June 2026
NMFTA Cyber Intelligence Newsletter
The National Motor Freight Traffic Association, Inc.® (NMFTA)® has designed this monthly e-newsletter to arm you with intelligence, tools, and defense tactics. Each month we cover enterprise system and rolling asset security, trending reports, and more.
Introducing the NMFTA Threat Report Portal
Cyberthreats move quickly, and timely intelligence sharing is critical to protecting the transportation industry. Learn how NMFTA’s new free, anonymous Cybersecurity Threat Report Portal enables organizations to report suspicious activity, share threat information, and help strengthen industry-wide cybersecurity awareness and resilience.
The NMFTA Cybersecurity Conference Is Back. Here Is Why You Need to Be There.
Discover why the 2026 NMFTA Cybersecurity Conference is a must-attend event for transportation and cybersecurity professionals looking to gain actionable insights, learn from industry experts, and stay ahead of emerging risks such as freight fraud, ransomware, and connected vehicle security.
Catch NMFTA Experts on the Road
NMFTA To Take the Stage at Black Hat USA
Heading to Black Hat USA 2026 this Summer? If so, catch NMFTA's Ben Gardiner as he reveals in his session how an ECU “recall” quietly functioned as a security patch, remediating overlooked cybersecurity risks in commercial vehicle systems and embedded transportation technology.
.png?width=400&height=200&name=Untitled%20design%20(28).png "Untitled design (28)")
NMFTA Cyber Expert to Speak at FTR Event
September 1, 2026 | 1:45-2:30 pm ET
Union Station Conference Center, Indianapolis, IN
NMFTA's Joe Ohr will join Rob Hooper, CEO of Atlantic Logistics, and Dale Prax, Strategic Industry Advocate Truckstop.com, for FTR's Navigating Risks of Fraud & Security panel discussion this Fall. The panelists will share how these risks have affected industry stakeholders day to day and the best practices for limiting exposure.
Freight Fraud Resources by Your Peers
Freight fraud continues to evolve, with criminals using increasingly sophisticated tactics to target carriers, brokers, shippers, and logistics providers. Staying informed is one of the most effective ways to reduce risk.
The Freight Fraud Prevention Hub was created to provide the industry with practical resources, tools, and educational content that organizations can put to work immediately. Resources available on the Hub include:
-
Freight Fraud Prevention Best Practices
-
Cargo Crime Reduction Framework
-
Vendor Risk Assessment Framework
-
Cargo Theft Prevention Checklist
-
Carrier Vetting Workflow
These resources are available at no cost and are designed to help transportation professionals strengthen processes, identify warning signs, and better protect their operations.
Securing the Asset: How Cybercriminals Are Targeting You in Freight
NMFTA's Joe Ohr and Ben Wilkens are back on The Freight Coach Podcast, and discussing the critical intersection of transportation and cybersecurity and the stark reality of modern freight fraud!
Your Monthly Webinar Delivered
%20(1).png?width=770&height=512&name=Governing%20AI%20in%20Trucking%20(770x512)%20(1).png "Governing AI in Trucking")
Governing AI in Trucking—A Practical Framework for Secure Deployment
June 18, 2026 | 1:00-2:00 pm ET
Join Erica Brigance, Director of Strategic Partnerships at ArcBest and NMFTA Director at Large, as well as NMFTA's cybersecurity team, for a practical discussion on how transportation organizations can evaluate, deploy, and govern AI technologies while maintaining trust, security, and operational resilience.
Whether your organization is already implementing AI tools or just beginning to evaluate their potential, this webinar will provide actionable insights to help you move forward with confidence.
Threat Intelligence: The Industry's Early Warning System
July 16, 2026 | 1:00-2:00 pm ET
Threat intelligence can provide the critical visibility organizations need to identify emerging cyber risks before they become incidents. Next month, join the NMFTA cybersecurity team for this webinar to learn how effective threat intelligence serves as an early warning system, helping transportation organizations strengthen cybersecurity defenses and make more informed security decisions.
Stay Updated on This Year's Conference
What Past Attendees Are Saying
Hear directly from attendees and industry professionals as they share their experiences and key takeaways from the 2025 Cybersecurity Conference. This testimonial video highlights valuable insights, networking opportunities, and the impact of the event on the cybersecurity community.
Plan your next cybersecurity event experience by visiting nmftacyber.com to learn what’s ahead for the 2026 NMFTA Cybersecurity Conference, taking place September 29–October 1, 2026, in Long Beach, CA. Explore the agenda, featured speakers, educational sessions, networking opportunities, and more.
In This Month's Report...
VPN Exploitation When Patched Doesn't Mean Protected
Between February and March 2026, ReliaQuest identified activity that we assess with medium confidence to be the first in-the-wild exploitation of CVE-2024-12802, targeting SonicWall devices across multiple environments. CVE-2024-12802 is an authentication bypass vulnerability in SonicWall appliances that reduces VPN security to single-factor authentication. Disclosed in early 2025, it’s the latest in a series of VPN vulnerabilities exploited to gain initial access to corporate networks.
