical need for enhanced egress security, anomaly detection, and zero trust segmentation to prevent unauthorized remote access deployments.
Sources
- Hackers use RMM tools to breach freighters and steal cargo shipments – https://www.bleepingcomputer.com/news/security/hackers-use-rmm-tools-to-breach-freighters-and-steal-cargo-shipments/ (Verified)
- Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies – https://www.bleepingcomputer.com/news/security/ivanti-epmm-flaw-exploited-by-chinese-hackers-to-breach-govt-agencies/ (Verified)
- Vulnerabilities in MSP-friendly RMM solution exploited in the wild (CVE-2025-8875, CVE-2025-8876) – https://www.helpnetsecurity.com/2025/08/14/vulnerabilities-in-msp-friendly-rmm-solution-exploited-in-the-wild-cve-2025-8875-cve-2025-8876/ (Verified)
- CISA: BeyondTrust flaw CVE-2024-12686 exploited in the wild – https://www.techtarget.com/searchSecurity/news/366618092/CISA-BeyondTrust-flaw-CVE-2024-12686-exploited-in-the-wild (Verified)
- Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM – https://www.picussecurity.com/resource/blog/ransomware-actors-exploit-cve-2024-57727-in-unpatched-simplehelp-rmm (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, rigorous east-west traffic control, robust egress enforcement, and continuous threat detection would have significantly constrained each stage of the breach, limiting attacker reach, blocking data exfiltration, and enabling prompt detection and response.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of abnormal RMM tool installation and alerting before full compromise.
Control: Zero Trust Segmentation
Mitigation: Limited attacker movement by enforcing least privilege and microsegmentation.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized workload-to-workload communication, containing the breach.
Control: Cloud Firewall (ACF)
Mitigation: Detection or disruption of unusual outbound management channel activity.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented data exfiltration to external unapproved destinations.
Mitigation: Rapid incident response with centralized visibility, reducing dwell time and limiting business impact.
Impact at a Glance
Affected Business Functions
- Logistics
- Supply Chain Management
- Dispatch Operations
Estimated downtime: 5 days
Estimated loss: $5,000,000
Potential exposure of sensitive logistics data, including shipment schedules, cargo details, and client information, leading to unauthorized access and theft of physical goods.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least-privilege access to prevent lateral attacker movement post-compromise.
- Implement advanced threat detection for early identification of unauthorized RMM deployments and anomalous behavior across cloud and on-prem systems.
- Require robust egress filtering and dynamic policy enforcement to block covert data exfiltration and command & control channels.
- Enhance east-west traffic security and microsegmentation across all network tiers, including hybrid and multicloud environments.
- Centralize visibility and governance with automated incident response to rapidly contain threats before they impact business or supply chain operations.
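The two detection controls this briefing calls for (early identification of unauthorized RMM deployments, and egress enforcement against covert management channels) as an added Python example that is not part of the briefing or of any vendor product: it runs both checks over constructed process-creation and network events. The RMM product names, the approved-product and relay allowlists, and the key=value log format are all assumptions made for the example.

```python
import re

# Constructed catalogue of RMM agent executables -> product (hypothetical names).
RMM_AGENTS = {"supporttool_agent.exe": "SupportTool", "fleetremote.exe": "FleetRemote",
              "approvedrmm_agent.exe": "ApprovedRMM"}
APPROVED_RMM = {"ApprovedRMM"}                    # the only product IT has sanctioned
LINK_DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
APPROVED_RELAYS = {"relay.approvedrmm.example"}   # egress allowlist for RMM channels
KV_RE = re.compile(r"(\w+)=(.+?)(?= \w+=|$)")     # key=value fields; values may contain spaces

def parse(line: str) -> dict:
    return dict(KV_RE.findall(line))

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_process_events(lines):
    """Flag RMM agents other than the sanctioned product; note mail/browser delivery (phishing link)."""
    alerts = []
    for ev in map(parse, lines):
        product = RMM_AGENTS.get(basename(ev.get("proc", "")))
        if product and product not in APPROVED_RMM:
            via = f" launched from {ev['parent']}" if ev.get("parent", "").lower() in LINK_DELIVERY_PARENTS else ""
            alerts.append(("high", ev["host"], f"unapproved RMM agent {product} run by {ev['user']}{via}"))
    return alerts

def check_network_events(lines):
    """Flag any RMM agent opening a management channel to a relay outside the allowlist."""
    alerts = []
    for ev in map(parse, lines):
        dst, _, port = ev.get("dst", "").partition(":")
        if basename(ev.get("proc", "")) in RMM_AGENTS and dst not in APPROVED_RELAYS:
            alerts.append(("high", ev["host"], f"RMM egress to unapproved relay {dst}:{port}"))
    return alerts

# Constructed sample events (Windows-style paths; raw strings keep the backslashes).
PROCESS_EVENTS = [
    r"host=dispatch-01 user=jdoe proc=C:\Users\jdoe\Downloads\supporttool_agent.exe parent=outlook.exe",
    r"host=rmm-admin-02 user=itops proc=C:\Program Files\ApprovedRMM\approvedrmm_agent.exe parent=services.exe",
    r"host=dispatch-03 user=asmith proc=C:\Program Files\FleetRemote\fleetremote.exe parent=services.exe",
]
NETWORK_EVENTS = [
    r"host=dispatch-01 proc=C:\Users\jdoe\Downloads\supporttool_agent.exe dst=relay-7.supporttool.example:443",
    r"host=rmm-admin-02 proc=C:\Program Files\ApprovedRMM\approvedrmm_agent.exe dst=relay.approvedrmm.example:443",
]

if __name__ == "__main__":
    for alert in check_process_events(PROCESS_EVENTS) + check_network_events(NETWORK_EVENTS):
        print(alert)
```

The sanctioned agent on rmm-admin-02 raises nothing, while the agent dropped from Outlook on dispatch-01 is flagged twice: once at install, again when it calls out to a relay not on the allowlist.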