November 2025
NMFTA Cyber Intelligence Newsletter
The National Motor Freight Traffic Association, Inc. (NMFTA)™ has designed this monthly e-newsletter to arm you with intelligence, tools, and defense tactics. Each month we cover enterprise system and rolling asset security, trending reports, and more.
Is Cargo Theft the New Face of Crime?
This edition of The Freight Coach podcast's newsletter spotlights NMFTA's very own Ben Wilkens, who shares raw insights on what it takes to thrive in today’s freight market—from building trust with customers to staying resilient through industry shifts. 🚛 Tune in to hear real talk about relationships, reputation, and the mindset that keeps top performers moving forward.
NMFTA Submits Comments to Federal Register for Cargo Theft
Cargo theft remains one of the most persistent and evolving threats to the U.S. supply chain. NMFTA urged the Department of Transportation through its DOT Docket Number DOT-OST-2025-1326 to take decisive action to address both traditional and cyber-enabled cargo theft through coordinated, data-driven, and industry-supported initiatives. NMFTA submitted comments which featured key threats, modal risk assessment, barriers to response, and more.
Your Monthly Mix of Blogs and Webinars
November 13, 2025 | 1:00-2:00 pm ET
Happening today, join the NMFTA cybersecurity team for a no-charge webinar recapping the insights you missed from the 2025 NMFTA Cybersecurity conference. Listen in live as they unpack the top trends, cyberattacks, and defense strategies that shaped this year’s conference.
November 20, 2025 | 1:00-2:00 pm ET
Happening next week, the NMFTA cybersecurity team will host a complimentary webinar featuring guest speaker Melanie Padron, the vice president of strategic growth from IT ArchiTeks. Join them live as they uncover the top 10 cybersecurity gaps most frequently identified in fleet security assessments. Plus, learn how outdated assumptions about IT, managed service providers (MSPs), and cloud security may be putting your company at risk.
Cybersecurity is a Team Sport: NMFTA's 2025 Conference Lit Up Austin
Cybersecurity isn’t a solo mission—it’s a full team effort. The latest recap from NMFTA 2025 Cybersecurity Conference dives into how industry leaders came together in Austin to tackle threats, build collaboration, and bring freight security into the spotlight.
Don't Let Cyber Thieves Steal Your Next Load
Digital manipulation, fake pickup requests, and identity hijacking are on the rise. NMFTA’s Cybersecurity Cargo Crime Reduction Framework is here to help you understand how modern cargo theft works. Don't wait for a costly breach; download it to take immediate action and safeguard your assets.
PLUS: Download the free Vendor Risk Assessment Framework and get a practical checklist and scoring model to evaluate, onboard, and monitor third-party vendors.
In This Month's Report...
Remote Access, Real Cargo: Cybercriminals Targeting Trucking and Logistics
Proofpoint is tracking a cluster of cybercriminal activity that targets trucking and logistics companies and infects them with remote monitoring and management (RMM) tooling for financial gain. Based on their ongoing investigations paired with open-source information, Proofpoint assesses with high confidence that the threat actors are working with organized crime groups to compromise entities in the surface transportation industry—in particular trucking carriers and freight brokers—to hijack cargo freight, leading to the theft of physical goods. The stolen cargo most likely is sold online or shipped overseas. Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics.
In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them. The observed campaigns described in this report are similar to activity Proofpoint researchers previously detailed in September 2024. However, they cannot assess with high confidence whether historic and current campaigns are conducted by the same or multiple groups; thus, Proofpoint is not attributing the activity to a tracked threat actor.
GlassWorm Self-Propagating VSCode Extension Worm
GlassWorm is the first self-propagating worm targeting VS Code extensions on the OpenVSX marketplace. The attack uses invisible Unicode characters to hide malicious code from code editors and review processes, combined with blockchain-based command and control infrastructure on the Solana blockchain that cannot be taken down.
Seven OpenVSX extensions were compromised on October 17, 2025, with 35,800 total downloads, and ten extensions were still actively distributing malware two days later. The malware harvests NPM, GitHub, and Git credentials, targets 49 different cryptocurrency wallet extensions, deploys SOCKS proxy servers that turn developer machines into criminal infrastructure, and installs hidden VNC servers for complete remote access. The stolen credentials are used to automatically compromise additional packages and extensions, creating exponential spread through the developer ecosystem. It uses Google Calendar as a backup C2 server. This means GlassWorm uses a triple-layer C2 setup consisting of the Solana blockchain, a direct IP connection, and Google Calendar, making it very robust.
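A check for the hiding technique described above, as an added example that is not from the newsletter or the original research: it flags runs of non-rendering Unicode in extension or package source text. Which code points count as invisible (format characters, private-use characters, and variation selectors) is an assumption, since the page does not list them, and the sample input is constructed.

```python
import unicodedata

# Assumption: the newsletter does not list the code points involved. This check
# treats format (Cf) and private-use (Co) characters plus both variation-selector
# blocks as "invisible", since editors and diff views typically render none of them.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return True
    return unicodedata.category(ch) in ("Cf", "Co")


def scan_text(text, min_run=1):
    """Return one finding per run of at least min_run invisible characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            if col - start >= min_run:
                findings.append({
                    "line": lineno,
                    "col": start + 1,  # 1-based column of the first hidden character
                    "length": col - start,
                    "codepoints": sorted({f"U+{ord(c):04X}" for c in line[start:col]}),
                })
    return findings


# Constructed sample: line 2 hides a run of variation selectors inside a string
# literal; line 3 is a benign emoji followed by a single U+FE0F.
SAMPLE = (
    "const ok = 'hello';\n"
    "const s = '" + "".join(chr(0xE0100 + b) for b in b"payload") + "';\n"
    "const emoji = '\u2764\ufe0f';\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE, min_run=4):  # min_run=4 skips lone emoji selectors
        print(f"line {f['line']} col {f['col']}: {f['length']} hidden characters")
```

A long run inside a string literal is the high-signal case; a single U+FE0F after an emoji or a byte-order mark at the start of a file is normally benign.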
Ransomware and Cyber Extortion in Q3 2025
Ransomware threats reached a tipping point in Q3 2025, driven by major developments across the ecosystem. The hacking collective “Scattered Spider” teased its first ransomware-as-a-service (RaaS) offering, while long-standing ransomware operator “LockBit” announced its intent to target critical infrastructure through its new affiliate program. Meanwhile, a powerful alliance between leading ransomware groups has raised the stakes for organizations worldwide. Adding to the tumult, the number of data-leak sites hit a record high, with emerging groups expanding into new regions and industries.
While the number of organizations listed on data-leak sites for extortion remained steady compared to Q2 2025, this quarter was defined by significant developments reshaping the ransomware ecosystem.
- Scattered Spider teases its first RaaS: “ShinySp1d3r RaaS” marks the first major RaaS from English-speaking cybercriminals;
- LockBit eyes critical infrastructure: LockBit releases its “LockBit 5.0” affiliate program, allowing affiliates to target sectors typically off-limits under RaaS rules;
- New alliances between ransomware giants: “DragonForce,” “Qilin,” and LockBit form a partnership poised to escalate attacks; and
- Ransomware spreads globally: The number of active data-leak sites hit an all-time high of 81, driving attacks into new regions like Thailand, which saw a 69% surge in listings fueled by the newly emerged “Devman2” group.
The ransomware threat has reached unprecedented levels—with a record number of data-leak sites, major collaborations, and expansion by emerging groups putting organizations across all industries and regions at risk. This report highlights the critical shifts in ransomware every CISO must know.
SesameOp: Novel Backdoor Uses OpenAI Assistants API for Command and Control
Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as a C2 channel as a way to stealthily communicate and orchestrate malicious activities within the compromised environment. To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs.
The backdoor, which Microsoft named SesameOp, was discovered in July 2025, when DART researchers responded to a sophisticated security incident, where the threat actors had maintained a presence within the environment for several months prior to the engagement. The investigation uncovered a complex arrangement of internal web shells, which were responsible for running commands relayed from persistent, strategically placed malicious processes. These processes leveraged multiple Microsoft Visual Studio utilities that had been compromised with malicious libraries, a defense evasion method known as .NET AppDomainManager injection.
Hunting across other Visual Studio utilities loading unusual libraries led to the discovery of additional files that could facilitate external communications with the internal web shell structure. Analysis of one such artifact identified SesameOp, a covert backdoor purpose-built to maintain persistence and allow a threat actor to stealthily manage compromised devices. The stealthy nature of SesameOp is consistent with the objective of the attack, which was determined to be long-term persistence for espionage-type purposes.
This blog post outlines our analysis of SesameOp and its inner workings and highlights the capability of threat actors to adjust their tactics, techniques, and procedures (TTPs) in response to rapid technological developments. We’re sharing these findings with the broader security research community to help disrupt this backdoor and improve defenses against this and similar threats.
Grand Theft Telematics: Kaspersky Finds Security Flaws that Threaten Vehicle Safety
Hackers are finding new ways to hijack connected vehicles—and Kaspersky’s latest report exposes just how real the threat is. Read the article below and learn how cybercriminals can exploit telematics systems and what you can do to keep your fleet and data safe on the road.
VicOne Situational Awareness Report: Cybersecurity in the Automotive, Transportation, and Logistics Sectors in Q3 2025
Cyberattacks are ramping up across trucking and logistics—and VicOne’s latest report shows just how serious it’s getting. With 90 ransomware attacks and 34 major data leaks in Q3 2025 alone, it’s time to see how these threats are evolving and what fleets can do to stay protected.
Cybercrime Groups Team with Organized Crime in Massive Cargo Theft Campaign
Cybercrime rings are teaming up with organized theft gangs to hijack huge volumes of cargo using remote-access tools against trucking and freight firms. Read as NMFTA's Artie Crawford sounds off in this recent article which uncovers startling numbers, undercover tactics, and real danger for your supply chain.
'TruffleNet' Attack Wields Stolen Credentials Against AWS
Cyber cloud attacks are no longer rare. According to Fortinet AI, threat actors used stolen credentials to infiltrate Amazon Web Services (AWS) environments, abuse SES messaging services, run reconnaissance across hundreds of nodes and launch large-scale business email compromise schemes. Read the article below and learn how identity misuse in the cloud could expose your operations—and what you can do to lock things down before it’s too late.
Oracle Silently Fixes Zero-Day Exploit Leaked by ShinyHunters
Cybercriminals leaked a proof-of-concept exploit for Oracle E‑Business Suite—and the vendor quietly patched a zero-day (CVE-2025-61884) that let attackers breach servers without authentication. Read the article below to learn how it was done and how you can make sure your patch management is locked in and systems are updated.
Cybersecurity for Carrier Partners: Check Call
In a recent episode of FreightWaves' Check Call, a podcast designed for 3PLs and brokers, host Mary O'Connell dove into a new partnership between the NMFTA and OOIDA. Listen in as NMFTA's Joe Ohr breaks down our new three-part online training series and why cybersecurity is crucial for small to medium-sized carriers as well as enterprise-level carriers.
Billions Lost, Freight Exposed: The Real Cyber & Cargo Threats
Cargo theft and cybersecurity breaches are no longer isolated incidents—they’re a growing epidemic in freight.
Rewatch this high-stakes episode of Driving Forward with guest experts Artie Crawford and Ben Wilkens from the NMFTA.
Hosted by Global Logistics Consulting Services' (GLCS) Robert Bain, this episode pulls back the curtain on the evolving threats facing trucking companies and freight brokers.
Cybersecurity & Cargo Crime: Reducing Risk for Carriers | NMFTA's Ben Wilkens
Don’t miss this discussion as NMFTA cybersecurity expert Ben Wilkens joins on-air personalities Dave Nemo and Jimmy Mac to explore real-world cargo crime risks and proactive strategies to protect your fleet. Watch now and learn how to strengthen your defenses against evolving threats.
Refer a Colleague
Would you like others at your company to be added to the NMFTA Headline Newsletter email distribution list? Send them this link or fill out the form below on their behalf!