On Gen6 devices, the firmware patch alone doesn’t remediate the vulnerability. Six additional manual reconfiguration steps are required. SonicWall documented those steps in its advisory, but standard patch-management workflows aren't designed to verify them: The firmware updates, the version check passes, and the device appears remediated while remaining fully exploitable. For any organization that relies on firmware version alone to confirm remediation, this is a blind spot, and it’s not unique to SonicWall.
In the intrusions we observed, threat actors brute-forced VPN accounts and bypassed MFA to gain access to internal networks. The tools observed were consistent with actors operating in the ransomware ecosystem. In some cases, as few as 13 brute-force attempts separated an attacker from a valid credential. In one environment, they reached a file server within 30 minutes and deployed tools consistent with pre-ransomware staging. Intrusions left the same signal in the logs: A session type associated with automated VPN authentication that most organizations are unlikely to be monitoring today.
MiniPlasma: Windows Privilege Escalation Zero-Day Affects Fully Patched Systems
MiniPlasma is a local privilege escalation exploit targeting CVE-2020-17103, a vulnerability in the Windows Cloud Filter driver (cldflt.sys). The flaw was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020, assigned a CVE, and reportedly patched in December of that year.
According to Chaotic Eclipse, either the patch was never properly applied or was silently rolled back at some point. The researcher states that the original Google Project Zero proof-of-concept code worked without any modifications. MiniPlasma is a weaponized version of that same PoC, modified to spawn a SYSTEM shell rather than simply demonstrate the flaw.
The vulnerability targets the HsmOsBlockPlaceholderAccess routine within the Cloud Filter driver, the component Windows uses to support cloud-backed file handling in OneDrive and similar services. The flaw allows registry key manipulation via the undocumented CfAbortHydration API, enabling an attacker to create a key in the DEFAULT user hive without access checks. That path leads to privilege escalation and SYSTEM-level code execution.
This is not the first time this driver component has been exploited. In December 2025, Microsoft patched a separate privilege escalation flaw in the same component, CVE-2025-62221, which it confirmed was being actively exploited in the wild at the time of patching.
The exploit is a race condition, so success rate may vary. In practice, researchers at ThreatLocker confirmed the exploit works on fully patched Windows 11. Will Dormann, Principal Vulnerability Analyst at Tharros, has noted it does not appear to function on the Windows 11 Insider Preview Canary build.
Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
In early April 2026, eSentire's Threat Response Unit (TRU) identified an intrusion targeting a customer in the legal industry. Threat actors used Microsoft Teams voice phishing (vishing) to deceive the victim into granting remote access via Quick Assist, then deployed a Java-based remote access trojan (RAT).
TRU tracks this malware as Nimbus RAT, which Rapid7 previously documented in connection with BlackSuit affiliate activity following Black Basta's internal conflict in early 2025. Nimbus RAT is a self-contained implant that uses Google Drive and Google Sheets for command-and-control (C2), helping its network traffic appear benign.
The intrusion followed a well-established vishing kill chain: the targeted user's mailbox was flooded with hundreds of subscription confirmation emails; an actor-controlled Microsoft Teams account posing as IT helpdesk reached out to the user offering assistance, and the user was walked through launching Quick Assist and downloading a payload from a compromised Microsoft 365 tenant. From initial Teams contact to RAT execution, the attack took less than 20 minutes.
TRU also analyzed over a year's worth of external Teams messaging telemetry across our customer base and identified 1,540 similar events targeting 172 distinct customer environments, with a sharp surge in activity between December 2025 and March 2026.
The data reveals consistent infrastructure patterns, including the heavy use of throwaway Microsoft 365 tenants, freshly registered .top domains, and hosting-provider source IPs, that help defenders distinguish malicious Teams external messages from legitimate vendor traffic.
Cyber-Enabled Strategic Cargo Theft Surging
The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center (IC3) is warning organizations and individuals about emerging cyber threats and scams targeting victims online. This public service announcement outlines key warning signs, current threat trends, and practical steps you can take to better protect yourself and your organization from cyber-enabled crime.
New Executive Order Highlights AI's Growing Role in Cybersecurity
On June 2, 2026, President Trump signed Executive Order 14409, Promoting Advanced Artificial Intelligence Innovation and Security, establishing a federal framework aimed at advancing AI innovation while addressing the cybersecurity and national security challenges that accompany increasingly powerful AI systems. For the trucking and logistics industry, the order reinforces a reality that organizations are already beginning to face.
Iran-linked Hackers Target "Low-Hanging Fruit" at US Gas Stations
Cyberthreats targeting critical infrastructure continue to evolve, underscoring the importance of strong cybersecurity practices across essential services. Read how Iranian-linked hackers are targeting fuel system technology in the United States and what the incident reveals about emerging threats to operational technology and critical infrastructure security.
More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild
The number of exploited vulnerabilities continues to grow, but attackers are often relying on familiar tactics to gain access and compromise organizations. In this Proofpoint analysis, learn which vulnerabilities are being actively exploited in the wild and what cybersecurity teams can do to prioritize defenses and reduce risk.
Catch Up on All the Latest Shop Talk Episodes with Ben Wilkens
Refer a Colleague
Would you like others at your company to be added to the NMFTA Headline Newsletter email distribution list? Send them this link or fill out the form for them on their behalf below!