October 2025
NMFTA Cyber Intelligence Newsletter
The National Motor Freight Traffic Association, Inc. (NMFTA)™ has designed this monthly e-newsletter to arm you with intelligence, tools, and defense tactics. Each month we cover enterprise system and rolling asset security, trending reports, and more.
October 26-28 | Austin, TX
This is Your Final Chance to Attend The 2025 Cybersecurity Conference!
This is your final chance to attend the 2025 NMFTA Cybersecurity Conference. Don't wait until it's too late to register! Seats are disappearing fast, and you don't want to miss the networking, insights, and hands-on training that can make all the difference for your organization. This year’s agenda will tackle the most pressing issues in trucking cybersecurity, including cyber-enabled cargo theft, phishing, social engineering, protecting sensitive data, and many more.
⏰ It's crunch time. Get your tickets NOW at nmftacyber.com.
*Tickets are going FAST and we will not open additional spaces once we are sold out. Avoid being left out by getting your tickets now.
Hot Off the Keyboard: Dive Into Our Latest Blogs
Don’t Panic—Respond: Incident Response in Action
Cyberthreats are growing, but this year's Cybersecurity Conference will show you how to turn that pressure into power. Get a preview of the sessions, experts, and insights that will help you before the next attack.
Calling All Trucking Cybersecurity Leaders:
The Time for Collaboration Is Now
Trucking cybersecurity isn’t a solo mission. Read why collaboration is the key to defending the industry and how you can get in on the action.
What Cybersecurity Trucking Professionals Need to Learn from the Secret Service Bust
Telecom attacks are hitting closer to home than you think—and the trucking industry isn’t immune. Read this breakdown of what the Secret Service uncovered in a major telecom bust and what lessons trucking cybersecurity pros need to take from it to stay protected.
Protecting the Systems That Move Us:
David Carroll to Keynote #NMFTACyber
GDIT’s David Carroll headlines this year's NMFTA Cybersecurity Conference with a powerful reminder: “Transportation is no longer just about moving goods. It’s about protecting the digital systems that make movement possible.” Read how his keynote sets the tone for a freight.
Digital manipulation, fake pickup requests, and identity hijacking are on the rise. NMFTA’s Cybersecurity Cargo Crime Reduction Framework is here to help you understand how modern cargo theft works. Don't wait for a costly breach. Download it to take immediate action and safeguard your assets.
PLUS: Download the free Vendor Risk Assessment Framework and get a practical checklist and scoring model to evaluate, onboard, and monitor third-party vendors.
In This Month's Report...
Widespread Supply Chain Compromise Impacting NPM Ecosystem
The Cybersecurity and Infrastructure Security Agency (CISA) released this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.
After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
Threat Spotlight: Speed, Scale, and Stealth: How Axios Powers Automated Phishing
ReliaQuest has identified an anomalous surge in stolen credentials that likely indicates mass-automated phishing activity. Their investigation points to a rapidly evolving threat: attackers exploiting the Axios user agent—a lightweight, promise-based HTTP client—to automate phishing and credential stealing at unprecedented scale. In recent campaigns, Axios abuse was amplified through Microsoft Direct Send, a trusted email delivery method that helps phishing traffic slip past secure gateways.
- Explosive Growth Across Multiple Detections: Between June and August 2025, activity tied to Axios as a user agent surged by 241%, far exceeding the growth seen across all other flagged user agents. Out of 32 flagged user agents observed in this timeframe, Axios accounted for 24.44% of all activity. This makes Axios 10 times more common than any other user agent attackers are using.
- Staggering Success Rates: In the most recent campaign we tracked, 70% of incidents leveraging Axios and Direct Send resulted in credentials being stolen successfully. Over the past three months, Axios-powered attacks had a 58% success rate overall, compared to just 9.3% for incidents without Axios.
- Shifting Targets: Beginning in July 2025, this campaign initially focused on high-profile individuals, such as executives and managers in industries like finance, health care, and manufacturing. By August, it had broadened in scope to include everyday users.
