August 2025
NMFTA Cyber Intelligence Newsletter
We’re witnessing an uptick in digital threats, from AI-powered ransomware to highly coordinated attacks targeting vehicle systems and logistics infrastructure. The National Motor Freight Traffic Association, Inc. (NMFTA)™ has designed this monthly e-newsletter to arm you with intelligence, tools, and defense tactics. Each month we cover enterprise system and rolling asset security, trending reports, and more.
The NMFTA 2025 Cybersecurity Conference Will Be Here Before You Know It
October 26-28, 2025 | Austin, TX
With less than three months to go until the trucking industry's only cybersecurity event, the 2025 NMFTA Cybersecurity Conference, now is the perfect time to register before it sells out! Registering now ensures you won’t miss the networking, insights, and hands-on training that could make all the difference for your organization. This year’s agenda is packed with can't-miss sessions that tackle today’s biggest threats, including cyber-enabled cargo theft, phishing, social engineering, protecting sensitive data, and many more.
Experience Can't-Miss Sessions
From Words to Action: Harnessing GenAI for Real Text-to-J1939 Applications
Dive into how Generative AI is being used to translate natural language into J1939 commands—bridging the gap between spoken or typed input and the complex machine language used in heavy-duty vehicles. If you're with fleets, OEMs, or telematics providers, this is your chance to understand emerging vulnerabilities—and opportunities—at the intersection of AI and vehicle control.
AI is For More Than Just Finding Threats
Whether you’re drafting presentations, monitoring policy drift, or juggling approval workflows, there's no shortage of time-consuming tasks on your plate. Mollie Breen, CEO & Co-founder of Perygee and former National Security Agency (NSA) mathematician, will unveil practical, real-world applications of AI that go well beyond threat detection. Learn how to streamline your security stack, automate tedious workflows, and reclaim time for what truly matters.
Hands on Session: Risk Registers and Tabletops
Join NMFTA cybersecurity experts for an immersive, hands-on session. Team up with peers to conduct a full business risk assessment and create your own risk register, then transform that into a tabletop exercise—moving from theoretical planning to a practical resilience-building tool that can strengthen your team’s operational readiness. A must-attend for cybersecurity leaders, risk managers, and operations executives focused on business continuity.
From Backbone to Battlefront: Salt Typhoon's Espionage Leap from Telecom to the National Guard
The cyber-espionage group Salt Typhoon has shifted its focus from targeting telecommunications infrastructure to infiltrating the National Guard—and the implications for national security and supply chains are alarming. This eye-opening article breaks down how their tactics evolved, what vulnerabilities they’re exploiting, and why the trucking industry should be paying close attention. Read it now and learn what’s at stake.
Scattered Spider: Cyberthreat to the Trucking Industry
The hacking group Scattered Spider has been making headlines for its highly targeted attacks, and the trucking industry is firmly in their sights. Read the article linked below for a breakdown of who they are, how they operate, and the specific tactics that could put fleets, data, and supply chains at risk.
Have you cracked the code on cargo crime? Cargo thieves have gone digital, and your fleet may be next. Don't wait for a costly breach, download NMFTA’s Cybersecurity Cargo Crime Reduction Framework to take immediate action and safeguard your assets.
August 14, 2025 | 1:00-2:00 pm ET
Today, join NMFTA’s webinar, Risks on the Road: What Trucking Companies Need to Know About Chinese-Made Technology, at 1:00 pm ET. The NMFTA cybersecurity team will uncover how foreign-manufactured devices and components pose threats to your fleet’s safety, data, and long-term viability.
Watch on Demand
Did you miss the real-world cargo theft trends and prevention strategies given at the NMFTA webinar, Panel Insights: NMFTA Cargo Crime Prevention Framework? Rewatch what you missed and learn how to put NMFTA’s new framework into action. Catch up now!
In This Month's Report...
CVE-2025-54309: CrushFTP Zero-Day Exploited in the Wild
On Friday, July 18, 2025, managed file transfer vendor CrushFTP released information to a private mailing list on a new critical vulnerability, tracked as CVE-2025-54309, affecting versions below 10.8.5 and 11.3.4_23 across all platforms. According to the public-facing vendor advisory, this vulnerability in the CrushFTP managed file transfer software web interface is being exploited in the wild. Based on the Indicators of Compromise provided in the advisory, a “last_logins” value set for the internal ‘default’ user account is indicative of exploitation.
Mitigation guidance
According to the advisory, CrushFTP versions below 11.3.4_23 and 10.8.5 are vulnerable to CVE-2025-54309. The latest available patched versions of CrushFTP, as of July 18, 2025, are:
CrushFTP 11.3.4_26
CrushFTP 10.8.5_12
The vendor advisory emphasizes the importance of updating to a fixed version of CrushFTP on an urgent basis. Rapid7 echoes this guidance and urges organizations to apply the vendor-supplied patch on an emergency basis, without waiting for a typical patch cycle to occur.
While the vendor guidance, as of July 18, states “We don't believe people with a DMZ CrushFTP in front of their main are affected by this,” it’s unclear whether this is actually an effective barrier to exploitation. Out of an abundance of caution, Rapid7 advises against relying on a demilitarized zone (DMZ) as a mitigation strategy. The vendor also notes that targeted installations should restore affected user account data from older backups.
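The version thresholds quoted above, turned into a patch-triage check. This is an added example written for this newsletter, not CrushFTP's or Rapid7's code; it assumes CrushFTP's "major.minor.patch[_build]" version string format, and the host names in the sample inventory are constructed.

```python
import re
from typing import Tuple

# Advisory thresholds quoted above: builds below these are vulnerable for their branch.
# Hypothetical helper written for this newsletter, not CrushFTP's own code.
FIXED_MINIMUM = {
    10: (10, 8, 5, 0),   # "10.8.5", no build suffix
    11: (11, 3, 4, 23),  # "11.3.4_23"
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse CrushFTP's 'major.minor.patch[_build]' scheme into a comparable tuple.
    A missing '_build' suffix counts as build 0, so 11.3.4 sorts below 11.3.4_23."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def is_vulnerable(version: str) -> bool:
    """True when the build is below the advisory's fixed build for its branch.
    Majors older than 10 have no fixed build and are treated as affected; majors
    newer than 11 are outside the advisory's stated range and return False."""
    v = parse_version(version)
    if v[0] < 10:
        return True
    if v[0] not in FIXED_MINIMUM:
        return False
    return v < FIXED_MINIMUM[v[0]]

def triage(inventory: dict) -> dict:
    """Map host -> action for an inventory of {host: version}."""
    return {h: ("PATCH NOW" if is_vulnerable(v) else "ok") for h, v in inventory.items()}

# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = {
    "mft-dmz-01": "11.3.4_22",
    "mft-dmz-02": "11.3.4_26",
    "mft-legacy": "10.8.4",
    "mft-int-01": "10.8.5_12",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {action}")
```

Note that 11.3.4 with no build suffix is still below 11.3.4_23 and is flagged, which is the case most easily misread from the advisory text.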
Sygnia Uncovers Active Chinese-Nexus Threat Actor Targeting Critical Infrastructure
Sygnia, the foremost global cyber readiness and response team, revealed the findings of their investigation into a prolonged espionage campaign by a China-nexus threat actor, targeting critical infrastructure. Named ‘Fire Ant’ by Sygnia, the adversary is actively leveraging advanced methods to gain access to virtualization and networking environments by creating multi-layer attack kill chains to infiltrate restricted and segmented network assets that were considered to be within isolated environments.
Since early 2025, Sygnia has tracked and responded to Fire Ant incidents, primarily targeting VMware ESXi and vCenter environments, as well as network appliances, to establish a foothold for initial access and long-term advanced persistence. Notably, Fire Ant displays high levels of resilience, actively and stealthily adapting to eradication and containment efforts, replacing toolsets, deploying redundant persistence backdoors and manipulating network configurations to re-establish access to compromised devices.
“Fire Ant shows incredible advanced capabilities to infiltrate and conduct espionage campaigns, avoiding detection and multi-layered traditional security measures by targeting infrastructure blind spots. This highlights the level of resilience and danger posed by nation-state threat actors to global critical infrastructure organizations,” said Yoav Mazor, Head of Incident Response, APJ at Sygnia. “By gaining control over the virtualization management layer, the threat actor was able to extract service account credentials and deploy persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots.”
Fire Ant’s activities are characterized by infrastructure-centric tactics, techniques and procedures (TTPs) enabling activity beneath the detection threshold of traditional endpoint controls, emphasizing critical blind spots of conventional security stacks. The threat actor establishes control over a victim’s VMware ESXi hosts and vCenter servers to move laterally across an organization. Additionally, Fire Ant consistently bypassed network segmentation by compromising network appliances and tunneling across segments, enabling the threat actor to bridge and move deeper within an organization’s infrastructure through legitimate, approved paths.
Mazor adds, “Fire Ant’s method of infiltration places heightened pressure on the cybersecurity community and underscores the importance of visibility and detection within the hypervisor and infrastructure layer where traditional endpoint security tools often struggle to identify malicious activity. Organizations will need to adopt proactive cyber resilience with an advanced multi-layered security approach.”
As part of Sygnia’s investigation into Fire Ant, the company found that the tooling and techniques closely align with prior espionage campaigns conducted by the nation-state threat actor UNC3886, currently active in Singapore. Fire Ant’s overlap with UNC3886 includes specific binaries and exploitation of vCenter and ESXi vulnerabilities, as well as similar targeting of critical infrastructure across regions.
Wing FTP Server Remote Code Execution (CVE-2025-47812) Exploited in the Wild
Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, version 7.4.4, as soon as possible.
CVE-2025-47812 is a null byte and Lua injection flaw that can lead to root/SYSTEM-level remote code execution if exploited. The vulnerability was first publicly disclosed on June 30 by Julien Ahrens and affects Wing FTP Server versions prior to 7.4.4. Wing FTP Server is file transfer software for Windows, Linux, and macOS.
At a high level, CVE-2025-47812 stems from how null bytes are handled in the username parameter (specifically related to the loginok.html file, which handles the authentication process). This can allow remote attackers to perform Lua injection after using the null byte in the username parameter.
Huntress first observed exploitation on a customer on July 1, 2025, just a day after the initial write-up was published.
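A defender-side request check for the condition described above (a null byte in the username field sent to loginok.html), added here as an example; it is not Huntress's or Wing FTP's code and assumes a reverse-proxy or WAF hook that hands over the request target and form body as strings. The sample requests are constructed.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical hook: a reverse proxy or WAF hands us the request target and the
# raw form body as strings. This is not Wing FTP's own API.
LOGIN_ENDPOINT = "/loginok.html"

def has_null_byte(value: str) -> bool:
    """True if the once-decoded value contains NUL, or does after a second
    URL-decode (catches a double-encoded %2500 as well as %00 and a raw NUL)."""
    return "\x00" in value or "\x00" in unquote(value)

def is_suspicious_login(target: str, body: str) -> bool:
    """Flag a request to loginok.html whose 'username' field carries a null byte,
    the precondition the write-up above describes for CVE-2025-47812."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(LOGIN_ENDPOINT):
        return False
    # parse_qsl URL-decodes each value once; raw NUL bytes are kept verbatim.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    return any(key == "username" and has_null_byte(val) for key, val in params)

def scan(requests):
    """Return the indices of (target, body) pairs that should raise an alert."""
    return [i for i, (t, b) in enumerate(requests) if is_suspicious_login(t, b)]

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("/loginok.html", "username=alice&password=hunter2"),   # benign login
    ("/loginok.html", "username=alice%00&password=x"),      # encoded NUL
    ("/loginok.html", "username=alice%2500&password=x"),    # double-encoded NUL
    ("/loginok.html?username=bob%00", ""),                  # NUL in query string
    ("/upload.html", "username=carol%00"),                  # other endpoint, ignored
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("ALERT:", SAMPLE_REQUESTS[i])
```

A hit on an unpatched (pre-7.4.4) server is a reason to inspect that host, not merely to block the request, since the flaw runs at root/SYSTEM level.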
LummaC2 Stealer: Everything You Need to Know
Outpost24’s KrakenLabs team has taken a deep dive into the malware classified as LummaC2, an information stealer written in C that has been sold on underground forums since December 2022. The KrakenLabs team assessed LummaC2’s primary workflow and its different obfuscation techniques (such as Windows API hashing and encoded strings), and showed how to overcome them so the malware can be analyzed effectively. The team also analyzed how network communications with the C2 work and summarized LummaC2’s MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) mapping.
What’s new with LummaC2 in 2025?
Recent observations in 2025 indicate that LummaC2 continues to evolve, adapting its tactics to outsmart modern defenses. Key updates include:
- Anti-sandbox technique: KrakenLabs researchers looked into a new anti-sandbox technique the LummaC2 v4.0 stealer uses to avoid detonating if no human mouse activity is detected.
- Enhanced evasion techniques: Attackers have upgraded LummaC2 with more sophisticated obfuscation methods and stealth capabilities. The malware now employs advanced memory injection and fileless execution techniques, making it harder for traditional antivirus tools to detect its presence.
- Modular and adaptive architecture: The newer iterations of LummaC2 have embraced a modular design that allows attackers to swiftly add or modify capabilities. This flexibility means the malware can be tailored for specific targets or integrated as part of more complex, multi-stage attack campaigns.
- Exploitation of recent vulnerabilities: New variants are taking advantage of vulnerabilities in up-to-date software systems. Cybercriminals are specifically targeting areas where recent patches might have been overlooked, emphasizing the critical need for timely updates and robust patch management.
- Integration with broader attack ecosystems: In the evolving threat landscape, LummaC2 is increasingly being used in conjunction with other malware and ransomware campaigns. This synergy not only enhances the overall impact of attacks but also complicates detection and remediation efforts.
New NMFTA Study Probes Systemic Vulnerabilities in Fleet Telematics
This month, NMFTA Cybersecurity Research Engineer Anne Zachos launched a new investigation into the hidden vulnerabilities of telematics devices. Partnering with fellow researchers, Anne will examine shared source code across different brands and trace the origins of device components—spotlighting potential risks tied to certain overseas manufacturers. Because many devices use re-branded or white-labeled code, a single flaw could create a systemic security risk for entire fleets. Read the article below and learn more about this critical research.
CISA Announces Release of Thorium for Malware Analysis
Cybersecurity & Infrastructure Security Agency (CISA) has released a deep-dive analysis of Thorium, a sophisticated malware linked to state-sponsored cyber operations. The report details how Thorium infiltrates systems, its stealthy persistence methods, and the sectors most at risk—including transportation and logistics. Read the full analysis to understand the threat and prepare before it strikes.
CrowdStrike 2025 Threat Hunting Report: AI Becomes a Weapon and a Target
CrowdStrike’s latest threat hunting report reveals how cyber adversaries are now leveraging artificial intelligence (AI) to supercharge cyberattacks, making them faster, more targeted, and harder to detect. The findings highlight emerging trends, high-risk sectors, and the evolving tactics that could impact transportation and logistics. Read the full report to stay ahead of this AI-powered threat landscape.
Iranian-Linked Hackers Target U.S. Transportation, Manufacturing Firms
A new report reveals that Iranian state-backed hackers are actively targeting critical U.S. sectors, including transportation and manufacturing, in coordinated cyber espionage campaigns. Using advanced techniques to breach networks and gather intelligence, these actors pose serious risks to supply chain security and operational continuity. Read the full article to understand the threat and how you can protect your organization.
GPU in the Blind Spot: Overlooked Security Risks in Transportation
A newly published arXiv paper dives into groundbreaking research on the vulnerabilities and threats emerging in advanced AI systems. The study examines how these risks could be exploited and offers insights into building more resilient, trustworthy AI. Read the full paper to explore the findings and understand their implications for cybersecurity and technology strategy.
Cybersecurity & Cargo Crime: Reducing Risk for Carriers | NMFTA's Ben Wilkens
Don’t miss this discussion as NMFTA cybersecurity expert Ben Wilkens joins on-air personalities Dave Nemo and Jimmy Mac to explore real-world cargo crime risks and proactive strategies to protect your fleet. Watch now and learn how to strengthen your defenses against evolving threats.
Billions Lost, Freight Exposed: The Real Cyber & Cargo Threats
Cargo theft and cybersecurity breaches are no longer isolated incidents—they’re a growing epidemic in freight.
Rewatch this high-stakes episode of Driving Forward with guest experts Artie Crawford and Ben Wilkens from the NMFTA.
Hosted by Robert Bain of Global Logistics Consulting Services (GLCS), this episode pulls back the curtain on the evolving threats facing trucking companies and freight brokers.
Digital Defense | Joe Ohr & Artie Crawford of the NMFTA
On the latest episode of Optym's Semi-Related Podcast, NMFTA's Chief Operating Officer Joe Ohr and Director of Cybersecurity Artie Crawford join host Jacob Eischen to discuss how dark-web ransomware rentals, AI-forged emails, and hacked telematics give thieves a back-door pass to your freight, and how fleets can prepare a road-ready defense plan. They also preview the NMFTA’s Cybersecurity Conference this October and the no-cost tools rolling out to help carriers of every size stay a step ahead of the next breach.
Refer a Colleague
Would you like others at your company to be added to the NMFTA Headline Newsletter email distribution list? Send them this link or fill out the form below on their behalf!