May 2026
NMFTA Cyber Intelligence Newsletter
The National Motor Freight Traffic Association, Inc.® (NMFTA)® has designed this monthly e-newsletter to arm you with intelligence, tools, and defense tactics. Each month we cover enterprise system and rolling asset security, trending reports, and more.
NMFTA Appoints Ben Wilkens as Director of Cybersecurity
The trucking and transportation industry is becoming more connected, and that means cybersecurity remains a growing priority for fleets and supply chain leaders alike. Read how Ben Wilkens’ promotion to Director of Cybersecurity reflects NMFTA’s continued commitment to helping the industry stay ahead of emerging risks and strengthen supply chain security.
Why Cargo Theft is a Shared Problem—And the Shared Solution That's Taking Shape
Cargo theft is no longer just a carrier problem—it’s a growing industry-wide threat impacting the entire supply chain. This article explores how collaboration, verified trust, and shared fraud prevention efforts are helping the industry fight back against increasingly sophisticated cargo theft schemes.
Catch NMFTA Experts on the Road
NMFTA To Take the Stage at Black Hat USA
Heading to Black Hat USA 2026 this summer? If so, catch NMFTA's Ben Gardiner as he reveals in his session how a tractor ECU “noise recall” quietly functioned as a hidden security patch, exposing overlooked cybersecurity risks in commercial vehicle systems and embedded transportation technology.
NMFTA Cyber Expert to Speak at FTR Event
September 1, 2026 | 1:45-2:30 pm ET
Union Station Conference Center, Indianapolis, IN
NMFTA's Joe Ohr will join Rob Hooper, CEO of Atlantic Logistics, and another fraud expert for FTR's Navigating Risks of Fraud & Security panel discussion this fall. The panelists will share how these risks have affected industry stakeholders day to day and the best practices for limiting exposure.
It's Time to Join the Fight
Every day it's a new headline. A shipment of crab legs has been stolen. A train was stopped in the desert and a container of high-end sneakers was stolen.
Freight fraud is evolving fast—and fighting it takes industry-wide collaboration. Join the Freight Fraud Prevention Hub as a partner to help shape solutions, share expertise, strengthen industry defenses, and connect with leaders committed to protecting the supply chain.
Join the 15 companies that have already signed on as partners.
There is no cost to participate.
Beyond the MC Number: Identifying the DNA of a Freight Scammer
NMFTA's Joe Ohr is back on The Freight Coach Podcast, and he’s pulling back the curtain on the NMFTA’s Freight Fraud Prevention Hub and their advanced Threat Detection Portal. We move past the surface-level checks to examine the behavioral patterns, digital footprints, and social engineering tactics that today’s criminal syndicates use to "wear the skin" of legitimate carriers. This is a masterclass in shifting from a "Checklist Mindset" to an "Intelligence Mindset." If you want to protect your margins and your reputation in 2026, you need to understand the science of the scam.
SAE J2497 Revision Opened: Bringing Cybersecurity to a Legacy Vehicle Protocol
Legacy vehicle protocols weren’t built with today’s cyber threats in mind, and that’s exactly why the reopening of SAE J2497 matters. Learn how NMFTA is helping bring cybersecurity into scope for a decades-old tractor-trailer communication standard to better protect fleets, equipment, and the future of connected transportation.
Your Monthly Webinar Delivered
Governing AI in Trucking—A Practical Framework for Secure Deployment
June 18, 2026 | 1:00-2:00 pm ET
Join NMFTA Director of Cybersecurity, Ben Wilkens, for a discussion about AI-enabled tools and how they are rapidly transforming trucking operations, from dispatch and routing to safety monitoring and back-office automation.
Stay Updated on This Year's Conference
View Jam-Packed Schedule for #NMFTACyber
An event made especially with you in mind. This year's schedule features a mix of keynote presentations, technical sessions, workshops, tabletop exercises, and candid discussions designed to deliver actionable takeaways, not just theory.
In This Month's Report...
Inside an AI-Enabled Device Code Phishing Campaign
Microsoft Defender Security Research has observed a widespread phishing campaign leveraging the device code authentication flow to compromise organizational accounts at scale. While traditional device code attacks are typically narrow in scope, this campaign demonstrated a higher success rate, driven by automation and dynamic code generation that circumvented the standard 15-minute expiration window for device codes. This activity aligns with the emergence of EvilTokens, a phishing-as-a-service (PhaaS) toolkit identified as a key driver of large-scale device code abuse.
