September 2025
NMFTA Cyber Intelligence Newsletter
We’re witnessing an uptick in digital threats, from AI-powered ransomware to highly coordinated attacks targeting vehicle systems and logistics infrastructure. The National Motor Freight Traffic Association, Inc. (NMFTA)™ has designed this monthly e-newsletter to arm you with intelligence, tools, and defense tactics. Each month we cover enterprise system and rolling asset security, trending reports, and more.
🔐 Secure Your Rig: Cyber Basics Every Owner-Operator Must Know
Three-Part Online Training Event
Protecting your business on the road starts with the right knowledge. Join NMFTA, on behalf of the Owner-Operator Independent Drivers Association, for Cybersecurity Basics for Owner-Operators—a 3-part online training series on September 10, 17, and 24, 2025. Designed specifically for independent drivers and small fleets, this program covers essential skills like securing devices, protecting data, and spotting scams, plus practical tools and checklists you can put into action right away.
Please Note: The September 10 session is recorded and ready to be sent your way after purchase.
The NMFTA 2025 Cybersecurity Conference is NEXT Month
October 26-28, 2025 | Austin, TX
The 2025 NMFTA Cybersecurity Conference is NEXT month, so now is the perfect time to register before it sells out! Registering now ensures you won’t miss the networking, insights, and hands-on training that could make all the difference for your organization. This year’s agenda will tackle today’s biggest threats, including cyber-enabled cargo theft, phishing, social engineering, protecting sensitive data, and many more.
*Tickets are going FAST and we will not open additional spaces once we are sold out. Avoid being left out by getting your tickets now.
Discover All the Reasons Why This Year is a Can't-Miss Conference
Did you join us at the sold-out Cleveland conference? Our 2025 Cybersecurity Conference is set to deliver even more energy, insights, and impact than ever before. Check out this highlight reel to relive the excitement, then grab your 2025 tickets while you can. This conference will sell out.
Who should be at the 2025 Cybersecurity Conference? Industry suppliers, trucking IT leaders, cybersecurity professionals, and supply chain experts from across the country will be in Austin, TX.
Get Your Hands Dirty With the Risk Register and Tabletop Exercises
Team up with peers to conduct a full business risk assessment and create your own risk register, then transform that into a tabletop exercise—moving from theoretical planning to a practical resilience-building tool that can strengthen your team’s operational readiness.
Protecting Trucks, Trailers, & Tech: NMFTA's Latest Research Project
NMFTA’s latest research projects are helping secure the trucking industry—from a heavy-vehicle cybersecurity assessment & testing platform to a study that revealed a trailer control vulnerability (CVE-2024-12054) that can be exploited via seed key exchange. This article is a must-read to keep your trucks, trailers, and tech safe.
It's Time to Tackle Cargo Theft Head-On
Cargo criminals are finding new ways to bypass security controls. Read the article below and explore real-world case studies and expert-led strategies for preventing, detecting, and responding to theft. If you're in freight, logistics, or supply chain security, this article is a great preview of what you’ll learn at the conference, and why you can’t afford to ignore cargo crime.
Cargo is increasingly targeted through digital manipulation, fraudulent pickup requests, and hijacked identities. NMFTA’s Cybersecurity Cargo Crime Reduction Framework is your guide to understanding how modern cargo theft works. Don't wait for a costly breach; download the framework to take immediate action and safeguard your assets.
Don’t let weak vendor practices put your fleet at risk. The Vendor Risk Assessment Framework gives you a practical checklist and scoring model to evaluate, onboard, and monitor third-party vendors. Whether you’re just starting your cybersecurity journey or refining a mature program, this free resource helps you make smarter, risk-based decisions.
Watch on Demand
Rewatch what you missed in NMFTA’s webinar, Risks on the Road: What Trucking Companies Need to Know About Chinese-Made Technology. In this webinar, the NMFTA cybersecurity team dives into how foreign-manufactured devices and components pose threats to your fleet’s safety, data, and long-term viability.
In This Month's Report...
Linux Malware Delivered Via Malicious RAR Filenames Evades Antivirus Detection
Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.
The attack is a "Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file," Trellix researcher Sagar Bade said in a technical write-up.
"The payload isn't hidden inside the file content or a macro, it's encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger."
The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code.
What's more, the technique offers the added advantage of getting around traditional defenses, as antivirus engines don't typically scan file names.
The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: "ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`"
Specifically, the file name incorporates Bash-compatible code that's engineered to execute commands when it's interpreted by the shell. It's worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.
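Added example (not from the newsletter or the Trellix write-up): a POSIX shell check that flags file names containing shell syntax while handling every name strictly as quoted data. The function names and the list of flagged characters are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Function names and the character list are illustrative
# assumptions. File names are only ever handled as quoted data.
#
# Pattern to avoid (described above): building a command line from a name,
#   e.g.  for f in $(ls); do eval "echo $f"; done
# Globbing with quoted expansions, as below, never re-parses the name.

NL='
'

# Succeeds (0) when NAME contains characters the shell treats as syntax.
is_suspicious_name() {
    case "$1" in
        *'`'*|*'$('*|*'${'*|*'|'*|*';'*|*'&'*|*'<'*|*'>'*|*"$NL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Lists flagged entries of DIR on stderr and prints their count on stdout.
scan_dir() {
    dir=$1
    flagged=0
    for path in "$dir"/* "$dir"/.[!.]*; do
        # Skip the literal pattern left behind when a glob matches nothing.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if is_suspicious_name "$name"; then
            flagged=$((flagged + 1))
            # %s prints the name verbatim; nothing in it is evaluated.
            printf 'SUSPICIOUS: %s\n' "$name" >&2
        fi
    done
    printf '%s\n' "$flagged"
}

# Usage: sh scan.sh /path/to/extracted/archive
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

Run it against a directory of extracted attachments before any other script iterates over that directory; a non-zero count means at least one name should be reviewed or renamed first.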
Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware
Organizations continue to grapple with increasingly complex cyberthreats, as ransomware groups rapidly evolve their tactics. In a recent attack wave, the Warlock ransomware group exploited internet-exposed, unpatched on-premise Microsoft SharePoint servers, abusing newly discovered vulnerabilities to gain initial access to their target’s system. Other groups such as Linen Typhoon and Violet Typhoon have also been observed exploiting these vulnerabilities against internet-facing SharePoint servers. More details on these vulnerabilities and how Trend mitigates their impact can be found in the relevant knowledge base entry.
This multi-stage attack highlights how vulnerabilities in public-facing applications, combined with stealthy lateral movement and advanced payloads, can lead to swift and devastating compromise across enterprise environments.
The Warlock ransomware campaign exemplifies how quickly threat actors can weaponize enterprise vulnerabilities for high-impact extortion activities. Through the exploitation of the SharePoint vulnerabilities, attackers were able to bypass authentication, achieve remote code execution (RCE), and rapidly pivot across compromised networks.
In this entry, Warlock provides an in-depth analysis of this ransomware campaign, including a comprehensive technical breakdown of the observed tactics, intent behind each command, and actionable recommendation guidelines. This report is intended for defenders, information security professionals, and IT administrators looking to understand the threat in detail.
ESET Discovers PromptLock, the First AI-Powered Ransomware
ESET researchers have uncovered a new type of ransomware that leverages generative artificial intelligence (GenAI) to execute attacks. Named PromptLock, the malware runs a locally accessible AI language model to generate malicious scripts in real time. During infection, the AI autonomously decides which files to search, copy, or encrypt — marking a potential turning point in how cybercriminals operate.
“The emergence of tools like PromptLock highlights a significant shift in the cyber threat landscape,” said Anton Cherepanov, senior malware researcher at ESET, who analyzed the malware alongside fellow researcher Peter Strýček.
PromptLock creates Lua scripts that are compatible across platforms, including Windows, Linux, and macOS. It scans local files, analyzes their content, and—based on predefined text prompts—determines whether to exfiltrate or encrypt the data. A destructive function is already embedded in the code, though it remains inactive for now.
The ransomware uses the SPECK 128-bit encryption algorithm and is written in Golang. Early variants have already surfaced on the malware analysis platform VirusTotal. While ESET considers PromptLock a proof of concept, the threat it represents is very real.
“With the help of AI, launching sophisticated attacks has become dramatically easier—eliminating the need for teams of skilled developers,” added Cherepanov. “A well-configured AI model is now enough to create complex, self-adapting malware. If properly implemented, such threats could severely complicate detection and make the work of cybersecurity defenders considerably more challenging.”
PromptLock uses a freely available language model accessed via an API, meaning the generated malicious scripts are served directly to the infected device. Notably, the prompt includes a Bitcoin address reportedly linked to Bitcoin creator Satoshi Nakamoto.
ESET has published technical details to raise awareness within the cybersecurity community. The malware has been classified as Filecoder.PromptLock.A.
How Fleets Can Protect Themselves From Cybercriminals
Need to stay ahead of growing cyberthreats in trucking? The latest CCJ video walks through how fleets can strengthen defenses—everything from protecting telematics and data to managing access, choosing insurance wisely, and creating a real response plan. NMFTA's very own Ben Wilkens and Artie Crawford discuss essential resources that every fleet needs in their arsenal.
H1 2025 Malware and Vulnerability Trends
The “H1 2025 Malware and Vulnerability Trends” report from Recorded Future paints a clear picture of how threat actors are combining classic malware, novel delivery methods, and weakly protected systems to gain access—163 vulnerabilities were actively exploited, almost half with public proof-of-concepts, and legacy malware like Sality is making a strong comeback. For anyone responsible for cybersecurity in their fleet, this is essential reading.
New Ransomware-as-a-Service (RaaS) Groups to Watch in 2025
Ransomware is shifting fast, and Flashpoint’s latest article spotlights new RaaS groups rising in 2025, along with the surprising decline of former heavy-hitters like LockBit and BlackCat. Read the article below to stay informed on emerging threats, from changing tactics to AI-assisted phishing.
Organizations Warned of Exploited Git Vulnerability
A newly discovered Git vulnerability (CVE-2025-48384) is already being exploited, enabling attackers to write files outside the working directory through malicious submodule paths. Read the article below for a breakdown of the risk, the affected versions, and the urgent steps teams should take to protect their systems.
Cybersecurity & Cargo Crime: Reducing Risk for Carriers | NMFTA's Ben Wilkens
Don’t miss this discussion as NMFTA cybersecurity expert Ben Wilkens joins on-air personalities Dave Nemo and Jimmy Mac to explore real-world cargo crime risks and proactive strategies to protect your fleet. Watch now and learn how to strengthen your defenses against evolving threats.
Billions Lost, Freight Exposed: The Real Cyber & Cargo Threats
Cargo theft and cybersecurity breaches are no longer isolated incidents—they’re a growing epidemic in freight.
Rewatch this high-stakes episode of Driving Forward with guest experts Artie Crawford and Ben Wilkens from the NMFTA.
Hosted by Robert Bain of Global Logistics Consulting Services (GLCS), this episode pulls back the curtain on the evolving threats facing trucking companies and freight brokers.
Digital Defense | Joe Ohr & Artie Crawford of the NMFTA
On the latest episode of Optym's Semi-Related Podcast, NMFTA's Chief Operating Officer Joe Ohr and Director of Cybersecurity Artie Crawford join host Jacob Eischen to discuss how dark-web ransomware rentals, AI-forged emails, and hacked telematics give thieves a back-door pass to your freight and how fleets can prepare a road-ready defense plan. They also preview the NMFTA’s Cybersecurity Conference this October and the no-cost tools rolling out to help carriers of every size stay a step ahead of the next breach.
Refer a Colleague
Would you like others at your company to be added to the NMFTA Headline Newsletter email distribution list? Send them this link or fill out the form below on their behalf!