The combination of the Axios user agent with tools like Direct Send is proving to be a game-changer for attackers, yielding far higher success rates in account takeovers than traditional phishing methods, which were only seen succeeding around 9.3% of the time over the past three months. By exploiting the trusted nature of Direct Send and leveraging Axios’s lightweight, developer-friendly design, attackers are not only scaling their operations but also streamlining attack techniques to bypass traditional security defenses with alarming precision. This efficiency allows attackers to steal credentials faster, at a scale and success rate unmatched by other methods.
Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less
In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation. This campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025.
SonicWall links the malicious logins observed in this campaign to CVE-2024-40766, an improper access control vulnerability identified a year ago. From this perspective, credentials would have potentially been harvested from devices vulnerable to CVE-2024-40766 and later used by threat actors—even if those same devices were patched. Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled.
It is worth noting that SonicWall recently disclosed an incident involving the MySonicWall cloud backup service. While SonicWall has stated the incident was not a ransomware event, the full extent of this breach may not yet be fully known. At this time, there is no evidence linking the MySonicWall cloud backup file incident to the Akira ransomware campaign described here.
With dwell times measured in hours rather than days—among the shortest we’ve recorded for ransomware—the window for effective response against this threat is exceptionally narrow. By detecting unexpected logins from a handful of hosting-related ASNs and identifying Impacket SMB activity over the network, intrusions can be disrupted at an early stage. We present our findings here to help organizations protect against this ongoing threat.
How Today's Cybercriminals Con Their Way into Trucking Operations
NMFTA has secured a recurring monthly article in Heavy Duty Trucking. We're eager to share our insights with their readership. In our inaugural article, Ben Wilkens shares how cybercriminals are getting smarter and how they’re targeting trucking systems with scams that look harmless. Learn about the tactics they’re using to infiltrate operations and how your cybersecurity teams can shore up your defenses before it’s too late.
How Fleets Can Protect Themselves From Cybercriminals
Watch as NMFTA's cybersecurity team chats with CCJ staff about actionable steps and real-world strategies that fleets are using right now to protect assets and reduce risk.
Fake Microsoft Teams Installers Push Oyster Malware Via Malvertising
Hackers are disguising malware as Microsoft Teams installers—and companies are falling for it. Learn how the Oyster malware spreads through malvertising and what cybersecurity professionals can do to protect their organization from the trap.
Fortra GoAnywhere CVSS 10 Flaw Exploited As 0-Day Week Before Public Disclosure
A critical CVSS 10 flaw in Fortra GoAnywhere is putting sensitive data at serious risk. Read this article and learn how the exploit works, who’s being targeted, and what immediate steps cybersecurity teams need to take to protect their organization.
Zscaler ThreatLabz 2025 Ransomware Report
The latest ThreatLabz report shows how fast ransomware attacks are evolving. It uncovers emerging trends, new tactics, and what your cybersecurity team needs to know to stay one step ahead of hackers.
Cybersecurity for Carrier Partners:
Check Call
In a recent episode of FreightWaves' Check Call, a podcast designed for 3PLs and brokers, host Mary O'Connell dove into a new partnership between the NMFTA and OOIDA. Listen in as NMFTA's Joe Ohr breaks down our new three-part online training series and why cybersecurity is crucial for small to medium-sized carriers as well as enterprise-level carriers.
Billions Lost, Freight Exposed: The Real Cyber & Cargo Threats
Cargo theft and cybersecurity breaches are no longer isolated incidents—they’re a growing epidemic in freight.
Rewatch this high-stakes episode of Driving Forward with guest experts Artie Crawford and Ben Wilkens from the NMFTA.
Hosted by Robert Bain of Global Logistics Consulting Services (GLCS), this episode pulls back the curtain on the evolving threats facing trucking companies and freight brokers.
Cybersecurity & Cargo Crime: Reducing Risk for Carriers | NMFTA's Ben Wilkens
Don’t miss this discussion as NMFTA cybersecurity expert Ben Wilkens joins on-air personalities Dave Nemo and Jimmy Mac to explore real-world cargo crime risks and proactive strategies to protect your fleet. Watch now and learn how to strengthen your defenses against evolving threats.
Refer a Colleague
Would you like others at your company to be added to the NMFTA Headline Newsletter email distribution list? Send them this link or fill out the form below on their behalf!