This campaign is distinct because it moves away from static, manual scripts toward an AI-driven infrastructure and multiple automations end-to-end. This activity marks a significant escalation in threat actor sophistication since the Storm-2372 device code phishing campaign observed in February 2025.
Ransomware and Cyber Extortion in Q1 2026
Total ransomware posts on data-leak sites in Q1 2026 reached 2,638, up 22% from 2,161 in Q1 2025, reflecting the sustained pressure organizations continue to face.
But the bigger story again this quarter was instability below the top tier, across threat actors, geography, and sector. Established groups still drove large-scale disruption, yet much of the operational pressure came from newer and less established actors. As a result, actor rankings matter less than the ability to detect and disrupt the behaviors that repeatedly drive ransomware impact, including exposed VPN and RDP access; abuse of trusted admin tools; and lateral movement through RDP, Server Message Block (SMB), and Group Policy.
Ransomware-as-a-service (RaaS) groups “Akira” and “Qilin” maintained high victim counts despite quarter-over-quarter declines, while relative newcomer “The Gentlemen” surged into the top three. At the same time, two new data-leak sites, “0APT” and “ALP-001,” highly likely used questionable or fabricated “leak” claims to extort large enterprises. Meanwhile, extortion group “ShinyHunters” continued to show that even threat actors with few named victims can still drive enterprise-scale impact through identity- and software-as-a-service (SaaS)-centered intrusions.
Together, these developments show how fragmented ransomware pressure became in Q1 2026 and where organizations should focus to reduce risk in the quarters ahead.
Securing GitHub: Wiz Research Uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)
Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command - using nothing but a standard git client.
Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified. Despite the complexity of the underlying system, the vulnerability is remarkably easy to exploit. On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes. On GitHub Enterprise Server, the same vulnerability grants full server compromise, including access to all hosted repositories and internal secrets.
GitHub mitigated this issue on GitHub.com within 6 hours of our report, released patches for all supported versions of GitHub Enterprise Server, and published the CVE at the time of release. GitHub Enterprise Server customers should upgrade immediately - at the time of this writing, our data indicates that 88% of instances are still vulnerable.
CISA Says 'Copy Fail' Flaw Now Exploited to Root Linux Systems
A newly exploited Linux vulnerability called “Copy Fail” is putting organizations on high alert after CISA warned attackers are already using it to gain root access on unpatched systems. This article breaks down what the flaw means, why it matters for cybersecurity teams, and the urgency behind patching vulnerable Linux environments.
FBI Warns of Surge in Hacker-Enabled Cargo Theft
The FBI is warning that cargo theft is becoming increasingly cyber-enabled, with hackers targeting brokers and carriers through phishing, spoofed emails, and compromised accounts. This article breaks down how these evolving tactics are reshaping freight fraud, and why stronger cybersecurity and verification practices are more important than ever.
IC Security Threats Spike with Quantum, AI, and Automotive
As AI, connected vehicles, and quantum computing continue to advance, cybersecurity threats targeting chips and automotive systems are becoming more complex and harder to ignore. This article takes a closer look at the growing risks facing modern hardware and why security needs to be built into technology from the very beginning.
The Role of 3PLs in Reducing Supply Chain Cybersecurity Risks
Third-party logistics providers play a bigger role in cybersecurity than many organizations realize, especially as supply chains become more connected and data-driven. This article explores how 3PLs can help reduce cyber risk, strengthen resilience, and protect the broader supply chain from growing digital threats.
Shop Talk with James McQuiggan
On this episode of Shop Talk: edutainer, social engineering expert, CISO advisor. James has worn too many hats in this industry to count. Through it all, he's gained invaluable insights and experience that he's ready to share.
Welcome to Shop Talk, Hosted by NMFTA's Own Ben Wilkens
Ben "The Trucking Cyber Guy" Wilkens brings a depth of experience and a unique perspective to trucking cybersecurity that few can claim. Having served in the industry from steering wheel, to server room, to boardroom, and now at the front lines of transportation cybersecurity research and education, he brings unique insights with a holistic view of the industry. On Shop Talk, he brings in guests from across trucking and cybersecurity for candid conversations, hot takes, and plenty of side quests. Grab a coffee and pull up a chair. Welcome to Shop Talk!
Refer a Colleague
Would you like others at your company to be added to the NMFTA Headline Newsletter email distribution list? Send them this link or fill out the form below on their behalf!










